[Bug 20476] New: Two factor authentication for the staff client - omnibus
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Bug ID: 20476 Summary: Two factor authentication for the staff client - omnibus Change sponsored?: --- Product: Koha Version: master Hardware: All OS: All Status: NEW Severity: enhancement Priority: P5 - low Component: Staff Client Assignee: koha-bugs@lists.koha-community.org Reporter: magnus@libriotech.no QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Magnus Enger <magnus@libriotech.no> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |19886, 19887, 14319 --- Comment #1 from Magnus Enger <magnus@libriotech.no> --- Optional two factor authentication for the staff client would be A Very Good Thing, especially in light of GDPR in Europe. Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14319 [Bug 14319] Support for DuoSecurity 2FA Authentication https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19886 [Bug 19886] Two Factor Authentication: Yubikey https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19887 [Bug 19887] Two Factor Authentication: Google Authenticator -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 --- Comment #2 from Magnus Enger <magnus@libriotech.no> --- There are plenty of ways to implement 2FA I guess (see the "Depends on" for this bug), so getting a system in place that could easily be extended with plugins would be super awesome. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Jon Knight <J.P.Knight@lboro.ac.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |J.P.Knight@lboro.ac.uk --- Comment #3 from Jon Knight <J.P.Knight@lboro.ac.uk> --- Is there an issue with using a pre-existing tool such as PrivacyIDEA (https://github.com/privacyidea/privacyidea) that already does 2FA (in lots of different forms)? Does it really need to be rolled into the Koha code base, rather than allowing sysadmins to use external 2FA support? They might need to do anyway if their Koha installation is just one small service in a much larger organisation that already uses 2FA, so if it was bolted inside Koha it would need to be done in a way that could be turned off if external 2FA services were being used. Just for completeness I should mention that we've tested PrivacyIDEA 2FA with YubiKeys tied into SAML2.0 authentication using simpleSAMLphp as the IdP and it works OK. Not deployed in production yet as someone would have to come up with a budget for all the Yubikeys we'd need! -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 --- Comment #4 from Magnus Enger <magnus@libriotech.no> --- I am not a 2FA expert, so whatever works is fine by me. Does implementing support for external 2FA mean we can not implement internal 2FA? If not, I think we should be open to both solutions. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 George Williams (NEKLS) <george@nekls.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |george@nekls.org -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 --- Comment #5 from George Williams (NEKLS) <george@nekls.org> --- So long as the two factor authentication is optional, I think this is a great idea. -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Sally Healey <sally.healey@cheshiresharedservices.gov.uk> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |sally.healey@cheshireshared | |services.gov.uk -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |martin.renvoize@ptfs-europe | |.com See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=14319 -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Jonathan Druart <jonathan.druart+koha@gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |28786 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28786 [Bug 28786] Two-factor authentication for staff client - TOTP -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |m.de.rooy@rijksmuseum.nl -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |29873 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29873 [Bug 29873] 2FA: Generate QR code without exposing secret via HTTP GET -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Marcel de Rooy <m.de.rooy@rijksmuseum.nl> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |29894 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29894 [Bug 29894] 2FA: Add few validations, clear secret, send register notice -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Hanna Dehlin <hanna.dehlin@hkr.se> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |hanna.dehlin@hkr.se -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on|29873 | Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29873 [Bug 29873] 2FA: Generate QR code without exposing secret via HTTP GET -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |30588 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30588 [Bug 30588] Add the option to require 2FA setup on first login -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |29835 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29835 [Bug 29835] 2FA - ask for the password when 2FA is disabled -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Martin Renvoize <martin.renvoize@ptfs-europe.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |28787 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28787 [Bug 28787] Send a notice with the TOTP token -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Bug 20476 depends on bug 19887, which changed state. Bug 19887 Summary: Two Factor Authentication: Google Authenticator https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19887 What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |DUPLICATE -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Bug 20476 depends on bug 28786, which changed state. Bug 28786 Summary: Two-factor authentication for staff client - TOTP https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=28786 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to master |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Bug 20476 depends on bug 29894, which changed state. Bug 29894 Summary: 2FA: Add few validations, clear secret, send register notice https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29894 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to master |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |31240 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31240 [Bug 31240] Search bar disappears on tow_factor_auth page -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Caroline Cyr La Rose <caroline.cyr-la-rose@inlibro.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Depends on| |31247 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31247 [Bug 31247] Staff interface 2FA blocks logging into the OPAC -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Jessie Zairo <jzairo@bywatersolutions.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jzairo@bywatersolutions.com | |, | |kelly@bywatersolutions.com -- You are receiving this mail because: You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Bug 20476 depends on bug 31247, which changed state. Bug 31247 Summary: Staff interface 2FA blocks logging into the OPAC https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31247 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to stable |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Bug 20476 depends on bug 31240, which changed state. Bug 31240 Summary: Search bar disappears on two_factor_auth page https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31240 What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Bug 20476 depends on bug 30588, which changed state. Bug 30588 Summary: Add the option to require 2FA setup on first staff login https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30588 What |Removed |Added ---------------------------------------------------------------------------- Status|Pushed to master |RESOLVED Resolution|--- |FIXED -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Sam S <tech.sam@salinapublic.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |tech.sam@salinapublic.org --- Comment #6 from Sam S <tech.sam@salinapublic.org> --- I've been testing the module in our install, working great so far, but I noticed a few issues, both minor: 1. The authentication form field is not marked to be excluded from auto completion. Because of this, after several weeks of use, every time I click on the field, I see a list of all prior authentication codes used. This might be possible to be used in an attack to reverse-engineer the secret key using past codes and when they were entered. Information on how to disable auto completionon form fields can be found here: https://developer.mozilla.org/en-US/docs/Web/Security/Securing_your_site/Tur... 2. There's currently no option to "trust current device" something that most MFA modules include, so a user can mark a local device to be excluded from the MFA check for an amount of time (typically a month or so) -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 --- Comment #7 from Katrin Fischer <katrin.fischer@bsz-bw.de> --- (In reply to Sam S from comment #6)
I've been testing the module in our install, working great so far, but I noticed a few issues, both minor:
Hi Sam, thanks for your suggestions, would you mind filing them as separate bug reports linked to this one? You can use the "Blocks" in the new bugs or the "Depends on" in this one to link them. -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Sam S <tech.sam@salinapublic.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |33253 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33253 [Bug 33253] 2FA - Form not excluded from autofill -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Sam S <tech.sam@salinapublic.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |33254 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33254 [Bug 33254] 2FA - Trust Current Device -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 Bug 20476 depends on bug 14319, which changed state. Bug 14319 Summary: Support for DuoSecurity 2FA Authentication https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14319 What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |WONTFIX -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |30724 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30724 [Bug 30724] Add ability for administrator to reset a users 2FA -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |35210 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35210 [Bug 35210] 2FA: more flexibility -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |36011 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36011 [Bug 36011] 2FA authentication failure is incorrectly logged as success -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |35601 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=35601 [Bug 35601] Cannot go into Cataloging->Export when 2FA is enabled -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |31118 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31118 [Bug 31118] Allow to send the TOTP token by email when enabling 2FA -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |31912 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=31912 [Bug 31912] When enforcing 2FA we should alert the user -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |29836 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=29836 [Bug 29836] 2FA - provide a REST API challenge route -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |36564 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=36564 [Bug 36564] Koha staff interface logs out on homepage refresh with 2FA enforced -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476 David Nind <david@davidnind.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |40545 Referenced Bugs: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=40545 [Bug 40545] Add a CLI script to manually reset 2FA settings -- You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes.
participants (1)
-
bugzilla-daemon@bugs.koha-community.org