[Bug 19886] New: Two Factor Authentication: Yubikey


[Bug 19886] New: Two Factor Authentication: Yubikey

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19886

            Bug ID: 19886
           Summary: Two Factor Authentication: Yubikey
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: Authentication
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]
                CC: [hidden email]

We need to add support for Two Factor Authentication, because a password isn't
enough against hackers or unauthorised access.

Yubikey is USB hardware
    FIDO U2F
    Secure Static Passwords
    smart card (PIV)
    Yubico OTP
    Code Signing
    OpenPGP
    OATH-TOTP
    OATH-HOTP
    Challenge-Response

https://www.yubico.com/product/yubikey-4-series/

Yubikey Perl support
https://developers.yubico.com/yubico-perl-client/

--
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
_______________________________________________
Koha-bugs mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
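The Yubico Perl client linked above checks Yubico OTPs against Yubico's validation service. As an added example, in Python rather than Koha's Perl and not code from the reporter, the Perl client or Koha, this is the checking the relying side has to do on such a validation reply: verify the HMAC-SHA1 signature over the key=value fields, confirm the reply echoes the otp and nonce that were sent, require status OK, and reject a token whose (sessioncounter, sessionuse) pair does not advance. The API key, OTP, nonce and reply body are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed demo values, not real credentials: a base64 client API key as the
# validation service issues it, a 44-character OTP and our per-request nonce.
API_KEY = base64.b64encode(b"constructed-demo-key").decode()
OTP = "ccccccbcgujh" + "cbdefghijklnrtuvcbdefghijklnrtuv"
NONCE = "0123456789abcdef0123456789abcdef"
MODHEX = set("cbdefghijklnrtuv")

def split_otp(otp):
    """Yubico OTP: 32-48 modhex chars; the last 32 are the encrypted token, the rest is the public ID."""
    if not 32 <= len(otp) <= 48 or any(ch not in MODHEX for ch in otp):
        raise ValueError("not a Yubico OTP")
    return otp[:-32], otp[-32:]

def signature(fields, api_key_b64):
    """h = base64(HMAC-SHA1(api_key, 'k1=v1&k2=v2...')) over every field but h, sorted by key."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()

def build_response(fields, api_key_b64):
    """Render a signed key=value body in the shape the validation server returns (constructed)."""
    lines = [f"h={signature(fields, api_key_b64)}"] + [f"{k}={v}" for k, v in fields.items()]
    return "\r\n".join(lines) + "\r\n"

def parse_response(body):
    fields = {}
    for line in body.splitlines():
        if "=" in line:
            k, _, v = line.partition("=")  # split once: h carries '=' padding
            fields[k.strip()] = v.strip()
    return fields

def verify_response(body, api_key_b64, sent_otp, sent_nonce):
    """Accept only a correctly signed reply that echoes our otp and nonce with status OK."""
    fields = parse_response(body)
    if not hmac.compare_digest(fields.get("h", ""), signature(fields, api_key_b64)):
        return False, "bad signature"
    if fields.get("otp") != sent_otp or fields.get("nonce") != sent_nonce:
        return False, "reply does not match request"
    if fields.get("status") != "OK":
        return False, fields.get("status", "missing status")
    return True, "OK"

def is_newer(last_seen, fields):
    """Replay guard kept per public ID: (sessioncounter, sessionuse) must strictly increase."""
    current = (int(fields["sessioncounter"]), int(fields["sessionuse"]))
    return last_seen is None or current > last_seen

RESPONSE_OK = build_response({"otp": OTP, "nonce": NONCE, "status": "OK", "t": "2018-01-01T12:00:00Z0000",
                              "sl": "100", "timestamp": "12345", "sessioncounter": "7",
                              "sessionuse": "1"}, API_KEY)
```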

[Bug 19886] Two Factor Authentication: Yubikey

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19886

Mike <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email],
                   |                            |[hidden email]


[Bug 19886] Two Factor Authentication: Yubikey

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19886

Jon Knight <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #1 from Jon Knight <[hidden email]> ---
Is this something that needs to be built into Koha, or is it better to make use
of existing third party systems such as PrivacyIDEA
(https://www.privacyidea.org/) that can be used in conjunction with normal SSO
mechanisms?  For example we (Loughborough University) have tested Yubikeys with
PrivacyIDEA and simpleSAMLphp IdP and it works, and we already know that Koha
can use the SAML2.0 authentication assertions from the IdP (as that's what
we're doing in production with PTFS-E).  PrivacyIDEA can also support
Google Authentication as suggested in Bug 19887.


[Bug 19886] Two Factor Authentication: Yubikey

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19886

Magnus Enger <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]
           See Also|                            |https://bugs.koha-community
                   |                            |.org/bugzilla3/show_bug.cgi
                   |                            |?id=19887


[Bug 19886] Two Factor Authentication: Yubikey

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19886

Magnus Enger <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |20476


Referenced Bugs:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476
[Bug 20476] Two factor authentication for the staff client - omnibus

[Bug 19886] Two Factor Authentication: Yubikey

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19886

Sally Healey <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sally.healey@cheshireshared
                   |                            |services.gov.uk


[Bug 19886] Two Factor Authentication: Yubikey

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19886

--- Comment #2 from Michal Denar <[hidden email]> ---
Hi,
here is some useful information on implementing U2F in Perl:
http://blogs.perl.org/users/mschout/2018/01/testing-fidou2f-two-factor-authentication.html


[Bug 19886] Two Factor Authentication: Yubikey

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19886

Michal Denar <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |In Discussion


[Bug 19886] Two Factor Authentication: Yubikey

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19886

David Cook <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


[Bug 19886] Two Factor Authentication: Yubikey

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19886

Ray Delahunty <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #3 from Ray Delahunty <[hidden email]> ---
Koha needs additional layers of authentication. With the spread of equipment
such as Amazon-locker type units to hold (often expensive) items obtained for
interlibrary loan, and kit such as laptop loan units, there is the danger of
unauthorised use via SIP2. Sites using RFID user cards with the cardnumber
embedded on them are vulnerable to stock loss if a user card is lost and then
found and used maliciously. Adding PIN functionality (for example) would reduce
this risk.


[Bug 19886] Two Factor Authentication: Yubikey

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19886

--- Comment #4 from David Cook <[hidden email]> ---
(In reply to Jon Knight from comment #1)
> Is this something that needs to be built into Koha, or is it better to make
> use of existing third party systems such as PrivacyIDEA
> (https://www.privacyidea.org/) that can be used in conjunction with normal
> SSO mechanisms?  For example we (Loughborough University) have tested
> Yubikeys with PrivacyIDEA and simpleSAMLphp IdP and it works, and we already
> know that Koha can use the SAML2.0 authentication assertions from the IdP
> (as that's what we're doing in production with PTFS-E).  PrivacyIDEA can
> also support Google Authentication as suggested in Bug 19887.

I wonder about this as well. I'm fond of Keycloak for this purpose. It can use
SAML or OpenID Connect. I have a local OpenID Connect client I wrote for Koha,
and I've thought about using Keycloak in the test plan for when I finish the
patches for Bugzilla...

That said, adding support to Koha would make it easy for people to have more
secure out of the box implementations without needing more third party
software.


[Bug 19886] Two Factor Authentication: Yubikey

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19886

--- Comment #5 from David Cook <[hidden email]> ---
(In reply to Ray Delahunty from comment #3)
> Koha needs additional layers of authentication. With the spread of equipment
> such as Amazon-locker type units to hold (often expensive) items obtained
> for interlibrary loan, and kit such as laptop loan units, there is the
> danger of unauthorised use via SIP2. Sites using RFID user cards with the
> cardnumber embedded on them are vulnerable to stock loss if a user card is
> lost and then found and used maliciously. Adding PIN functionality (for
> example) would reduce this risk.

Additional layers of authentication could be used for Staff Client login or
OPAC login, but I don't think the layers you describe are very realistic for
most libraries (i.e. I worked on the front lines of libraries for years and
getting patrons to remember a number or a card is hard enough in itself). I
also think they're a different use case than what is being described in this
bug report. But an interesting idea.


[Bug 19886] Two Factor Authentication: Yubikey

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19886

--- Comment #6 from David Cook <[hidden email]> ---
I'd be open to testing work to add support for Yubikey to Staff Client auth.


[Bug 19886] Two Factor Authentication: Yubikey

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19886

Aaron Sakovich <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #7 from Aaron Sakovich <[hidden email]> ---
The FIDO Alliance has published a new website promoting FIDO2 for both
consumers and providers. FIDO2 includes Yubikey and other key vendor support,
as well as biometrics (facial scans and fingerprint), and personal PINs.

https://loginwithfido.com/provider/

This is an established and well-supported standard, defined by both the FIDO
Alliance and W3C's WebAuthn. Just dropping this here as I think it might be a
better, all-encompassing approach to authentication in general, beyond just
adding 2FA, and is way easier for the end-user with its multiple supported
authenticators, not just a single vendor's hardware key.


[Bug 19886] Two Factor Authentication: Yubikey

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19886

--- Comment #8 from David Cook <[hidden email]> ---
(In reply to Aaron Sakovich from comment #7)

> The FIDO Alliance has published a new website promoting FIDO2 for both
> consumers and providers. FIDO2 includes Yubikey and other key vendor
> support, as well as biometrics (facial scans and fingerprint), and personal
> PINs.
>
> https://loginwithfido.com/provider/
>
> This is an established and well-supported standard, defined by both the FIDO
> Alliance and W3C's WebAuthn. Just dropping this here as I think it might be
> a better, all-encompassing approach to authentication in general, beyond
> just adding 2FA, and is way easier for the end-user with its multiple
> supported authenticators, not just a single vendor's hardware key.

Sounds good to me.
