
Supporting Mongoid and Yubikey OTPs #5

Closed
eimermusic opened this issue May 28, 2013 · 4 comments

@eimermusic

Hi,
I was looking to extract some second factor auth stuff into a gem and found this to be a nice start. My requirements go a bit further in that I also need to support Yubikey and Mongoid.

I have a fork
https://github.com/eimermusic/devise_google_authenticator

Where I have:
• implemented support for Mongoid (3) (the tests don't run the Mongoid backend)
• Possibly broken AR support (tests still pass)
• Added Yubikey OTP support.
• Users can have Google (OATH TOTP) and Yubikey active at the same time and login using either one.
• Not aliasing create in sessions controller (using a before filter instead).
• Various other refactorings and changes.
• No new tests (yet) for my added features.

Because I have taken my fork 2 steps sideways I am not at all sure if any of it would be suitable to merge back. Let me know if you would like me to create some PRs for any of the changes.

@xntrik

xntrik commented Jun 26, 2013

I would certainly be interested in the Mongoid support - I believe the yubikey should probably remain separate? Although, this may be an ideal separate gem for Devise?

And any other tidyups / refactorings of my code would certainly be useful as most of it was hacked together.

@xntrik

xntrik commented Mar 28, 2014

I've since merged in Mongoid support... are you still desiring Yubikey support as well?

@eimermusic

I should check that out. I have been working off my fork for a while.

I like the Yubikey. It is the only reasonably priced physical auth token I am aware of.

Here is my thinking. IMO Devise (or rather, Warden) support for multi-factor is a bit of a mess. I cannot imagine having an app with 2-3 different multi-factor plugins to support TOTP, SMS, Yubikey or anything else. If an app is to support multiple "second factors", one plugin to Devise should do it all... or offer a pluggable system of its own.

The way I have it implemented is that you can have multiple "second factors" enabled at once. So the single form field takes a "code" and then figures out which type it is and validates it with the correct backend. So when I am at my desk the Yubikey is way faster than pulling out my phone but if I am caught without my Yubikey handy I can just enter a TOTP code instead.

Allowing multiple code backends to validate technically lowers security, but with these two types it is not a problem in practice given that their formats differ and are easily identified.

Ideally, plugins of an MFA plugin should be able to register a code regex and a validation_handler or something like that. I have not gone down that road yet in my fork... maybe when I find another backend I want to support... like "backup codes" or something similar.

What's your take on all this?
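The dispatch-by-format design sketched in the comment above (one "code" field, each backend registering a regex plus a validation handler, TOTP and Yubikey enabled side by side, backup codes as a possible third backend) as an added example. This is editorial illustration code, not the gem's code and not eimermusic's fork. `SecondFactor::Registry`, `build_registry`, the `User` struct and the `yubikey_validator` injection point are all assumed names for this example; the TOTP half is a complete RFC 4226/6238 implementation over the standard library, while the Yubikey half only checks the public ID and the modhex format locally and hands the rest to whatever validation-server client is injected (the default rejects everything, so it fails closed offline). The one security-relevant addition to the comment's design is that a code matching more than one registered pattern is refused rather than tried against each backend, which is what keeps "multiple backends" from widening what a single submitted code can unlock.

```ruby
require 'openssl'
require 'digest'

# RFC 4226 HOTP / RFC 6238 TOTP over HMAC-SHA1; secret is the raw key bytes.
def hotp(secret, counter, digits = 6)
  hmac = OpenSSL::HMAC.digest('sha1', secret, [counter].pack('Q>')).bytes
  offset = hmac[19] & 0x0f
  bin = ((hmac[offset] & 0x7f) << 24) | (hmac[offset + 1] << 16) |
        (hmac[offset + 2] << 8) | hmac[offset + 3]
  (bin % 10**digits).to_s.rjust(digits, '0')
end

def totp(secret, unix_time, step = 30)
  hotp(secret, unix_time / step)
end

# Constant-time comparison so a wrong code leaks nothing through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Stand-in for the Devise user record (constructed for this example).
User = Struct.new(:totp_secret, :yubikey_public_id, :backup_code_hashes)

module SecondFactor
  Backend = Struct.new(:name, :pattern, :handler)

  class Registry
    def initialize
      @backends = []
    end

    # A backend claims a code format with an anchored regex and supplies the
    # handler that verifies a code of that format for a user.
    def register(name, pattern, &handler)
      @backends << Backend.new(name, pattern, handler)
      self
    end

    # Dispatch one submitted code. Exactly one backend must claim the format;
    # a code that matches several is refused instead of being tried against
    # each, so adding a backend can never widen what an existing code accepts.
    # Returns [:ok, name], [:invalid, name], [:ambiguous, names] or [:unknown, nil].
    def verify(user, submitted)
      code = submitted.to_s.strip.delete(' ')
      claimants = @backends.select { |b| b.pattern.match?(code) }
      return [:unknown, nil] if claimants.empty?
      return [:ambiguous, claimants.map(&:name)] if claimants.size > 1
      b = claimants.first
      b.handler.call(user, code) ? [:ok, b.name] : [:invalid, b.name]
    end
  end

  # Standard Yubikey OTP: 44 modhex chars, the first 12 being the key's public ID.
  MODHEX_OTP = /\A[cbdefghijklnrtuv]{44}\z/

  # clock returns unix seconds; yubikey_validator is the hypothetical client for
  # a Yubikey validation server (YubiCloud or a local one). The default rejects
  # everything, so the example fails closed when run offline.
  def self.build_registry(clock: -> { Time.now.to_i }, yubikey_validator: ->(_otp) { false })
    r = Registry.new

    # Google Authenticator (OATH TOTP): six digits, current step +/- one for drift.
    r.register(:totp, /\A\d{6}\z/) do |user, code|
      next false unless user.totp_secret
      now = clock.call
      (-1..1).any? { |w| secure_compare(totp(user.totp_secret, now + w * 30), code) }
    end

    # Yubikey: check the public ID belongs to this user, then let the validation
    # server (which holds the key's AES secret and replay counter) judge the
    # remaining 32 chars.
    r.register(:yubikey, MODHEX_OTP) do |user, code|
      next false unless user.yubikey_public_id
      next false unless secure_compare(code[0, 12], user.yubikey_public_id)
      yubikey_validator.call(code)
    end

    # Backup codes: a third format (xxxx-xxxx hex) that cannot collide with the
    # other two; stored hashed and consumed on first use.
    r.register(:backup, /\A[0-9a-f]{4}-[0-9a-f]{4}\z/) do |user, code|
      next false unless user.backup_code_hashes
      digest = Digest::SHA256.hexdigest(code)
      idx = user.backup_code_hashes.index { |stored| secure_compare(stored, digest) }
      next false unless idx
      user.backup_code_hashes.delete_at(idx)
      true
    end

    r
  end
end
```

To wire this into a Devise sessions controller you would call `registry.verify(current_user, params[:code])` from the before filter and only treat `[:ok, _]` as a pass; `:ambiguous` is the case to watch when a new backend is added, since a digit-only SMS or backup-code format would collide with the TOTP pattern and the registry would then refuse all six-digit codes until the patterns are made disjoint.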

@xntrik

xntrik commented Feb 8, 2015

I'm going to close this issue, but track multi-provider support in Issue #17.

@xntrik xntrik closed this as completed Feb 8, 2015