Hi,
I can not think of a way how to get this to work with the drupal permission system and I don't have an actual case I would need this but how about the option to let "normal" users login without 2-factor auth but make it mandatory for users with higher permissions. The thing that get's in the way is the inheritance of permissions.
The point is that accounts with higher privileges should be more secure - now it's the other way round. Don't get me wrong I think I understand the intention and I really think "superadministrators" should be able to turn off 2-factor for their accounts because they hopefully know how to secure their account but I think of moderators or similar roles whose accounts should be secured because an attacker could do more harm with their accounts but I don't want any user dropping by for 1 or 2 comments have to deal with 2-factor auth.
Maybe it could be done by a new permission "Can use ga_login". I wouldn't mind if "normal" users couldn't use 2-factor auth at all and only administrators/moderators could use it at all.
Please see this as a nice to have or some random input not an actual feature request.
| Comment | File | Size | Author |
|---|---|---|---|
| #21 | 1834290-21-ga_login_2_step_refactor.patch | 8.54 KB | bkonetzny |
Comments
Comment #1
patoshi commentedYes this is an issue for me aswell. I only want moderators to be able to use 2 step authentication. now my customers are required to set this up when logging in, which is very cumbersome for a retail oriented site.
The permission should be changed to "LOGIN WITH CODE" instead of "LOGIN WITHOUT CODE" so this will work with other roles and goes around the drupal permissions system.
Comment #2
attiks commentedThere's a permission 'Login without code' to bypass the ga_login, we can add a new permisson 'Has to login with a code' so you can enforce this?
PS: For uid 1 we already have the account option 'Protect my account with two-factor-authentication'
Comment #3
patoshi commentedyes that would be a good idea.
Comment #4
Anonymous (not verified) commented@#2 I think that doesn't work. I enable 'Login without GA' for all user roles, then select for uid 1 "protect my account".
But then I cannot access this page: /user/1/ga_login
It just shows the user profile page, with no options to add GA.
Comment #5
attiks commented#4 I just tried it again, and it should work, can you try clearing your cache?
The tab should always be visible for uid 1
Comment #6
Anonymous (not verified) commentedOk it works, I forgot the configuration settings "force uid 1", I was looking at my user/1/edit page.
The issue I have is that anonymous users should not see the 'code' box. I would like to see a 2-step login page, like first login, then redirect to "enter your GA code".
Comment #7
attiks commentedRe-titling to reflect #6, patches are welcomed since I don't have any time to work on this.
Comment #8
ben coleman commentedThe original title pretty much expresses what I'm looking for. And the additional page for entering the GA code seems to be pretty much standard for other sites implementing GA. If I get time I'll look at doing a patch, but don't depend on it.
Comment #9
attiks commented#8 Any chance for a patch, so we can add this to the new release?
Comment #10
wiifmAlright, we have a pressing client need to implement two factor authentication but only for certain administrators (leaving the general public to not use this).
As the module presently stands, it is impossible to implement this functionality as the code is right there on the user login screen. This is causing side issues like the ones found in #2161125: Ga_login $account check assumes username is valid, displays errors if not.
I have re-written a large chunk of the module, here are some key changes:
element_validate_integer_positive()rather than custom codehook_form_FORM_ID_alter()rather thanhook_form_alter()- this is a performance issue as the later hook runs on every formmodule_load_include()callsAs this is such a fundamental change, I am after feedback from both the module maintainers and anyone interested in this functionality. If no module maintainer responds I will bump this to the webmasters queue ;)
Comment #11
attiks commented#10 Great work, some remarks, questions
you renamed the permissions, so we need an update function
Can we make so that an admin can choose to use 1 form or not?
Comment #12
attiks commentedJust a heads up that this patch will probably needs to be re-rolled since I committed some other patches, and we need an update function to rename the permissions and I would love to see an option to switch between single page or multi page form.
Comment #13
attiks commentedI cherry picked some parts of the patch and created #2208195: use hook_form_FORM_ID_alter
Comment #14
attiks commentedBack to NW for the two-step form
Comment #15
bkonetzny commentedAttached a partial port of the patch from #10 to the latest dev.
I didn't test this enough but before someone else starts the same, I provide my work in progress here.
Class loading is reverted to the "old way", because I got ClassNotFound errors with the new version.
Comment #16
bkonetzny commentedReworked patch to include an option to have a single step or two step login form.
Comment #18
attiks commentedI think it will be easier to upload the patch without renaming the permissions. If you want to rename the permissions we need an update function and the tests needs to be adapted
Comment #19
bkonetzny commentedI will create a new issue for renaming the permissions, this seems to be more work as expected and we can fix the tests and update login in the new issue. I'll provide a modified patch later.
Comment #20
bkonetzny commentedReverted several code changes and permission naming.
Comment #21
bkonetzny commentedForgot the admin setting for two-factor auth... :/
Comment #22
bkonetzny commentedUpdating issue status back to "Needs review", will this force a test of patch from #21?
Comment #24
attiks commentedPatch looks good, can you add tests for it?
Comment #25
bkonetzny commentedWhile writing the tests, I notices that the 2-step login form behaves differently in case the code is not set and the user might set the code once. I'll fix this and provide the tests for the 2-step form.
Comment #26
attiks commented@bkonetzny thanks, this might solve #2028373-16: Bypassing GA auth vulnerability as well, but if it's too complex we can handle it separately.
Comment #27
jelle_s@bkonetzny Any progress on the patch?
Comment #28
jeff.esquivel commentedAny updates on this?
I have the need for a 2-step login page too for a project I'm working on and would gladly help finish whatever work was left unfinished (I'd rather do something that can be contributed back than to hack my own solution just for this project).
Comment #29
bkonetzny commentedI'm sorry but didn't make any progress on this.
Setting this issue to unassigned until I can continue work on this or someone else takes over.
Comment #30
kporras07 commented#21 works perfectly for me. However; I'd like to know what is missing around here for helping to get a patch that could be applied to dev version.
@bkonetzny; what is pending here?
Comment #31
bkonetzny commentedWell, according to #25 there are tests missing for this.
So current tests should still be green, but there is no test for the new behavior.