Hi,

I can not think of a way how to get this to work with the drupal permission system and I don't have an actual case I would need this but how about the option to let "normal" users login without 2-factor auth but make it mandatory for users with higher permissions. The thing that get's in the way is the inheritance of permissions.

The point is that accounts with higher privileges should be more secure - now it's the other way round. Don't get me wrong I think I understand the intention and I really think "superadministrators" should be able to turn off 2-factor for their accounts because they hopefully know how to secure their account but I think of moderators or similar roles whose accounts should be secured because an attacker could do more harm with their accounts but I don't want any user dropping by for 1 or 2 comments have to deal with 2-factor auth.

Maybe it could be done by a new permission "Can use ga_login". I wouldn't mind if "normal" users couldn't use 2-factor auth at all and only administrators/moderators could use it at all.

Please see this as a nice to have or some random input not an actual feature request.

Comments

patoshi’s picture

Yes this is an issue for me aswell. I only want moderators to be able to use 2 step authentication. now my customers are required to set this up when logging in, which is very cumbersome for a retail oriented site.

The permission should be changed to "LOGIN WITH CODE" instead of "LOGIN WITHOUT CODE" so this will work with other roles and goes around the drupal permissions system.

attiks’s picture

There's a permission 'Login without code' to bypass the ga_login, we can add a new permisson 'Has to login with a code' so you can enforce this?

PS: For uid 1 we already have the account option 'Protect my account with two-factor-authentication'

patoshi’s picture

yes that would be a good idea.

Anonymous’s picture

@#2 I think that doesn't work. I enable 'Login without GA' for all user roles, then select for uid 1 "protect my account".

But then I cannot access this page: /user/1/ga_login
It just shows the user profile page, with no options to add GA.

attiks’s picture

#4 I just tried it again, and it should work, can you try clearing your cache?

The tab should always be visible for uid 1

Anonymous’s picture

Ok it works, I forgot the configuration settings "force uid 1", I was looking at my user/1/edit page.

The issue I have is that anonymous users should not see the 'code' box. I would like to see a 2-step login page, like first login, then redirect to "enter your GA code".

attiks’s picture

Title: Make 2-factor optional for normal user but mandatory for roles with more privileges » I would like to see a 2-step login page
Priority: Minor » Normal

Re-titling to reflect #6, patches are welcomed since I don't have any time to work on this.

ben coleman’s picture

The original title pretty much expresses what I'm looking for. And the additional page for entering the GA code seems to be pretty much standard for other sites implementing GA. If I get time I'll look at doing a patch, but don't depend on it.

attiks’s picture

Status: Active » Needs work

#8 Any chance for a patch, so we can add this to the new release?

wiifm’s picture

Issue summary: View changes
Status: Needs work » Needs review
StatusFileSize
new24.08 KB

Alright, we have a pressing client need to implement two factor authentication but only for certain administrators (leaving the general public to not use this).

As the module presently stands, it is impossible to implement this functionality as the code is right there on the user login screen. This is causing side issues like the ones found in #2161125: Ga_login $account check assumes username is valid, displays errors if not.

I have re-written a large chunk of the module, here are some key changes:

  • Use element_validate_integer_positive() rather than custom code
  • Namespacing the permissions as they were likely to clash with other modules
  • Using hook_form_FORM_ID_alter() rather than hook_form_alter() - this is a performance issue as the later hook runs on every form
  • Refactored the login process to validate username and password first, before the google login code on a seperate screen (only if needed)
  • If the user is required to have a Google login code and has not created one, then they are logged in and can do that in their user profile (as per normal)
  • Remove module qr_codes as there is no Drupal 7 release
  • Utilise Drupal 7's autoloading functionality and removed a lot of module_load_include() calls

As this is such a fundamental change, I am after feedback from both the module maintainers and anyone interested in this functionality. If no module maintainer responds I will bump this to the webmasters queue ;)

attiks’s picture

#10 Great work, some remarks, questions

  1. +++ b/ga_login.module
    @@ -53,33 +53,33 @@ function ga_login_create_access($target_account, $account = NULL) {
    +    $access = user_access('create own ga_login code', $account) || user_access('create others ga_login codes', $account);
    

    you renamed the permissions, so we need an update function

  2. +++ b/ga_login.module
    @@ -533,61 +515,144 @@ function ga_login_test_form_submit($form, $form_state) {
    + * Helper function for altering the login forms.
    

    Can we make so that an admin can choose to use 1 form or not?

attiks’s picture

Just a heads up that this patch will probably needs to be re-rolled since I committed some other patches, and we need an update function to rename the permissions and I would love to see an option to switch between single page or multi page form.

attiks’s picture

I cherry picked some parts of the patch and created #2208195: use hook_form_FORM_ID_alter

attiks’s picture

Status: Needs review » Needs work

Back to NW for the two-step form

bkonetzny’s picture

StatusFileSize
new13.55 KB

Attached a partial port of the patch from #10 to the latest dev.
I didn't test this enough but before someone else starts the same, I provide my work in progress here.
Class loading is reverted to the "old way", because I got ClassNotFound errors with the new version.

bkonetzny’s picture

Status: Needs work » Needs review
StatusFileSize
new14.07 KB

Reworked patch to include an option to have a single step or two step login form.

Status: Needs review » Needs work

The last submitted patch, 16: 1834290-16-ga_login_2_step_refactor.patch, failed testing.

attiks’s picture

I think it will be easier to upload the patch without renaming the permissions. If you want to rename the permissions we need an update function and the tests needs to be adapted

bkonetzny’s picture

I will create a new issue for renaming the permissions, this seems to be more work as expected and we can fix the tests and update login in the new issue. I'll provide a modified patch later.

bkonetzny’s picture

StatusFileSize
new7.94 KB

Reverted several code changes and permission naming.

bkonetzny’s picture

StatusFileSize
new8.54 KB

Forgot the admin setting for two-factor auth... :/

bkonetzny’s picture

Status: Needs work » Needs review

Updating issue status back to "Needs review", will this force a test of patch from #21?

The last submitted patch, 10: 1834290-ga_login_2_step_refactor.patch, failed testing.

attiks’s picture

Patch looks good, can you add tests for it?

bkonetzny’s picture

Assigned: Unassigned » bkonetzny
Status: Needs review » Needs work

While writing the tests, I notices that the 2-step login form behaves differently in case the code is not set and the user might set the code once. I'll fix this and provide the tests for the 2-step form.

attiks’s picture

@bkonetzny thanks, this might solve #2028373-16: Bypassing GA auth vulnerability as well, but if it's too complex we can handle it separately.

jelle_s’s picture

@bkonetzny Any progress on the patch?

jeff.esquivel’s picture

Any updates on this?

I have the need for a 2-step login page too for a project I'm working on and would gladly help finish whatever work was left unfinished (I'd rather do something that can be contributed back than to hack my own solution just for this project).

bkonetzny’s picture

Assigned: bkonetzny » Unassigned

I'm sorry but didn't make any progress on this.
Setting this issue to unassigned until I can continue work on this or someone else takes over.

kporras07’s picture

#21 works perfectly for me. However; I'd like to know what is missing around here for helping to get a patch that could be applied to dev version.
@bkonetzny; what is pending here?

bkonetzny’s picture

Well, according to #25 there are tests missing for this.
So current tests should still be green, but there is no test for the new behavior.