Allow U2F 2FA without TOTP #11573
Allow U2F 2FA without TOTP #11573
Conversation
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment has been hidden.
This comment has been hidden.
This comment has been hidden.
This comment has been hidden.
|
IMHO We should enforce totp since u2f is currently only supported in a few browsers. |
|
Why unconditionally load the JS? Can we not gate it behind some variable that only loads it on pages where it's needed? As it's right now it will load on every single page which I find quite bad. |
|
@jonasfranz It's not possible to set up U2F in a non-supporting browser in the first place. |
|
@silverwind If I understand correctly, currently the U2F js would also load on every page, as long as the user is enrolled in TOTP. The core issue seems to be that the loading of that file happens in the footer template. To address this, I'd move the loading to |
|
what to do with the API since there is no auth for U2F there, so at least we should put a hint if U2F is enabled without TOTP, to interact with the API the user has to create a token itself |
|
Hmm, I didn't think about the API. Back to the drawing board. |
|
@kdomanski I think its fine we just have to inform the user ... |
|
Thx for cc'ing, but I cannot review this PR as I don't know the technologies involved (Go etc.). That said, if it fixes #5410 as stated there, I'm happy the change get's into gitea. |
|
Updated tests which were setting U2F on root user without enabling TOTP. |
|
@6543 Is it possible to use the API with login/password and TOTP? I couldn't find anything in the docs. I could add a hint in the body of the API unauthorized response, but it seems like it's orthogonal to this PR and belongs in another one. |
|
I would ad no hit to api 403 responce and yes we should add add this to swagger docs #11667 (a other pull) |
|
but when adding a U2F key without an existing TOTP a hint on the UI could warn about API and account recovery etc ... |
|
@kdomanski Many users are using multiple devices. I think we should require TOTP by default and make a configuration option to disable this requirement. |
|
+1 to @jonasfranz's suggestion. From a security perspective the best practice on the user's side is to have two or more U2F devices, so that one can serve as a backup if the other is lost. |
|
Then we would gain nothing, if you want a config, do the reverse: enable a config that requires TOTP before U2F. We want U2F without TOTP. By default. |
|
Added a warning box that only appears when there's no TOTP enrollment. |
|
@rugk imho github also allow u2f only if you have topt enrolled |
|
Google also allows TOTP to be disabled. In fact, Google offers a mode for its high-risk users in which an account cannot be configured with TOTP, SMS, or other alternate forms of authentication. (Turning this mode off incurs a mandatory delay of several weeks, and may incur a requirement to present legal identification.) |
|
Aside from TOTP warning comment above I would also add additional warning whenever user has less than 2 U2F keys (second key as backup in case first is lost or breaks). |
|
since now a admin can reset 2FA it's less concerning that user can loose access to it's account |
kdomanski
force-pushed
the
independent-u2f
branch
2 times, most recently
from
3399a9c
to
94cf08c
|
Why was this closed? |
Apologies for the late review. I've updated this to head and I think this is now ready
Signed-off-by: Andrew Thornton <[email protected]>
|
|
This change enables the usage of U2F without being forced to enroll an TOTP authenticator.
The
/user/auth/u2fhas been changed to hide the "use TOTP instead" bar if TOTP is not enrolled.Fixes #5410
Fixes #17495
The text was updated successfully, but these errors were encountered: