Since HFS currently depends only on a primitive and weak HTTP/1.1 login system (where unless you use SSL, the password travels in clear text, encoded in Base64), I was thinking it would be nice if HFS implements a simple Two-Factor Authentication system (also known as TOTP or 2FA). This system is a time-based password algorithm (which change every 30 seconds), added on top of the current login. This way, if someone steals the user/pass, they could not get through the TOTP/2FA system (since the 2FA would prevent the access to your private account and files, even if they know the password).
- How this works on the server?The server needs to generate a secret key (only once, when setting up the 2FA), and it would store that secret key (encoded in Base32) along with the user/pass (I'm always talking about the server part). At user/client level, when TOTP is enabled on HFS, it should check if the credentials (user/pass) are correct first, and then if they are valid it should ask for the 2-Factor Authentication Code. To make this work (like I've said), HFS should store (along with the username and password) the 2FA 'secret key' needed to generate the 2FA time-based codes. The rest of the work flow (at server level) can be read
here. To end-users, I guess most of you know how the Two-Factor Authentication works, since Gmail already use it since several years (
check out this, if have any doubts).
- Implementing TOTP on HFS using a free Delphi libraryAfter a deep search, I've found a small Delphi/FreePascal/Lazarus library, that could make easy the implementation on HFS:
https://github.com/nikosdion/timecodeAnd now that
version 2.4 is on beta test (and since HFS is doing a step from v2.3 to v2.4), I think is a great time to make the server a little more secure by default. I hope Rejetto like and welcome the idea, and if anyone here could collaborate at code level to make this works on HFS, it would be great
(this is only a suggestion, not a petition to add it).
Cheers,
Leo.-