rejetto forum

Software => HFS ~ HTTP File Server => Programmers corner => Topic started by: LeoNeeson on September 23, 2018, 01:16:24 AM

Title: Adding Two-Factor Authentication (2FA) to HFS
Post by: LeoNeeson on September 23, 2018, 01:16:24 AM
Since HFS currently depends only on a primitive and weak HTTP/1.1 login system (where, unless you use SSL, the password travels in clear text, encoded in Base64), I was thinking it would be nice if HFS implemented a simple Two-Factor Authentication system (also known as TOTP or 2FA). This system is a time-based password algorithm (which changes every 30 seconds), added on top of the current login. This way, if someone steals the user/pass, they could not get through the TOTP/2FA system (since the 2FA would prevent access to your private account and files, even if they know the password).

- How does this work on the server?
The server needs to generate a secret key (only once, when setting up the 2FA), and it would store that secret key (encoded in Base32) along with the user/pass (I'm always talking about the server part). At user/client level, when TOTP is enabled on HFS, it should first check if the credentials (user/pass) are correct, and then, if they are valid, it should ask for the 2-Factor Authentication Code. To make this work (like I've said), HFS should store (along with the username and password) the 2FA 'secret key' needed to generate the 2FA time-based codes. The rest of the workflow (at server level) can be read here (https://techblog.bozho.net/enabling-two-factor-authentication-web-application/). For end-users, I guess most of you know how Two-Factor Authentication works, since Gmail has already been using it for several years (check out this (https://www.turnon2fa.com/#what-is), if you have any doubts).

- Implementing TOTP on HFS using a free Delphi library
After a deep search, I've found a small Delphi/FreePascal/Lazarus library that could make the implementation on HFS easy: https://github.com/nikosdion/timecode

And now that version 2.4 (http://rejetto.com/forum/index.php?topic=13060.0) is in beta test (and since HFS is taking a step from v2.3 to v2.4), I think it is a great time to make the server a little more secure by default. I hope Rejetto likes and welcomes the idea, and if anyone here could collaborate at code level to make this work on HFS, it would be great :) (this is only a suggestion, not a petition to add it).

Cheers,
Leo.-
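The server-side flow described in the post above (generate a secret once, store it Base32-encoded next to the user/pass, then check a 30-second time-based code after the password succeeds) is shown here as an added example in Python; it is not HFS code and not the timecode Delphi library. It implements RFC 4226 HOTP and RFC 6238 TOTP with the standard library only, and the sample secret is the RFC 6238 test-vector key (the ASCII string "12345678901234567890"), used here as constructed input so the codes can be checked against the published vectors. The `TotpVerifier` class, the `STEP_SECONDS`/`DIGITS` constants and the drift window of one step are assumptions of this example, not something the thread specifies.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

# Assumed parameters (RFC 6238 defaults used by most authenticator apps).
STEP_SECONDS = 30
DIGITS = 6


def generate_secret(num_bytes: int = 20) -> str:
    """Create a random shared secret and return it Base32-encoded.
    This is the value the server stores alongside the user/pass and
    shows to the user (usually as a QR code) exactly once at setup."""
    return base64.b32encode(secrets.token_bytes(num_bytes)).decode("ascii")


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[int] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    if at_time is None:
        at_time = int(time.time())
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    return hotp(key, at_time // step, digits)


def verify_totp(secret_b32: str, submitted: str,
                at_time: Optional[int] = None, window: int = 1) -> bool:
    """Stateless server-side check: accept the current step plus `window`
    steps either side to tolerate clock drift, comparing in constant time."""
    if at_time is None:
        at_time = int(time.time())
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, at_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


class TotpVerifier:
    """Stateful check with a replay guard: a time step that already produced
    a successful login is never accepted again for that user, so a code
    sniffed from a clear-text login cannot be re-sent within its 30 s."""

    def __init__(self, window: int = 1) -> None:
        self.window = window
        self._last_step: Dict[str, int] = {}  # username -> last accepted counter

    def check(self, username: str, secret_b32: str, submitted: str,
              at_time: Optional[int] = None) -> bool:
        if at_time is None:
            at_time = int(time.time())
        key = base64.b32decode(secret_b32.upper(), casefold=True)
        base = at_time // STEP_SECONDS
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self._last_step.get(username, -1):
                continue  # already consumed (or older than a consumed step)
            if hmac.compare_digest(hotp(key, counter), submitted):
                self._last_step[username] = counter
                return True
        return False


# Constructed sample: the RFC 6238 test-vector secret, Base32-encoded.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode("ascii")

if __name__ == "__main__":
    print("stored secret:", RFC_SECRET)
    print("8-digit code at T=59:", totp(RFC_SECRET, at_time=59, digits=8))
    v = TotpVerifier()
    print("first use accepted:", v.check("leo", RFC_SECRET, totp(RFC_SECRET, 59), 59))
    print("replay accepted:", v.check("leo", RFC_SECRET, totp(RFC_SECRET, 59), 59))
```

The password check comes first and the TOTP check only runs on success, matching the order the post describes; the replay guard is the piece a defender most often forgets, since without it a code captured from an unencrypted login remains valid for the rest of its time step.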
Title: Re: Adding Two-Factor Authentication (2FA) to HFS
Post by: bmartino1 on September 23, 2018, 06:34:27 AM
Thumbs up

HTML and JavaScript implementation example:

https://www.codeproject.com/Articles/513774/Two-Factor-Authentication-with-JavaScript-and-HTML