rejetto forum

Adding Two-Factor Authentication (2FA) to HFS

0 Members and 1 Guest are viewing this topic.

Offline LeoNeeson

  • Tireless poster
  • ****
    • Posts: 859
  • Status: On hiatus       (sporadically here)
    • View Profile
    • twitter.com/LeoNeeson
Since HFS currently depends only on a primitive and weak HTTP/1.1 login system (where unless you use SSL, the password travels in clear text, encoded in Base64), I was thinking it would be nice if HFS implements a simple Two-Factor Authentication system (also known as TOTP or 2FA). This system is a time-based password algorithm (which change every 30 seconds), added on top of the current login. This way, if someone steals the user/pass, they could not get through the TOTP/2FA system (since the 2FA would prevent the access to your private account and files, even if they know the password).

- How this works on the server?
The server needs to generate a secret key (only once, when setting up the 2FA), and it would store that secret key (encoded in Base32) along with the user/pass (I'm always talking about the server part). At user/client level, when TOTP is enabled on HFS, it should check if the credentials (user/pass) are correct first, and then if they are valid it should ask for the 2-Factor Authentication Code. To make this work (like I've said), HFS should store (along with the username and password) the 2FA 'secret key' needed to generate the 2FA time-based codes. The rest of the work flow (at server level) can be read here. To end-users, I guess most of you know how the Two-Factor Authentication works, since Gmail already use it since several years (check out this, if have any doubts).

- Implementing TOTP on HFS using a free Delphi library
After a deep search, I've found a small Delphi/FreePascal/Lazarus library, that could make easy the implementation on HFS: https://github.com/nikosdion/timecode

And now that version 2.4 is on beta test (and since HFS is doing a step from v2.3 to v2.4), I think is a great time to make the server a little more secure by default. I hope Rejetto like and welcome the idea, and if anyone here could collaborate at code level to make this works on HFS, it would be great :) (this is only a suggestion, not a petition to add it).

Cheers,
Leo.-
HFS in Spanish (HFS en Español) / How to compile HFS (Tutorial)
» Currently taking a break, until HFS v2.4 get his stable version.