[NEW] Two Factor Auth

[rodrigok]

@RocketChat/core

Closes #1034

[rodrigok]

@rafaelks @laggedHero You guys will need to implement this.

1. It will only work with password login now
2. You will receive a new error on login {error: 'totp-required'}
3. When you receive that error you should ask user for the 2FA code
4. And submit the login again with the format:

{
	totp: {
		login: {
			user: SAME_USER_OBJECT,
			password: 'SAME_PASSWORD'
		},
		code: 'THE_CODE'
	}
}

5. You will receive {error: 'totp-invalid'} if the code is invalid

[geekgonecrazy]

It tells you to make sure you have a copy of your backup codes but there don't appear to be backup codes at this point.

We should either Generate them right away and show them in the alert telling them to store them somewhere safe... Or change the wording initially from "Regenerate Backup codes" to "Generate Backup codes" Because until they have been generated once they cannot be "Regenerated"

Also even when I click Regenerate I get no codes.

[geekgonecrazy]

Can we change this a bit? Maybe something like:

WARNING: Please make sure your mobile app supports 2FA authentication before enabling. See <a href="https://github.com/RocketChat/Rocket.Chat.iOS/issues/375">Rocket.Chat+ iOS</a> or <a href="https://github.com/RocketChat/Rocket.Chat.Android/issues/248">Rocket.Chat+ Android</a> for current status.

WARNING: Please make sure your mobile app supports 2FA authentication before enabling. See Rocket.Chat+ iOS or Rocket.Chat+ Android for current status.

Feels less critical :)

[graywolf336]

I believe this was only meant to be temporary until the mobile applications actually support it, which is why it isn't translated and is only in english.

[geekgonecrazy]

Not too worried about the translation. If for what ever reason this makes it to a release before its supported. This is much better lingo to have its less critical toward the mobile guys :)

[sampaiodiego]

@geekgonecrazy please try it clearing you .meteor/local folder (except the db).. because it shows up your backup codes, but as you can see you have i18n problems, that's why it doens't showed up to you.

if you clear your .meteor/local folder you should fix i18n problems 😉

[graywolf336]

Can we get a server up somewhere with this enabled? That way we can all test it out easily and correctly? And that way the mobile developers can test it out

[sampaiodiego]

@graywolf336 I'm trying to get it running on heroku with no success =(

was trying to dismiss review :)

[geekgonecrazy]

@sampaiodiego that was it. Works fine now. 😁

[geekgonecrazy]

@graywolf336 / @sampaiodiego https://pr-6476.rocket.chat/ 😉

[ggazzo]

The "remaining backup" codes didn't appear at the first time after enabling 2fa.

[geekgonecrazy]

Deployment updated: https://pr-6476.rocket.chat/ @ggazzo if you want to try and reproduce :)

[ulope]

The screenshots contain this warning that login on the native mobile apps will not work once 2FA is enabled. Wouldn't it be possible to accept an append the 2FA token to the password as a workaround until the apps get updated?

[graywolf336]

@rodrigok @sampaiodiego how does this work with the rest api?

[k0nsl]

I tried to enable 2FA on my production server and tested it both with Authy and Google Authenticator and neither with success; it just replies back invalid two factor code.

Sorry for the lack of details -- but I don't have anything more substantial than this at the moment.

PS: I am using version 0.55.1.

[geekgonecrazy]

@k0nsl that's no good. I'll give a try and see if I can reproduce

[sampaiodiego]

I have to say I've seen synchronization problems.. @k0nsl have sure both server and apps are synced (same date and hour)..

Maybe we should allow like 1 minute delay

[geekgonecrazy]

This should maybe be a configurable setting? Some servers in business may want to keep the time delay very short. Others may want to allow a little longer grace period

[sampaiodiego]

there you go #6859

[shakalandy]

Should this work whether LDAP authentication is enabled or not? Thanks!

[itzpraveen]

As

…

On Wed, May 3, 2017, 6:05 PM shakalandy ***@***.***> wrote: Should this work whether LDAP authentication is enabled or not? Thanks! — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#6476 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AE0YkcJ4QdffR3krFvxDI1y_0BU2_afVks5r2HR7gaJpZM4MorkB> .

[octanefilms]

Hi @sampaiodiego and @rodrigok,

I am evaluating RC. We have configured RC to our Atlassian Crowd server. This is working fine so far in our testing. I am also seeking to use 2FA which seems to not work for us for unknown reasons.

Steps

1. Deployed RC server (on-premise); server boots appears to work correctly
2. Configured Atlassian Crowd for user account management (username, password); working
3. Configured 2FA via RC admin settings from the RC desktop client (MacOS); appears to work, no errors on save.
4. Configure RC user settings for 2FA; worked and RC validated Google Authenticator 2FA sec string
5. Log out of RC MacOS desktop client.
6. Log into RC MacOS desktop client; no 2FA was required. Only username and password.
7. Log out of RC MacOS desktop client; again.
8. Log into RC web client, MacOS Chrome; no 2FA was required. Only username and password.

Questions

1. What do we need to do to get 2FA working with RC server and RC clients? How do we triage the issue? Is this caused by having RC use Crowd for user management?
2. Can we force all users to use 2FA on their RC clients (desktop and mobile) as 2FA currently seems to be "opt-in"? I saw there were some threads on this request in the RC Github...
3. Is there a method to enable the use of security keys that use the FIDO U2F standard?

Thank you for considering my comment and questions.

[geekgonecrazy]

I bet this is related to using crowd as authentication. Might be skipping 2FA code. Please open an issue with details.

Regarding Fido/U2F we don’t yet. But I personally think that would be amazing to add. Love my u2f key