Feature #12900

closed

Two-factor authentication

Added by Boone Gorges almost 4 years ago. Updated over 3 years ago.

Status: Resolved
Priority name: Normal
Assignee:
Category name: Security
Target version:
Start date: 2020-06-05
Due date:
% Done: 0%
Estimated time:
Deployment actions:

Description

Two-factor authentication makes logins more secure by ensuring that a stolen password is insufficient for account access. We should explore implementing it on the Commons.

2FA usually takes one of the following forms:
1. A dedicated 2FA physical token device
2. A 2FA smartphone app (Google Authenticator, Duo, etc.)
3. SMS

These are ordered from most-secure to least-secure. 2 is probably a good compromise between ease-of-use and security, and there are ready-made tools for it. See, e.g., https://wordpress.org/plugins/two-factor/, which is built by a number of noted security folks in the WordPress sphere.

Some considerations:
- We'd likely want to make 2FA optional but recommended.
- Introducing 2FA is likely to increase support requests somewhat, especially if users lose access to their 2FA device. Before launch, we should have protocols and support boilerplate in place for resets.
- We'd need integration into registration as well as user settings. The existing plugins do this in the WP dashboard, but we may want to move it into the front-end to integrate with existing registration and password-reset tools.
- We'll need Help documentation.

Do others have thoughts about this project before we move forward with some technical discovery?

Ray, I'm tentatively assigning you to take the lead on implementation, though I'm happy to work together on it.


Files

bp-2fa.png (25 KB), Raymond Hoh, 2020-09-01 11:51 PM
bp-2fa-2.png (36.9 KB), Raymond Hoh, 2020-10-30 02:54 PM
bp-2fa-security-keys.gif (92.9 KB), Raymond Hoh, 2020-10-30 02:54 PM
Screen Shot 2020-11-03 at 9.15.07 AM.png (86.5 KB): Interface once a key has been added under My Settings. Jeremy Felt, 2020-11-03 12:24 PM
Screen Shot 2020-11-03 at 9.17.11 AM.png (229 KB): Message on wp-login.php that did not appear to receive the key's signal. Jeremy Felt, 2020-11-03 12:24 PM
Screen Shot 2020-11-03 at 9.23.04 AM.png (279 KB): Console errors on wp-login (that may not be related). Jeremy Felt, 2020-11-03 12:24 PM
enabled-primary-behavior.mov (8.85 MB), Colin McDonald, 2020-11-24 12:24 PM