
2FA Authentication for Garry's Mod


iViscosity:
Seems that didn't fix it... I changed it to #s but I still get the error. It's the same error.


Also, is there a way to restrict the number of characters in the string for the PIN, as I want it to be no more or less than 6.

Bytewave:
Protip, iViscosity: Don't echo the pins to everyone, even if it's a silent echo. Also, you may want to look into hashing the pins before storing them, and you should probably not let other users set pins.

Also, perhaps you should take a look at TOTP-based authentication (a bit more complicated, but doable in Lua if you can find a spec). Then, pins will change automatically on 30-second intervals, and require a second factor (phone, etc.) for authentication.

Here's a TOTP library I found. Might be worth looking into.
Here's a QR code library as well, which would be useful for generating a QR code for the URI given by luaotp. You could have users type their secret in manually, but that's inconvenient. Plus, luaqrcode seems to just output a 2D array with 1s and 0s representing black and white cells, perfect for doing whatever with.

iViscosity:

--- Quote from: Bytewave on October 18, 2016, 03:53:36 PM ---Protip, iViscosity: Don't echo the pins to everyone, even if it's a silent echo. Also, you may want to look into hashing the pins before storing them, and you should probably not let other users set pins.
--- End quote ---

Huh, I thought using fancyLog( { something in here } ... ) would only echo to the "something in here", am I wrong?


--- Quote from: Bytewave on October 18, 2016, 03:53:36 PM ---Also, perhaps you should take a look at TOTP-based authentication (a bit more complicated, but doable in Lua if you can find a spec). Then, pins will change automatically on 30-second intervals, and require a second factor (phone, etc) for authentication.
Here's a TOTP library I found. Might be worth looking into.
Here's a QR code library as well, which would be useful for generating a QR code for the URI given by luaotp. You could have users type their secret in manually, but that's inconvenient. Plus, luaqrcode seems to just output a 2D array with 1s and 0s representing black and white cells, perfect for doing whatever with.

--- End quote ---
I thought about this, but I've no idea where I could store it. On a related note, if it were to store/change, where could those users access it?

Bytewave:

--- Quote from: iViscosity on October 18, 2016, 04:03:47 PM ---Huh, I thought using fancyLog( { something in here } ... ) would only echo to the "something in here", am I wrong?

--- End quote ---
Well, if anything, it stores it in the serverside logs, so those could be pulled by someone attacking the server. But if your server gets hacked that badly, you have bigger problems. So I suppose it's less of an issue.


--- Quote from: iViscosity on October 18, 2016, 04:03:47 PM ---I thought about this, but I've no idea where I could store it. On a related note, if it were to store/change, where could those users access it?

--- End quote ---
Store the secret in plaintext, like in pdata. The QR code needs to only be shown once, then never again once you verify the TOTP app was set up properly.
You should never need to change the TOTP secret unless an account is compromised, in which case you should probably have a re-generate button or command of some sort available for other admins to run.

My suggestion for the TOTP flow:

* Staff member joins server
* If no TOTP secret in database, generate one and show a popup with a QR code and a code box, preferably with some instructions on how to set up TOTP with an app
* If TOTP key, show a simple code box
* Once code is verified, add user to staff rank
Again, if an account is compromised, you could have a command to invalidate (unset) the TOTP secret in your database, which causes the user to go through the first time setup again.

iViscosity:
Sounds interesting enough... I could try and give it a shot.

I have a couple of questions, though. If it shows a QR code and say they scan it with their phone, how would they be able to access it? Say if they used Google Authenticator, how can I set up a system with gmod to have the key match the key in that app to work? I'm pretty sure I can't set PData of a Steam ID (could be wrong) but even if I could, I'd need to set the PData to the same key as in the Authenticator, correct? If that's the case, my other question stands: how can I get them to match?
