Question

I am looking to implement Google Authenticator into a CakePHP application. The trick is that a user can determine whether or not they want to use it. This means that if a user is using the multi-part login, they will log in normally with their username and password. Once they have successfully submitted their correct username / password combination, they need to be redirected to the page that asks for their passcode from Google Authenticator.

How do you limit the Authentication success until AFTER they enter the passcode? I can do the redirect and everything just fine, but if they exit the passcode form and go to the site, they have already authenticated using their username / password and they can navigate through the site just fine.

I need some direction on how to shut down authentication until AFTER the passcode confirmation is successful. Any ideas?


Solution

I noticed this question is pretty old and unanswered, I also work on something similar so I'll share my two cents. Hope you've already solved this problem by now.

Your user management system should provide a session key only after the entire login process was fulfilled, this means that you should let users in only after they provide all auth data through all steps.

  1. receive user and password
  2. check credentials and authentication options
  3. if credentials are ok and no Google Auth enabled, give him session key, else retry
  4. if credentials are ok and Google Auth enabled, pass $_POST['user'] to challenge form
  5. if TOTP password matches server-side check, return session key, else retry

    $_POST[] ----> loginCheck() ----> if(GAuth) ----> checkTotp() ----> sessionKey
                                          |                                 |
                                          *---------------------------------*

loginCheck() should check if user and passwords are ok, otherwise deny access

if(GAuth) should return true or false, depending if your user uses GAuth

checkTotp should be a method to check TOTP password on client and server

sessionKey should be the token used to access protected content, stored server-side and client-side for a period of time

Or adapt this idea to your needs ... in my opinion you should accept the user in the system when he passes all authentication trials.

You could make a user form that holds user/password and passcode and process all data at once and avoid two pages.

Read more about https://tools.ietf.org/html/rfc6238
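The flow sketched above, written out as an added example (not code from the question, the answer, or CakePHP): the password step hands back only a one-time challenge id, and a session key is created solely after the RFC 6238 check passes. The user records, secrets and the plain SHA-256 password hash are constructed for the example; a real application would use a proper password hashing function and persist the tables server-side.

```python
import base64, hashlib, hmac, secrets, struct, time

# Constructed example users; totp_secret is the base32 string an authenticator app enrolls with.
USERS = {
    "alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(), "totp_secret": "JBSWY3DPEHPK3PXP"},
    "bob":   {"pw_hash": hashlib.sha256(b"hunter2").hexdigest(), "totp_secret": None},
}
PENDING = {}   # challenge id -> user; proves step 1 passed, grants NO access
SESSIONS = {}  # session key -> user; created only once every step has succeeded

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_totp(secret_b32, code, at=None, window=1):
    """Server-side check, tolerating +/- `window` 30-second steps of clock drift."""
    at = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret_b32, at + i * 30), code)
               for i in range(-window, window + 1))

def login_check(user, password):
    """Steps 1-4: ('denied', None), ('session', key) or ('challenge', id)."""
    rec = USERS.get(user)
    given = hashlib.sha256(password.encode()).hexdigest()
    if rec is None or not hmac.compare_digest(rec["pw_hash"], given):
        return ("denied", None)
    if rec["totp_secret"] is None:            # no GAuth enrolled: session right away
        key = secrets.token_hex(32)
        SESSIONS[key] = user
        return ("session", key)
    cid = secrets.token_hex(16)               # GAuth enrolled: challenge, not a session
    PENDING[cid] = user
    return ("challenge", cid)

def check_totp_step(cid, code, at=None):
    """Step 5: the challenge is single-use; a wrong code restarts the whole login."""
    user = PENDING.pop(cid, None)
    if user is None or not check_totp(USERS[user]["totp_secret"], code, at):
        return ("denied", None)
    key = secrets.token_hex(32)
    SESSIONS[key] = user
    return ("session", key)

def is_authenticated(token):
    """Only real session keys pass; a leftover challenge id never does."""
    return token in SESSIONS
```

Because the challenge id is not in SESSIONS, a user who abandons the passcode form holds nothing that unlocks protected pages.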

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow