Two-Factor authentication in ID Dashboard

One of the ideas I have been tossing around is two-factor authentication within OpenMRS ID.

I want to start a dialogue to see if people would support this. I would implement this within OpenMRS ID.

Would that be a feature that everybody would like? Is it a wasted effort? Would this make a good Google Summer of Code Project that I could mentor?

Opinions?

That sounds great! The two-factor implementations I like are the ones that give you multiple choices, such as using Google Authenticator, YubiKey, SMS, etc… I think this gives the greatest chance that people will actually use it. Although I would start with one implementation and work from there to start out.

1 Like

There has to be a node library that exists that works with all of them universally…

Keep in mind our user base often does not have access to USA SMS capability, smartphones, or hardware tokens. My guess is that this will not be used very widely.

2 Likes

Even if it’s used by a few users…it’s a feature that is good from a security standpoint…I have this sneaky feeling that it’s probably not difficult to implement…

http://passportjs.org/ is a general-purpose authentication library that I think would work great in the dashboard. (@plypy and I are already using it for the profile data API) There are two-factor plugins for it. Passport would also simplify the ability for us to allow OAuth sign ins from Github, Google, Facebook.

OpenMRS ID must sync with LDAP to allow Confluence, JIRA, and other Atlassian apps to integrate. Unfortunately, as far as I know OpenLDAP has no way to do two-factor authentication in a way that wouldn’t interfere with applications that expect a traditional single-factor login.

Acknowledging that, what would you think about implementing two-factor and using it only in places where the ID Dashboard can control authentication (OpenMRS ID account settings, Modulus, Talk, etc.)?

1 Like

Hi, @r0bby. I’m the one that participated in GSoC 2014 and built the Dashboard 2.0 with @elliott.

First, all features come with needs; we currently don’t store any information that needs strong security protection.

And like Elliott said, the Dashboard is only a bridge to connect our Crowd-based services, like Jira, Confluence, etc., with other services, like Talk. The Crowd-based services will perform authentication based on OpenLDAP, which holds a copy of the users’ data. This procedure is rather independent of the Dashboard, and you need to explore Crowd besides the node.

The most important thing is, we need a stable SMS service that could send messages globally. I’m Chinese; from my personal experience, sometimes even SMS from big companies like Google or GitHub will lose their way.

Moreover, I think, this single feature definitely won’t fit a 10+ weeks project.

Does anyone know any good providers?

What about Twilio?

1 Like

I don’t have any direct experience with Twilio but they are respected and do have quite a few countries for receiving SMS.

It is super easy to use… I’d be willing to implement such a feature; I’ve been dying to use it.

2 Likes

As long as we also support OTPs from Authy, Google Authenticator, Yubikey, etc. I agree that SMS over Twilio would be fun to implement :slight_smile: The software-based OTP factors would also be a way to authenticate in countries without strong SMS support.

It’s clearly not the same topic, but I’m getting it in here in case someone else is interested.

Talking about authenticators, one thing that would help me a lot would be being able to interact with Modulus using Bamboo:

The REST API is very well defined, but I cannot make an automatic request. Having a bot account would allow me to configure release builds to upload releases to Modulus.

This would be the earliest project implemented then :smiley:

Nonsense! That should be easy enough – though I may be stacking my todo list a bit high

The current process is releasing to Maven from Bamboo (clicking a button on CI), downloading the file, renaming it, logging in to Modulus and uploading it there. I want all this to be automatic from CI for existing modules (new ones would need more info). It would be another deployment from Bamboo.

I’m used to calling REST APIs with curl from CI, so I want that feature really bad.

Is there a ‘devops-ing’ badge yet? :wink:

1 Like

Yeah there should be a way…where you pass the omod as a Base64 encoded string…

The URL, I’d say. The omod is already in nexus, it’s public. Actually, any URL without auth should do it.

It was a long time ago, but I think I actually saw the REST endpoint which would receive it, and there was a way of passing the URL of the file. Maybe I’m just dreaming :stuck_out_tongue:

I’m sure it’s easy to implement :slight_smile: