• Thanks for producing this plugin.

    I hope you don’t mind me saying, that I believe the following 3 features would make this good plugin near perfect:

    #1. Remember user has logged in successfully from a machine for 30 days if the ‘remember me’ on the login screen is ticked. In that case, require that they still enter the password, but don’t require them to enter the authenticator code. On a public terminal user doesn’t tick remember me, on their home machine they tick remember me and for 30 days they don’t have to enter the authenticator code. Settings page for system-wide enable/disable of this feature, and enable setting the number of days the cookie should last for. It might also be nice to give different machines different cookie values for a given user. Could then have the option to list the machines in the user profile page and have the ability to ‘revoke’ the remember for a specific machine.

    #2. Settings page that allows system wide ‘force’ users to enable this on next login. Could enable/disable this on a per role basis, so for example you could have admins, authors etc forced to have it but subscribers allowed to make their own choice.

    #3. Generate, for each user, a 16 character ‘backup’ code which, when can be used in place of the authenticator code during login, and emphasis the idea that this should be written down and stored in a safe place. Give you ultimate recovery should you have a problem with your phone.

    At the moment, although I love this plugin and have it installed on sites for which I am the exclusive user, it is ‘becoming tedious’ very quickly. Suggestion #1 alone would make it much more useable if, for example, it only checked the code every 10th day or so.

    Thoughts – comments – suggestions appreciated.

    And thanks again for your efforts

    https://www.ads-software.com/extend/plugins/google-authenticator/

Viewing 9 replies - 1 through 9 (of 9 total)
  • Thread Starter davelopware

    (@davelopware)

    And – another thing ?? when a users activates the authenticator feature, then I think it’s really important to do an authenticate challenge and only enable it if they can enter a valid authenticator code!

    Hi
    Regarding #3
    That’s a big no, then my plugin would in effect be a 1 factor authentication plugin.
    But what about Google and Dropbox ? That’s the way they do it.
    That’s right, but if you loose your 2. factor authentication for Google or Dropbox you’re helpless against a big company that doesn’t normally provide end-user support on the product you just lost access to, they MUST provide some way for users to get out of trouble on their own.

    As a WordPress users using my plugin you allways have the option to delete the plugin via a shell or FTP, or even create a support ticket at your hosting provider, and have your hosting provider delete the plugin.
    Or you could create a screenshot of the QR code or even write down the secret and transfer it to another phone.

    Regarding #4 : On my todo list, great idea ??

    Regarding #1 & #2 : Still thinking.

    Best regards
    Henrik Schack

    Thread Starter davelopware

    (@davelopware)

    Henrik, thanks for replying.

    In terms of #3, I agree, it results in an underlying single factor auth for everyone, which is far from ideal.

    But equally the current procedure for handling lost phone or un-installed authenticator app, drastically limits the audience for the plugin. Most of the people for whom I develop plugins are web designers or “advanced end-users” 90% of which wouldn’t be comfortable messing with this kind of workaround procedure.

    How about, a compromise. When the user has lost their phone we’re going to HAVE TO rely on their password. We could use their email as a second factor, by hooking into the password reset workflow… eg:

    When a user who is an “authenticator enabled” user does a password reset, then:

    (a) add another link in the reset email that goes out, that they can use to disable their ‘authenticator-ness’.

    You can do this by adding another parameter to the same url which already goes out in that email [ retrieve_password() in wp-login.php uses the following to generate the reset url: network_site_url(“wp-login.php?action=rp&key=$key&login=” . rawurlencode($user_login), ‘login’) ]. you could add something like &gauthdisable=1 to the end to indicate the google authenticator flag disable instruction.

    then in you could…

    (b) catch that extra parameter in action ‘login_form_rp’. replicate the checks that wp-login.php does for case ‘rp’: such as check_password_reset_key() and if it passes, then disable the 2FA. You’d have to also blank user_activation_key for that user in the database too, so that the same link can’t be used again [see wp_set_password() in pluggable.php]

    So in summary, if user’s lost their phone, they just need to do a password reset, and click the link in the email that says ‘Disable your Google Authenticator setting’. They can then log in using 1FA (which is the only factor they’ve got left).

    Thoughts?

    kind regards

    Dave Amphlett

    Thread Starter davelopware

    (@davelopware)

    forgot to say, the email contents can be tweaked by hooking into the filter ‘retrieve_password_message’

    Wouldn’t this make it somewhat easy to gain access if you already have hacked the persons mail account ?

    I would assume that if a person has lost his phone he is going to get a new one where he can setup the Google Authenticator again.

    Or he could use this Chrome extension to generate a code assuming he has a copy of the secret : https://chrome.google.com/webstore/detail/ilgcnhelpchnceeipipijaljkblbcobl?utm_source=chrome-ntp-icon

    Best regards
    Henrik Schack

    Hi,

    I like davelopware’s point on “authenticate challenge and only enable it if they can enter a valid authenticator code”.

    On point “#3. Generate, for each user, a 16 character ‘backup’ code…” I have to vote for not having this feature.

    It breaks the security model and recovery should direct to Google rather than circumvent whatever Google has set.

    I think that having a backup code (as an option, not as a requirement) would be a good idea — yes, I can edit the database and regain access to a lost account but that’s still a bit of a hassle. Not everyone wants to (or feels comfortable with) directly accessing the database and figuring out what to do.

    Since the “app password” feature is already an option, how would this be any different than simply adding another password?

    I’d like to chime in with a vote for idea #1 as well. I have a client who uses your plugin (and it works well, thanks!), but I hate having to enter the Google Authenticator code very time I log in from my home computer. It’s definitely tedious. If you can find a way to have the app remember specific computers (just as Google allows), that would be really great.

    Another strong vote for idea # 1, and a half-a-vote for idea # 2.

    Regarding idea # 2, I compare this to a forced password-reset feature. Give me, as the Admin, a way to “force” the users to cooperate with my security efforts would be great. But if I have to, I can live without this feature. (Hence, the 1/2-vote.)

    Regarding idea # 1, my home-office PC already has “several-factor authentication.” The bad guys need to get past (1) my deadbolted door, (2) my vicious dog, (3) me, and (4) my brothers — Mr. Smith and Mr. Wesson. ??

    But seriously … having to enter the authentication from a “known secure” location is a bit of a pain. As long as I can turn it on and off easily per PC (using the “remember me” tick box), I’m fine with this idea being implemented. (Again, I could live without it, but I’d really like to have it.)

    Thanks for all your great work!

Viewing 9 replies - 1 through 9 (of 9 total)
  • The topic ‘[Plugin: Google Authenticator] Good start, but these features would make it great’ is closed to new replies.