RT 4.4.3 web login with MFA

Hi All

Are there any plugins or extensions that would make it possible to use google authenticator app or similar mechanism as part of the Web UI login process?

I am not talking about SSO via google, just use of a MFA

We protect our RT instance using SAML2 using mod_shib on the SP (RT server) and simpleSAMLphp on the IdP end, with Duo MFA included as part of the IdP config. That works OK, and a bit of hacking on the Duo module for simpleSAMLphp lets us decide when to enforce MFA (eg always for admins, don’t bother on some trusted networks, etc).

Probably a bit more heavy duty than you’re after, but then we already have the IdP infrastructure in place for hundreds of other services beyond RT. But the basic principle might be useful: don’t look for MFA modules for RT but modules for your web server.

My use cases is that I want to stand-up RT for a not-for-profit staffed by volunteers. They will need to access the system remotely via the web interface and a 2FA/MFA such as the google authenticator app would be perfect to prevent credential theft and abuse.

The organization does not have any infrastructure to speak of, so the simpler the solution is the better.

I am unsurprised if a little disappointed to see that we do not have such a plugin, while the are available for both Drupal and Wordpress.

I suspect I will need to have a look at the code and see if we can hack something in easily enough, or if it will be an ongoing pain to support.

Rather than recreating the wheel (which often isn’t a good idea for a lone installation where security is involved) have you looked for web server modules to do the MFA for you with Google Authenticator? For example this project for Google authenticator might be of interest if that’s what you’re using as a web server. RT doesn’t need to be involved with the MFA if the webserver can do all the authentication stuff for you.

I do not agree with the notion that the token based authentication belongs in the web server, while the user authentication is done in the application and is done separately. Second factor is an attribute of the application user, not of the web server user. After all you need to verify the username, password and second factor at the same time.

Second factor must be tied to a user, and the secret seed for that needs to be held somewhere. If it is not held in the application database, in a way that lets you tie it to a user, then where do you propose it be held?

There are CPAN modules that implement the google TOTP checks, and google has tools to generate the QR codes, etc. so I think I will give it bash and see what I can make work .

In your LDAP directory, where you can then use it for multiple applications, rather than tying yourself to one application specific database. But you do as you see fit - don’t let me stop you! Have fun!

I do not have an LDAP. That is the whole point! I need RT to be self contained .

This most likely isn’t the solution but if everyone is using Gmail emails to auth into RT maybe you could use OAUTH2 through Gmail and have all the privileged users enable two factor auth for their Gmail accounts?

OAUTH2 to Google would be an SSO type solution - which is a good solution if everyone involved had Gmail accounts. Sadly, they do not.

We have enough trouble with getting people to accept longer 10 or 12 character passwords… let alone getting a group of non-technical background voulnteers to create extra Gmail accounts with 2FA.

Google authentication phone app that provides access to Google time based OTP (TOTP) implementation and service is not dependent on you having a Google or Gmail account. In fact you can use it for any number of sites that support 2FA… like, PayPal for example… or admin login to some of the WordPress and Drupal based sites I support.

I was hoping someone had solved this problem before, but it looks like its not been done … :frowning:

In the short term I will probably set very aggressive fail2ban policies on failed RT web logins and go with that, while we work out how to do this TOTP thing, and if it is even possible or worth the effort.