Two-Factor authentication (TOTP) #3712
closes #352
closes #1547
closes #1270
I'm not a maintainer nor a reviewer so I'm not sure this is the best place to ask this, but would it be possible to display the "textual" code below the QR code? This is useful when you can't scan the QR code, for example when your TOTP application is directly on your computer. (Edit: typo)

Do we know if we are going to see this merged in the near future? This would be a great feature to see deployed, as more and more security requirements ask for 2FA on auth providers.

@sambonbonne good addition, thanks!

@nabokihms Is there a way to fund the work in this PR?

Nice feature to have indeed. Have you considered supporting slapo-otp(5) when you started the project?

Hi, is TOTP still planned for this year? My team would like to use this amazing feature with local connectors. 🙏 A small update: I've taken a look at the PR and noticed that

Would love to see this one merged as we are planning to integrate Dex in NetBird.

Super cool feature right here. Any chances of merging? Thanks!

For all waiting for the feature: we are working now on the proposal, which will make this PR mergeable in the future. You can see the progress here: #4560
sagikazarmark left a comment:
I had some comments, but it probably needs a closer look to see if they are valid, hence just comments.
<p>Enter the code from your authenticator app.</p>
<p class="theme-heading">{{ .Issuer }}</p>
{{ end }}
<form method="post" action="{{ .PostURL }}">
I know we don't do that in other places, but this is a security sensitive form that would probably benefit from CSRF.
There is a kind of CSRF protection using HMAC. It's generated server-side with a secret key and validated on submission, so a forged request from an external origin would fail verification. Same principle as a synchronizer token, just delivered via the URL rather than a hidden form field.
We use it all over critical forms. I can open an issue to add a different CSRF mechanism, but not in the scope of this PR.
Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
No API to recover MFA and no recovery codes for now, but I still think it is ok to be merged now. We will add the API later.
Overview
This pull request implements multi-factor authentication (MFA) support in Dex with an extensible architecture designed for future authenticator types (WebAuthn, etc.).
MFA secrets are stored in UserIdentity objects. Authenticators are defined globally and referenced by clients via mfaChain. A server-wide defaultMFAChain applies to clients without explicit configuration. Authenticators can be scoped to specific connector types (e.g., LDAP, local) to avoid redundancy with providers that have built-in MFA.

Upon first login, users enroll by scanning a QR code; subsequent logins require a TOTP code. The feature requires the DEX_SESSIONS_ENABLED=true feature flag.

Example configuration:

Per-client override:
What this PR does / why we need it
Enhancing Dex with 2FA adds an additional layer of security, making unauthorized access significantly more difficult. This is particularly valuable for connectors like LDAP and local connectors that do not inherently support 2FA. By implementing 2FA, we align Dex with industry best practices for identity management, meet higher security compliance requirements, and ensure better protection for user data, thereby building greater trust with our users.
Special notes for your reviewer
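The enrollment and verification flow the overview describes (QR-code enrollment, then a TOTP code on later logins), as an added stand-alone example that is not Dex's code from this PR. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits); the names hotp, TOTPAt, VerifyTOTP and EnrollmentURI are my own, and the otpauth URI it builds carries the base32 secret that the first comment asks to show next to the QR code.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"time"
)

// Assumed parameters: RFC 6238 defaults (30 s step, 6 digits, HMAC-SHA1).
const totpStep, totpDigits = 30, 6

// hotp computes an RFC 4226 HOTP value for one counter value.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation (RFC 4226 §5.3)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", totpDigits, code%1000000) // 10^totpDigits
}

// TOTPAt returns the code for a Unix timestamp (useful against RFC 6238 test vectors).
func TOTPAt(secret []byte, unix int64) string { return hotp(secret, uint64(unix)/totpStep) }

// VerifyTOTP accepts the code for the current step or one step either side (clock skew),
// comparing in constant time. The caller must still refuse a code already used in that step.
func VerifyTOTP(secret []byte, code string, now time.Time) bool {
	step := uint64(now.Unix()) / totpStep
	for _, c := range []uint64{step - 1, step, step + 1} {
		if subtle.ConstantTimeCompare([]byte(hotp(secret, c)), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

// EnrollmentURI builds the otpauth URI that the QR code encodes; the base32 secret
// inside it is the "textual" code a user can type when scanning is not possible.
func EnrollmentURI(issuer, account string, secret []byte) string {
	b32 := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
	return fmt.Sprintf("otpauth://totp/%s:%s?secret=%s&issuer=%s&digits=%d&period=%d",
		url.PathEscape(issuer), url.PathEscape(account), b32, url.QueryEscape(issuer), totpDigits, totpStep)
}
```

The secret must be generated from crypto/rand and stored server-side (in the UserIdentity object in this PR's design); the URI should be shown once at enrollment and never logged.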