zydronium/enigma-bbs
1
0
Fork 0
mirror of https://github.com/NuSkooler/enigma-bbs.git synced 2025-07-30 22:46:17 +02:00
Code Issues Projects Releases Packages Wiki Activity

Doc updates & minor code cleanup

Browse source
This commit is contained in:
Bryan Ashby 2019-06-15 17:19:42 -06:00
parent f02434bc23
commit b5a3c030ab
No known key found for this signature in database
GPG key ID: B49EB437951D2542
3 changed files with 42 additions and 26 deletions
Download patch file Download diff file Expand all files Collapse all files

16
docs/configuration/security.md
View file

@ -18,21 +18,23 @@ Enabling Two-Factor Authentication via One-Time-Password (2FA/OTP) on an account
:information_source: For WebSockets and the web server, ENiGMA½ _may_ listen on insecure channels if behind a secure web proxy.
### User Registration Flow
Due to the nature of 2FA/OTP, even if enabled on your system, users must opt-in and enable this feature on their account. Users must also have a valid email address such that a registration link can be sent to them. To opt-in, a process similar to the following is taken:
Due to the nature of 2FA/OTP, even if enabled on your system, users must opt-in and enable this feature on their account. Users must also have a valid email address such that a registration link can be sent to them. To opt-in, users must enable the option, which will cause the system to email them a registration link. Following the link provides the following:
1. Navigate to the 2FA/OTP configuration menu and switches the feature to enabled.
2. Selects the "flavor" of 2FA/OTP: Google Authenticator, TOTP, or HOTP.
3. Confirms settings by saving.
After saving, a registration link will be mailed to the user. Clicking the link provides the following:
1. A secret for manual entry into a OTP device.
2. If applicable, a scannable QR code for easy device entry (e.g. Google Authenticator)
3. A confirmation prompt in which the user must enter a OTP code. If entered correctly, this validates everything is set up properly and 2FA/OTP will be enabled for the account. Future logins will now prompt the user for their OTP after they enter their standard password.
3. A confirmation prompt in which the user must enter a OTP code. If entered correctly, this validates everything is set up properly and 2FA/OTP will be enabled for the account. Backup codes will also be provided at this time. Future logins will now prompt the user for their OTP after they enter their standard password.
:warning: Serving 2FA/OTP registration links over insecure (HTTP) can expose secrets intended for the user and is **highly** discouraged!
:information_source: +ops can also manually enable or disable 2FA/OTP for a user using [oputil](/docs/admin/oputil.md), but this is generally discouraged.
#### Recovery
In the situation that a user loses their 2FA/OTP device (such as a lost phone with Google Auth), there are some options:
* Utilize one of their backup codes.
* Contact the SysOp.
:warning: There is no way for a user to disable 2FA/OTP without first fully logging in! This is by design as a security measure.
### ACS Checks
Various places throughout the system that implement [ACS](/docs/configuration/acs.md) can make 2FA specific checks:
* `AR#`: Current users **required** authentication factor. `AR2` for example means 2FA/OTP is required for this user.