[Plugin: Google Authenticator] Good start, but these features would make it great

And – another thing ?? when a users activates the authenticator feature, then I think it’s really important to do an authenticate challenge and only enable it if they can enter a valid authenticator code!

Hi
Regarding #3
That’s a big no, then my plugin would in effect be a 1 factor authentication plugin.
But what about Google and Dropbox ? That’s the way they do it.
That’s right, but if you loose your 2. factor authentication for Google or Dropbox you’re helpless against a big company that doesn’t normally provide end-user support on the product you just lost access to, they MUST provide some way for users to get out of trouble on their own.

As a WordPress users using my plugin you allways have the option to delete the plugin via a shell or FTP, or even create a support ticket at your hosting provider, and have your hosting provider delete the plugin.
Or you could create a screenshot of the QR code or even write down the secret and transfer it to another phone.

Regarding #4 : On my todo list, great idea ??

Regarding #1 & #2 : Still thinking.

Best regards
Henrik Schack

Henrik, thanks for replying.

In terms of #3, I agree, it results in an underlying single factor auth for everyone, which is far from ideal.

But equally the current procedure for handling lost phone or un-installed authenticator app, drastically limits the audience for the plugin. Most of the people for whom I develop plugins are web designers or “advanced end-users” 90% of which wouldn’t be comfortable messing with this kind of workaround procedure.

How about, a compromise. When the user has lost their phone we’re going to HAVE TO rely on their password. We could use their email as a second factor, by hooking into the password reset workflow… eg:

When a user who is an “authenticator enabled” user does a password reset, then:

(a) add another link in the reset email that goes out, that they can use to disable their ‘authenticator-ness’.

You can do this by adding another parameter to the same url which already goes out in that email [ retrieve_password() in wp-login.php uses the following to generate the reset url: network_site_url(“wp-login.php?action=rp&key=$key&login=” . rawurlencode($user_login), ‘login’) ]. you could add something like &gauthdisable=1 to the end to indicate the google authenticator flag disable instruction.

then in you could…

(b) catch that extra parameter in action ‘login_form_rp’. replicate the checks that wp-login.php does for case ‘rp’: such as check_password_reset_key() and if it passes, then disable the 2FA. You’d have to also blank user_activation_key for that user in the database too, so that the same link can’t be used again [see wp_set_password() in pluggable.php]

So in summary, if user’s lost their phone, they just need to do a password reset, and click the link in the email that says ‘Disable your Google Authenticator setting’. They can then log in using 1FA (which is the only factor they’ve got left).

Thoughts?

kind regards

Dave Amphlett

forgot to say, the email contents can be tweaked by hooking into the filter ‘retrieve_password_message’

Wouldn’t this make it somewhat easy to gain access if you already have hacked the persons mail account ?

I would assume that if a person has lost his phone he is going to get a new one where he can setup the Google Authenticator again.

Or he could use this Chrome extension to generate a code assuming he has a copy of the secret : https://chrome.google.com/webstore/detail/ilgcnhelpchnceeipipijaljkblbcobl?utm_source=chrome-ntp-icon

Best regards
Henrik Schack

Hi,

I like davelopware’s point on “authenticate challenge and only enable it if they can enter a valid authenticator code”.

On point “#3. Generate, for each user, a 16 character ‘backup’ code…” I have to vote for not having this feature.

It breaks the security model and recovery should direct to Google rather than circumvent whatever Google has set.

I think that having a backup code (as an option, not as a requirement) would be a good idea — yes, I can edit the database and regain access to a lost account but that’s still a bit of a hassle. Not everyone wants to (or feels comfortable with) directly accessing the database and figuring out what to do.

Since the “app password” feature is already an option, how would this be any different than simply adding another password?

I’d like to chime in with a vote for idea #1 as well. I have a client who uses your plugin (and it works well, thanks!), but I hate having to enter the Google Authenticator code very time I log in from my home computer. It’s definitely tedious. If you can find a way to have the app remember specific computers (just as Google allows), that would be really great.

Another strong vote for idea # 1, and a half-a-vote for idea # 2.

Regarding idea # 2, I compare this to a forced password-reset feature. Give me, as the Admin, a way to “force” the users to cooperate with my security efforts would be great. But if I have to, I can live without this feature. (Hence, the 1/2-vote.)

Regarding idea # 1, my home-office PC already has “several-factor authentication.” The bad guys need to get past (1) my deadbolted door, (2) my vicious dog, (3) me, and (4) my brothers — Mr. Smith and Mr. Wesson. ??

But seriously … having to enter the authentication from a “known secure” location is a bit of a pain. As long as I can turn it on and off easily per PC (using the “remember me” tick box), I’m fine with this idea being implemented. (Again, I could live without it, but I’d really like to have it.)

Thanks for all your great work!