Jonathan Druart
6eeb9bc1b3
This patchset introduces the Two-factor authentication (2FA) idea in Koha. It is far for complete, and only implement one way of doing it, but at least it's a first step. The idea here is to offer the librarian user the ability to enable/disable 2FA when logging in to Koha. It will use time-based, one-time passwords (TOTP) as the second factor, an application to handle that will be required. https://en.wikipedia.org/wiki/Time-based_One-Time_Password More developements are possible on top of this: * Send a notice (sms or email) with the code * Force 2FA for librarians * Implementation for OPAC * WebAuthn, FIDO2, etc. - https://fidoalliance.org/category/intro-fido/ Test plan: 0. a. % apt install -y libauth-googleauth-perl && updatedatabase && restart_all b. To test this you will need an app to generate the TOTP token, you can use FreeOTP that is open source and easy to use. 1. Turn on TwoFactorAuthentication 2. Go to your account, click 'More' > 'Manage Two-Factor authentication' 3. Click Enable, scan the QR code with the app, insert the pin code and register 4. Your account now requires 2FA to login! 5. Notice that you can browse until you logout 6. Logout 7. Enter the credential and the pincode provided by the app 8. Logout 9. Enter the credential, no pincode 10. Confirm that you are stuck on the second auth form (ie. you cannot access other Koha pages) 11. Click logout => First login form 12. Enter the credential and the pincode provided by the app Sponsored-by: Orex Digital Signed-off-by: David Nind <david@davidnind.com> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Fridolin Somers <fridolin.somers@biblibre.com> |
||
---|---|---|
.. | ||
00-onboarding.t | ||
01-installation.t | ||
administration_tasks.t | ||
authentication.t | ||
authentication_2fa.t | ||
basic_workflow.t | ||
patrons_search.t | ||
regressions.t | ||
remove_from_cart.t | ||
self_registration.t | ||
update_child_to_adult.t |