Enable optional two-factor authentication for OTRS
Open, Stalled, Normal, Public

Description

Once OTRS 5 is deployed (T74109), we should consider enabling optional two-factor authentication for OTRS agents (2FA, see the release notes for OTRS 5 Beta 2, What’s New, section 3). It does not seem to be difficult to enable it, and it would allow agents who are familiar with 2FA to increase the security of their accounts.

The background for this request is that the WMF Security Team will be working on two-factor authentication for Wikimedia projects in the next quarter (cf. their schedule on meta). OTRS access should be protected with reasonable security mechanisms too.

Ireas created this task. Dec 22 2015, 5:14 PM
Ireas updated the task description.
Ireas raised the priority of this task from to Needs Triage.
Ireas added a project: OTRS.
Ireas added a subscriber: Ireas.
Restricted Application added subscribers: StudiesWorld, Matthewrbowker, Rjd0060 and 2 others. Dec 22 2015, 5:14 PM
Krenair added a subscriber: Krenair.

> In my opinion, access to OTRS is even more sensitive than access to MediaWiki accounts.

Uhh... That depends on which MediaWiki accounts.

Ireas updated the task description. Dec 22 2015, 5:31 PM
Ireas set Security to None.
Ireas added a comment. Dec 22 2015, 5:34 PM

>> In my opinion, access to OTRS is even more sensitive than access to MediaWiki accounts.

> Uhh... That depends on which MediaWiki accounts.

You are right. I was only considering the private information available to most users / agents. I removed that sentence from the task description.

Steinsplitter moved this task from Incoming to Backlog on the OTRS board. Jan 20 2016, 5:19 PM
Restricted Application added a subscriber: TerraCodes. Nov 12 2016, 5:11 PM
Thibaut120094 triaged this task as High priority. Nov 12 2016, 5:11 PM
revi added a subscriber: revi. Nov 12 2016, 5:11 PM
FDMS added a subscriber: FDMS. Nov 12 2016, 5:13 PM
Scoopfinder added a subscriber: Scoopfinder.

Note: 2FA is now available for admin on wikimedia wikis and on OTRS Wiki. Likely this should be priority as well.

DatGuy added a subscriber: DatGuy. Nov 13 2016, 12:17 PM
DC added a subscriber: DC. Jan 20 2018, 2:22 PM
Scoopfinder awarded a token.
Scoopfinder added a comment. (Edited) Feb 19 2018, 1:08 PM

Is there a way to push this ticket? OTRS contains very sensitive information (especially in oversighter queues) and security should be a priority.

Last week, someone tried to access my account using password reset on my email account + OTRS account...

> Is there a way to push this ticket? OTRS contains very sensitive information (especially in oversighter queues) and security should be a priority.

You just did. I've enabled Frontend::Agent::Auth::TwoFactor::AuthTwoFactorModule. The only valid value is GoogleAuthenticator and only the time-based part (TOTP, see RFC 6238). It's set as optional so users that don't want to enable it right now are not forced to, but it is possible to do so. The login page has changed already a bit and allows entering that.

Now enabling 2FA for one's account is a bit weird. Unlike the usual services where a QR code is displayed, the user is required to enter a key in the AgentPreferences screen in the Change Password section under "2 Factor Token" (confusingly this seems to be the key, not a token). One does need to also enter the Current password (and looks like also a new password, but it can be the same as the current one). That key then is to be entered as well in the creation of a new entry in the Google Authenticator app. The entry should be configured to be time based (which is the default). This is not a very friendly user interface overall and I fear it is going to limit the adoption.

Let's keep it enabled for some time and see what kind of feedback we get and reevaluate.

> Last week, someone tried to access my account using password reset on my email account + OTRS account...

Ouch. Looks like indeed you need 2FA.

Josve05a added a comment. (Edited) Feb 21 2018, 12:24 PM

Works for me (unless it would have accepted anything at all. Just logged in with 2FA and I got logged in.) :D The key needed to be 16 letters (GoogleAuth).

Hello @akosiaris and thank you for responding to my cry for help. :-)

> Now enabling 2FA for one's account is a bit weird. Unlike the usual services where a QR code is displayed, the user is required to enter a key in the AgentPreferences screen in the Change Password section under "2 Factor Token" (confusingly this seems to be the key, not a token). One does need to also enter the Current password (and looks like also a new password, but it can be the same as the current one). That key then is to be entered as well in the creation of a new entry in the Google Authenticator app. The entry should be configured to be time based (which is the default). This is not a very friendly user interface overall and I fear it is going to limit the adoption.

Unfortunately, I couldn't make it work yet. I will try again later in the day when I have more time.

If I got it to work

Step 1. Go to OTRS user settings
Step 2. Enter your old password and your ‘new’ (or same password)
Step 3. Enter a 16-letter key (lower case?) of your choice
Step 4. Press change password
Step 5. Create a new 2FA in Google authenticator
Step 6. Enter your 16-char key and an account name
Step 7. Choose timer based tokens
Done

@Josve05a : I did as mentioned, but still can login without 2FA or with a random 2FA. Did you try to check this too? (maybe I am the one doing something wrong)

> @Josve05a : I did as mentioned, but still can login without 2FA or with a random 2FA. Did you try to check this too? (maybe I am the one doing something wrong)

No, I didn’t failcheck it, only checked if I could get in. Hmm...

> @Josve05a : I did as mentioned, but still can login without 2FA or with a random 2FA. Did you try to check this too? (maybe I am the one doing something wrong)

Same here, the shared secret is getting ignored.

Looking at the code it does look like the "2 Factor Token" in AgentPreferences is checked when updating one's password. As an extra security precaution, that is. So my initial assertion was wrong and what I've been testing is a moot point. I've yet to find where in the web interface an Agent is meant to set the key and no documentation exists.

Reading the code more I've managed to find the following setting PreferencesGroups###GoogleAuthenticatorSecretKey that needs to be enabled for a panel to show up in AgentPreferences allowing to enter the shared key. Unfortunately there seems to be some bug in the code and I get in the logs:

[Notice][Kernel::System::Auth::TwoFactor::GoogleAuthenticator::Auth] User: Alexandros Kosiaris two factor authentication failed (non-matching otp).

I triple checked the key in my app and OTRS but they are the same. The file responsible for the authentication part seems to have had quite a few changes and at least 1 fixed bug related to timezones. https://github.com/OTRS/otrs/commits/master/Kernel/System/Auth/TwoFactor/GoogleAuthenticator.pm. Unfortunately that fix does not apply directly to our codebase and many of the above changes have not been ported to OTRS 5 but are rather OTRS 6 related.

Given all of the above I am thinking about disabling this once more and waiting at least for the upgrade to OTRS 6 before reenabling it. That is however going to take quite a while from the looks of it and is going to be a major upgrade.
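For context on what the GoogleAuthenticator check above is supposed to verify, here is an added example (not OTRS code and not the module's Perl): an RFC 6238 TOTP verifier for a base32 key like the 16-letter one in the steps above, accepting lower or upper case, with a one-step skew window, and a run showing how a server that feeds a timezone-shifted clock into the counter rejects every code as non-matching. The 16-character key and the 7200-second offset are constructed; the other secret is the RFC 6238 test vector.

```python
# Added example (not OTRS code): RFC 6238 TOTP verification with a skew window,
# and why a server-side clock/timezone offset yields "non-matching otp" even when
# the app and the server hold the same key.
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # RFC 6238 default; Google Authenticator uses the same step
DIGITS = 6

# RFC 6238 Appendix B test secret ("12345678901234567890"), base32-encoded.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed 16-character base32 key of the kind the thread describes entering.
EXAMPLE_KEY_16 = "JBSWY3DPEHPK3PXP"


def hotp(secret_b32, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.strip(), casefold=True)  # base32 is case-insensitive
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, step=STEP_SECONDS):
    """RFC 6238: HOTP with counter = floor(T / step). T must be UTC epoch seconds;
    feeding local time shifts the counter by the zone offset and nothing matches."""
    return hotp(secret_b32, int(unix_time) // step)


def verify_totp(secret_b32, candidate, unix_time, window=1):
    """Accept the candidate if it matches the current step or any step within +/- window."""
    if not (candidate.isdigit() and len(candidate) == DIGITS):
        return False
    counter = int(unix_time) // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), candidate)  # constant-time compare
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = int(time.time())
    code = totp(EXAMPLE_KEY_16, now)  # what the authenticator app would display
    print("accepted with correct clock:", verify_totp(EXAMPLE_KEY_16, code, now))
    # A server that puts local time of a UTC+2 zone into the counter is 7200 s off:
    print("accepted with +2h offset:   ", verify_totp(EXAMPLE_KEY_16, code, now + 7200))
```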

Keegan added a subscriber: Keegan. Feb 21 2018, 6:45 PM

> Given all of the above I am thinking about disabling this once more and waiting at least for the upgrade to OTRS 6 before reenabling it. That is however going to take quite a while from the looks of it and is going to be a major upgrade.

I'd rather have it disabled than turned on and broken.

Josve05a added a comment. (Edited) Feb 21 2018, 7:13 PM

> I'd rather have it disabled than turned on and broken.

Well, security theater (real thing) might be a good deterrent against so-called hackers trying to gain access by force-testing passwords.

akosiaris lowered the priority of this task from High to Normal. Feb 22 2018, 7:27 PM
akosiaris changed the task status from Open to Stalled.

I've disabled the functionality. I've conducted multiple tests and never got it to work. I am setting this to stalled, we should revisit when we have upgraded to 6.x.x (or if some patches about this land in 5.0.26+)

RP88 added a subscriber: RP88. Mon, Oct 1, 1:20 PM