baarkerlounger
/
two_factor_authentication
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Two factor authentication extension for Devise
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
198 Commits
3 Branches
13 Tags
466 KiB
Tree: 348c2a1cce
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '348c2a1cce'
${ noResults }
two_factor_authentication/README.md

261 lines
8.4 KiB
Raw Normal View History Unescape

travis badge in README
11 years ago
# Two factor authentication for Devise
Added Gitter badge
10 years ago
[![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/Houdini/two_factor_authentication?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
travis badge in README
11 years ago
[![Build Status](https://travis-ci.org/Houdini/two_factor_authentication.svg?branch=master)](https://travis-ci.org/Houdini/two_factor_authentication)
+ Code quality snippet
11 years ago
[![Code Climate](https://codeclimate.com/github/Houdini/two_factor_authentication.png)](https://codeclimate.com/github/Houdini/two_factor_authentication)
first commit
13 years ago
## Features
Add support for directly delivered OTP codes Direct OTP codes are ones that are delivered directly to the user (e.g. SMS) via send_two_factor_authentication_code. These are randomly generated, short lived, and stored directly in the database. TOTP (and the rotp gem) is now only enabled for those user that have a shared secret (user.create_otp_secret).
9 years ago
* Support for 2 types of OTP codes
1. Codes delivered directly to the user
2. TOTP (Google Authenticator) codes based on a shared secret (HMAC)
* Configurable OTP code digit length
* Configurable max login attempts
* Customizable logic to determine if a user needs two factor authentication
* Configurable period where users won't be asked for 2FA again
* Option to encrypt the TOTP secret in the database, with iv and salt
first commit
13 years ago
## Configuration
updated README
13 years ago
### Initial Setup
In a Rails environment, require the gem in your Gemfile:
version to 0.2
13 years ago
gem 'two_factor_authentication'
updated README
13 years ago
Once that's done, run:
bundle install
Remove ruby 2.0 from travis build martix The latest version of devise requires ruby >= 2.1. This change removes 2.0 from the test matrix and adds 2.3.
9 years ago
Note that Ruby 2.1 or greater is required.
Drop support for Ruby 1.9.3 & update .travis.yml **Why**: The `encryptor` gem, which is used for the new OTP encryption feature, requires Ruby 2.0 or later. Also, Rails 5.0 requires Ruby 2.2.2 or greater, so we need to ignore 1.9.3, 2.0, and 2.1 when running RAILS_VERSION=master on Travis.
9 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
### Installation
updated README
13 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
#### Automatic initial setup
Prevent reuse of TOTP codes (#94) This change updates the rotp version which now includes support for preventing TOTP code reuse via tracking the timestamp of the last used code.
8 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
To set up the model and database migration file automatically, run the
following command:
updated README
13 years ago
bundle exec rails g two_factor_authentication MODEL
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
Where MODEL is your model name (e.g. User or Admin). This generator will add
`:two_factor_authenticatable` to your model's Devise options and create a
migration in `db/migrate/`, which will add the following columns to your table:
updated README
13 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
- `:second_factor_attempts_count`
- `:encrypted_otp_secret_key`
- `:encrypted_otp_secret_key_iv`
- `:encrypted_otp_secret_key_salt`
Add support for directly delivered OTP codes Direct OTP codes are ones that are delivered directly to the user (e.g. SMS) via send_two_factor_authentication_code. These are randomly generated, short lived, and stored directly in the database. TOTP (and the rotp gem) is now only enabled for those user that have a shared secret (user.create_otp_secret).
9 years ago
- `:direct_otp`
- `:direct_otp_sent_at`
Prevent reuse of TOTP codes (#94) This change updates the rotp version which now includes support for preventing TOTP code reuse via tracking the timestamp of the last used code.
8 years ago
- `:totp_timestamp`
Modifying readme based on changes to gem.
11 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
#### Manual initial setup
Prevent reuse of TOTP codes (#94) This change updates the rotp version which now includes support for preventing TOTP code reuse via tracking the timestamp of the last used code.
8 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
If you prefer to set up the model and migration manually, add the
`:two_factor_authentication` option to your existing devise options, such as:
Modifying readme based on changes to gem.
11 years ago
README: use correct column name, update markdown code blocks
11 years ago
```ruby
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
devise :database_authenticatable, :registerable, :recoverable, :rememberable,
:trackable, :validatable, :two_factor_authenticatable
README: use correct column name, update markdown code blocks
11 years ago
```
Modifying readme based on changes to gem.
11 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
Then create your migration file using the Rails generator, such as:
Modifying readme based on changes to gem.
11 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
```
Prevent reuse of TOTP codes (#94) This change updates the rotp version which now includes support for preventing TOTP code reuse via tracking the timestamp of the last used code.
8 years ago
rails g migration AddTwoFactorFieldsToUsers second_factor_attempts_count:integer encrypted_otp_secret_key:string:index encrypted_otp_secret_key_iv:string encrypted_otp_secret_key_salt:string direct_otp:string direct_otp_sent_at:datetime totp_timestamp:timestamp
README: use correct column name, update markdown code blocks
11 years ago
```
updated README
13 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
Open your migration file (it will be in the `db/migrate` directory and will be
named something like `20151230163930_add_two_factor_fields_to_users.rb`), and
add `unique: true` to the `add_index` line so that it looks like this:
first commit
13 years ago
```ruby
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
add_index :users, :encrypted_otp_secret_key, unique: true
first commit
13 years ago
```
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
Save the file.
#### Complete the setup
Prevent reuse of TOTP codes (#94) This change updates the rotp version which now includes support for preventing TOTP code reuse via tracking the timestamp of the last used code.
8 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
Run the migration with:
bundle exec rake db:migrate
first commit
13 years ago
Modifying readme based on changes to gem.
11 years ago
Add the following line to your model to fully enable two-factor auth:
first commit
13 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
has_one_time_password(encrypted: true)
first commit
13 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
Set config values in `config/initializers/devise.rb`:
fix spaces
13 years ago
README: use correct column name, update markdown code blocks
11 years ago
```ruby
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
config.max_login_attempts = 3 # Maximum second factor attempts count.
Add support for directly delivered OTP codes Direct OTP codes are ones that are delivered directly to the user (e.g. SMS) via send_two_factor_authentication_code. These are randomly generated, short lived, and stored directly in the database. TOTP (and the rotp gem) is now only enabled for those user that have a shared secret (user.create_otp_secret).
9 years ago
config.allowed_otp_drift_seconds = 30 # Allowed TOTP time drift between client and server.
config.otp_length = 6 # TOTP code length
config.direct_otp_valid_for = 5.minutes # Time before direct OTP becomes invalid
config.direct_otp_length = 6 # Direct OTP code length
config.remember_otp_session_for_seconds = 30.days # Time before browser has to perform 2fA again. Default is 0.
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
config.otp_secret_encryption_key = ENV['OTP_SECRET_ENCRYPTION_KEY']
Update README: add second_factor_resource_id
8 years ago
config.second_factor_resource_id = 'id' # Field or method name used to set value for 2fA remember cookie
README: use correct column name, update markdown code blocks
11 years ago
```
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
The `otp_secret_encryption_key` must be a random key that is not stored in the
DB, and is not checked in to your repo. It is recommended to store it in an
environment variable, and you can generate it with `bundle exec rake secret`.
Modifying readme based on changes to gem.
11 years ago
Add support for directly delivered OTP codes Direct OTP codes are ones that are delivered directly to the user (e.g. SMS) via send_two_factor_authentication_code. These are randomly generated, short lived, and stored directly in the database. TOTP (and the rotp gem) is now only enabled for those user that have a shared secret (user.create_otp_secret).
9 years ago
Override the method in your model in order to send direct OTP codes. This is
automatically called when a user logs in unless they have TOTP enabled (see
below):
first commit
13 years ago
README: use correct column name, update markdown code blocks
11 years ago
```ruby
Add support for directly delivered OTP codes Direct OTP codes are ones that are delivered directly to the user (e.g. SMS) via send_two_factor_authentication_code. These are randomly generated, short lived, and stored directly in the database. TOTP (and the rotp gem) is now only enabled for those user that have a shared secret (user.create_otp_secret).
9 years ago
def send_two_factor_authentication_code(code)
# Send code via SMS, etc.
README: use correct column name, update markdown code blocks
11 years ago
end
```
first commit
13 years ago
Adding clarification around google authenticator.
11 years ago
### Customisation and Usage
updated README
13 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
By default, second factor authentication is required for each user. You can
change that by overriding the following method in your model:
fix spaces
13 years ago
first commit
13 years ago
```ruby
README: use correct column name, update markdown code blocks
11 years ago
def need_two_factor_authentication?(request)
request.ip != '127.0.0.1'
end
first commit
13 years ago
```
fix spaces
13 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
In the example above, two factor authentication will not be required for local
users.
Adding clarification around google authenticator.
11 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
This gem is compatible with [Google Authenticator](https://support.google.com/accounts/answer/1066447?hl=en).
Add support for directly delivered OTP codes Direct OTP codes are ones that are delivered directly to the user (e.g. SMS) via send_two_factor_authentication_code. These are randomly generated, short lived, and stored directly in the database. TOTP (and the rotp gem) is now only enabled for those user that have a shared secret (user.create_otp_secret).
9 years ago
To enable this a shared secret must be generated by invoking the following
method on your model:
```ruby
user.generate_totp_secret
```
Prevent reuse of TOTP codes (#94) This change updates the rotp version which now includes support for preventing TOTP code reuse via tracking the timestamp of the last used code.
8 years ago
This must then be shared via a provisioning uri:
Adding clarification around google authenticator.
11 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
```ruby
user.provisioning_uri # This assumes a user model with an email attribute
```
Adding clarification around google authenticator.
11 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
This provisioning uri can then be turned in to a QR code if desired so that
users may add the app to Google Authenticator easily. Once this is done, they
Add support for directly delivered OTP codes Direct OTP codes are ones that are delivered directly to the user (e.g. SMS) via send_two_factor_authentication_code. These are randomly generated, short lived, and stored directly in the database. TOTP (and the rotp gem) is now only enabled for those user that have a shared secret (user.create_otp_secret).
9 years ago
may retrieve a one-time password directly from the Google Authenticator app.
+two factor authentication example in readme
11 years ago
Updated readme with view overriding
11 years ago
#### Overriding the view
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
The default view that shows the form can be overridden by adding a
file named `show.html.erb` (or `show.html.haml` if you prefer HAML)
inside `app/views/devise/two_factor_authentication/` and customizing it.
Below is an example using ERB:
Updated readme with view overriding
11 years ago
```html
<h2>Hi, you received a code by email, please enter it below, thanks!</h2>
<%= form_tag([resource_name, :two_factor_authentication], :method => :put) do %>
<%= text_field_tag :code %>
<%= submit_tag "Log in!" %>
<% end %>
<%= link_to "Sign out", destroy_user_session_path, :method => :delete %>
```
Add support for directly delivered OTP codes Direct OTP codes are ones that are delivered directly to the user (e.g. SMS) via send_two_factor_authentication_code. These are randomly generated, short lived, and stored directly in the database. TOTP (and the rotp gem) is now only enabled for those user that have a shared secret (user.create_otp_secret).
9 years ago
#### Enable TOTP support for existing users
Updated readme with rake task to update existing users with OTP secret key
11 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
If you have existing users that need to be provided with a OTP secret key, so
Add support for directly delivered OTP codes Direct OTP codes are ones that are delivered directly to the user (e.g. SMS) via send_two_factor_authentication_code. These are randomly generated, short lived, and stored directly in the database. TOTP (and the rotp gem) is now only enabled for those user that have a shared secret (user.create_otp_secret).
9 years ago
they can use TOTP, create a rake task. It could look like this one below:
Updated readme with rake task to update existing users with OTP secret key
11 years ago
```ruby
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
desc 'rake task to update users with otp secret key'
Updated readme with rake task to update existing users with OTP secret key
11 years ago
task :update_users_with_otp_secret_key => :environment do
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
User.find_each do |user|
Add support for directly delivered OTP codes Direct OTP codes are ones that are delivered directly to the user (e.g. SMS) via send_two_factor_authentication_code. These are randomly generated, short lived, and stored directly in the database. TOTP (and the rotp gem) is now only enabled for those user that have a shared secret (user.create_otp_secret).
9 years ago
user.generate_totp_secret
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
user.save!
puts "Rake[:update_users_with_otp_secret_key] => OTP secret key set to '#{key}' for User '#{user.email}'"
end
Updated readme with rake task to update existing users with OTP secret key
11 years ago
end
```
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
Then run the task with `bundle exec rake update_users_with_otp_secret_key`
Add support for directly delivered OTP codes Direct OTP codes are ones that are delivered directly to the user (e.g. SMS) via send_two_factor_authentication_code. These are randomly generated, short lived, and stored directly in the database. TOTP (and the rotp gem) is now only enabled for those user that have a shared secret (user.create_otp_secret).
9 years ago
#### Adding the TOTP encryption option to an existing app
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
If you've already been using this gem, and want to start encrypting the OTP
secret key in the database (recommended), you'll need to perform the following
steps:
1. Generate a migration to add the necessary columns to your model's table:
```
rails g migration AddEncryptionFieldsToUsers encrypted_otp_secret_key:string:index encrypted_otp_secret_key_iv:string encrypted_otp_secret_key_salt:string
```
Open your migration file (it will be in the `db/migrate` directory and will be
named something like `20151230163930_add_encryption_fields_to_users.rb`), and
add `unique: true` to the `add_index` line so that it looks like this:
```ruby
add_index :users, :encrypted_otp_secret_key, unique: true
```
Save the file.
2. Run the migration: `bundle exec rake db:migrate`
2. Update the gem: `bundle update two_factor_authentication`
3. Add `encrypted: true` to `has_one_time_password` in your model.
For example: `has_one_time_password(encrypted: true)`
4. Generate a migration to populate the new encryption fields:
```
rails g migration PopulateEncryptedOtpFields
```
Open the generated file, and replace its contents with the following:
```ruby
class PopulateEncryptedOtpFields < ActiveRecord::Migration
def up
User.reset_column_information
User.find_each do |user|
user.otp_secret_key = user.read_attribute('otp_secret_key')
user.save!
end
end
def down
User.reset_column_information
User.find_each do |user|
user.otp_secret_key = ROTP::Base32.random_base32
user.save!
end
end
end
```
5. Generate a migration to remove the `:otp_secret_key` column:
```
rails g migration RemoveOtpSecretKeyFromUsers otp_secret_key:string
```
6. Run the migrations: `bundle exec rake db:migrate`
If, for some reason, you want to switch back to the old non-encrypted version,
use these steps:
1. Remove `(encrypted: true)` from `has_one_time_password`
2. Roll back the last 3 migrations (assuming you haven't added any new ones
after them):
```
bundle exec rake db:rollback STEP=3
```
Updated readme with rake task to update existing users with OTP secret key
11 years ago
Add support for OTP secret key encryption **Why**: To provide an additional layer of security. The TOTP spec (RFC 6238) recommends encrypting the keys. http://tools.ietf.org/html/rfc6238 **How**: Borrow the encryption code from the `attr_encrypted` gem and use it to encrypt and decrypt the `otp_secret_key` attribute. Allow users to add encryption by passing in `encrypted: true` to `has_one_time_password`. This provides backwards-compatibility for existing users of the gem. See the README updates for more detailed instructions for both new and existing users.
9 years ago
### Example App
+two factor authentication example in readme
11 years ago
[TwoFactorAuthenticationExample](https://github.com/Houdini/TwoFactorAuthenticationExample)