I am looking into using nuBuilder for a couple of small projects. Both of them will involve storing some data about real people. We are not talking about highly sensitive data - just names, phone numbers, email addresses and similar. However, I would like to make the database as secure as possible (following GDPR best practice) and have been wondering about using two-factor authentication when logging in. Looking at the various options, I reckon a one-time password (OTP) approach would be best. There are open-source apps such as FreeOTP that make this simple, avoiding the need for SMS gateways etc. The users of the system (hosted on https) would be enrolled by invitation and all would have access to a smartphone which could run the FreeOTP app.
My question then is whether anyone here has implemented a system such as this for nuBuilder, and if they have any code or ideas that could be shared. I should have time to look at this in a few weeks time but it would be taking me into new areas of programming and I am sure there are others here with much greater expertise.
Alternative ideas would be welcome as well.
Thanks in advance.
Neil
Two-factor authentication
Re: Two-factor authentication
Hi,
Not a solution for two-factor authentication, but some ideas you may want to consider:
At the server level you can limit access to specific IPs if users have fixed IPs. You could also consider allowing connections via VPN only, or some other protection at the server level such as Pulse Secure, depending on how secure you would like to be.
You can force users to change their password every day / month / etc. with the following:
https://forums.nubuilder.cloud/viewtopic.php?f=19&t=10108
You can add some requirements for password complexity.
If you would like to force users to change their password after some period of time, you can use Events in MariaDB.
To store the password change date you can add one column to the zzzzsys_user table, for example with ON UPDATE CURRENT_TIMESTAMP(), and with events you can check every day, let's say at 1.00am, whether the password is older than one week, for example. If so, you can reset it to a random password; the user then has to use the forgotten-password function to set up a new password.
If you want to make sure that they are not using the same password all the time, you have to keep the older passwords, etc.
Re: Two-factor authentication
Hi Janusz,
Many thanks for all the suggestions. I do agree that multi-layered approaches are sensible and some of these could work. Password complexity is a 'no-brainer', for example. There is a balance between security and convenience and it is a difficult one to strike as different people have varying approaches to risk. I remember using a site that imposed frequent password changes and finding it rather annoying, although this would be easier now with password manager applications.
What I like about the two-factor approach is that it provides a good balance between security and convenience. I like the fact that when I sign in to my PayPal account, for example, it requires both my password and then the one-time code. (I used to use SMS but now use FreeOTP.) When I log in, I have my phone alongside, tap to see the code and just type it in. It also provides confidence about security because major players such as Google, Microsoft, PayPal etc. provide 2FA and recommend that we use it.
The main benefit of the two-factor solution is that there are PHP libraries available and so the functionality could be completely internal to the nuBuilder application. One thought - you can add 2FA to WordPress and so one option could possibly be to use the plug-in route and rely on WordPress to handle security. However, I have not used nuBuilder with WordPress and so this is just speculation on my part.
I will keep thinking...
Thanks again.
Re: Two-factor authentication
It's probably "easier" to integrate a PHP library since nuBuilder is written in PHP.
https://github.com/Spomky-Labs/otphp
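For readers who want to see what a library such as otphp does before wiring it into nuBuilder's login, here is an added example (not nuBuilder or otphp code) of the RFC 6238 TOTP scheme that FreeOTP implements: a server-side enrolment secret, the otpauth:// URI that becomes the enrolment QR code, code generation, and verification with a one-step clock-skew window plus replay protection. It is written in Python so that it runs stand-alone; the issuer name "nuBuilder", the account name and the `last_counter` storage are assumptions for illustration, and the test secret is the one published in RFC 6238.

```python
"""Minimal RFC 6238 TOTP: enrolment secret, otpauth URI, code generation and
verification with a small clock-skew window and replay protection.
Added example for this thread; not nuBuilder or otphp code."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional, Tuple

STEP = 30    # time step in seconds (FreeOTP default)
DIGITS = 6   # code length (FreeOTP default)
WINDOW = 1   # accept codes one step either side of "now" to tolerate clock skew


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh random shared secret, generated server-side at enrolment.

    It must be stored with the same care as a password hash would be, because
    anyone holding it can generate valid codes.
    """
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that is rendered as the enrolment QR code FreeOTP scans."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": b32, "issuer": issuer, "algorithm": "SHA1",
         "digits": DIGITS, "period": STEP})
    return f"otpauth://totp/{label}?{query}"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """TOTP is HOTP with the counter derived from Unix time (T // STEP)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // STEP)


def verify(secret: bytes, code: str, last_counter: int,
           at: Optional[int] = None) -> Tuple[bool, int]:
    """Check a submitted code against the current step +/- WINDOW.

    Returns (ok, new_last_counter). `last_counter` is the step of the last
    code accepted for this user (stored per user, an assumption here);
    refusing any counter <= last_counter means an intercepted code cannot be
    replayed inside the skew window. The comparison is constant-time.
    """
    at = int(time.time()) if at is None else at
    current = at // STEP
    for counter in range(current - WINDOW, current + WINDOW + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    # Enrolment: generate a secret, show the URI the user would scan.
    secret = new_secret()
    print(provisioning_uri(secret, "neil@example.com", "nuBuilder"))
    # Login: the second factor after the password check succeeds.
    ok, last = verify(secret, totp(secret), last_counter=0)
    print("first use accepted:", ok)
    ok, _ = verify(secret, totp(secret), last_counter=last)
    print("same code replayed:", ok)
```

In a real login flow the code check runs only after the password has been verified, the secret is stored encrypted at rest, and `last_counter` is persisted per user so the replay check survives across requests. Rate-limiting code attempts matters too: a six-digit code within a three-step window gives an online guesser a 3-in-a-million chance per try, which is fine only if tries are scarce.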
Re: Two-factor authentication
Hi kev1n,
Thanks.
Yes, I agree entirely. In fact, I had come across that library when doing a search. Using an existing PHP library and integrating it into nuBuilder would make the solution very neat. My initial question was trying to find out if anyone had done this already.
kev1n wrote:
It's probably "easier" to integrate a PHP library since nuBuilder is written in PHP.
https://github.com/Spomky-Labs/otphp