Yubikey 2FA Provider - comments/advice please

jack 2016-09-11 22:40:35 UTC #1

Hi All,

I have created a 2FA provider for the Yubikey OTP token. This is my first app for publication so I would appreciate it if someone could give me a little advice before I submit it to the app store.

It is heavily based on twofactor_totp.

I have included the Yubikey PHP authentication library but am not sure if I have included it properly. I am pulling it into the code via a require statement, should I be using the autoloader for this? (and if so how?)

Also I am not sure what I should be putting in as the supported owncloud versions - how does oc version numbers map to nc versions?

Any pointers would be helpful.

TIA

oparoz 2016-09-11 22:52:40 UTC #2

^^^^^^ @LukasReschke

tflidd 2016-09-13 06:05:53 UTC #3

I’m using the normal “Two Factor TOTP Provider”-app (https://apps.owncloud.com/content/show.php/TOTP+TwoFactor+(Google+Authenticator)?content=174726) with the Yubico Authenticator (software on the client that generates a OTP every 30s).

jack 2016-09-13 18:38:58 UTC #4

TOTP is a totally different type of OTP than the native Yubikey OTP.

My software works (for me), my only concerns are really packaging and polish. The way I am bringing in the Yubico library pollutes the root namespace which is fine enough for me but not something I would want to inflict on others.

Synthead 2017-08-29 21:39:43 UTC #5

I would also love to use a YubiKey with Nextcloud!

tflidd 2017-08-29 21:44:51 UTC #6

Just do it. With U2F it’s even easier.

Tarry91 2017-10-10 10:22:40 UTC #7

The app cannot be activated on nextcloud 12. The error message is: “this app cannot be enabled because it makes the server unstable.”

Jeffery_Frederick 2017-10-10 23:40:42 UTC #8

Yubikeys are GREAT. Unless you really NEED to use OTP, i would recommend sticking with U2F. It’s more secure than OTP.

I use my Yubikey with U2F with the existing U2F module for Nextcloud. It JUST works!

Tarry91 2017-10-12 09:00:23 UTC #9

Yes your are right that U2F would be the better choice. But unfortunatly it is not supported by every browser. I need to log into my nextcloud often from different computers, where only old browser version are installed so Yubikey OTP would be a great choice for me it is just a keyboard and thus supported by every computer+browser no matter how old the browser version is.

Jeffery_Frederick 2017-10-23 02:34:37 UTC #10

Currently Chrome and Opera support U2F. Firefox is coming shortly, it’s currently in the nightly. Who knows about Safari…

alfred 2017-10-23 10:50:47 UTC #11

Well, last year Yubico went away from Open Source to become yet another closed source company. Their devices cannot be regarded as “secure” because of their “security through obscurity” approach. Just last week one of their partners (Infineon) told them that at least their OpenPGP functionality is broken, which makes their devices useless at least for this feature.

Does anybody know a more open alternative? I could only find Nitrokey: https://www.nitrokey.com

@Jeffery_Frederick There is also a plugin for Firefox which will stop working from the next version onwards (57 will only support Webextensions): https://addons.mozilla.org/de/firefox/addon/u2f-support-add-on/

Escubaer 2017-10-23 15:49:12 UTC #12

What speaks against them? Why “only”?

jakobssystems 2017-10-23 18:08:27 UTC #13

I’ve put PrivacyIDEA on my bucket list I will test in the next couple of weeks. It’s robust open Source and offers TOTP on simple chipcards - much more useable because not everybody has an smartphone for freeOTP App. Yubico is no option anymore. They moved them self on the dark site of security and now they exactly got what everybody told them. Infineons closed-source approach is now broken. IMHO this is more worse than WPA2 implementation bugs.

alfred 2017-10-23 18:10:13 UTC #14

Absolutely nothing actually, quite the opposite. They are as open as possible which fits well into the Nextcloud environment. I just wanted to know if somebody has another alternative worth looking at.

@jakobssystems It is their “RSA moment” so to say. Loads of doorstoppers once again. PrivacyIDEA sounds interesting, I saw that their community version is free for up to 50 users, that would be enough for smaller organisations at least.

jakobssystems 2017-10-23 19:19:04 UTC #15

Yes, the impact is enormous for Yubico and beyond. All the beautiful so called Enterprise access devices are now worthless, they are bricked. And you know what? I have no mercy. :

Tarry91 2017-11-23 20:34:41 UTC #16

One user has created a fork of @jack 's app and got it running on nextcloud 12. You can find the fork here -> https://github.com/sullenx/twofactor_yubikey The discussion can be found here -> https://github.com/jaark/twofactor_yubikey/issues/3#issuecomment-346686751

Dave_yyz 2018-02-15 19:05:47 UTC #17

I can’t get this to work. Is there anyone who could help me out on a consulting basis $$$.

tflidd 2018-02-18 09:59:59 UTC #18

Shouldn’t be that hard. U2F (you have to use the key for activation) or OTP (you need to import a code into your yubikey app) should be pretty straight forward. If you ask for paid help, you can use this topic (more information would be nice, used systems etc.): https://help.nextcloud.com/c/nextcloud-freelancing/looking