Yubikey 2FA Provider - comments/advice please


#1

Hi All,

I have created a 2FA provider for the Yubikey OTP token. This is my first app for publication so I would appreciate it if someone could give me a little advice before I submit it to the app store.

It is heavily based on twofactor_totp.

I have included the Yubikey PHP authentication library but am not sure if I have included it properly. I am pulling it into the code via a require statement; should I be using the autoloader for this? (And if so, how?)

Also I am not sure what I should be putting in as the supported ownCloud versions - how do OC version numbers map to NC versions?

Any pointers would be helpful.

TIA


#2

^^^^^^ @LukasReschke


#3

I’m using the normal “Two Factor TOTP Provider”-app (https://apps.owncloud.com/content/show.php/TOTP+TwoFactor+(Google+Authenticator)?content=174726) with the Yubico Authenticator (software on the client that generates a OTP every 30s).


#4

TOTP is a totally different type of OTP than the native Yubikey OTP.

My software works (for me), my only concerns are really packaging and polish. The way I am bringing in the Yubico library pollutes the root namespace which is fine enough for me but not something I would want to inflict on others.
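As an added illustration of why the two OTP types differ (this is example code, not part of the OP's app or the Yubico library): a Yubikey OTP is 44 modhex characters, a 12-character public ID plus 16 AES-encrypted bytes that only the validation server can decrypt, and the decrypted token carries counters that a server checks against replay. The OTP string and private ID below are constructed sample values.

```python
# Added example: structure of a Yubikey (Yubico) OTP, contrasted with TOTP.
# Modhex is Yubico's keyboard-layout-independent hex alphabet (value = index).
MODHEX = "cbdefghijklnrtuv"


def modhex_decode(s: str) -> bytes:
    """Decode a modhex string into bytes; raises on any non-modhex character."""
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not modhex")
    nib = [MODHEX.index(ch) for ch in s]
    return bytes((nib[i] << 4) | nib[i + 1] for i in range(0, len(nib), 2))


def split_otp(otp: str) -> tuple[str, bytes]:
    """Return (public ID as hex, 16 encrypted bytes) for a 44-char Yubikey OTP.
    The public ID identifies the key; the rest needs the key's AES-128 secret."""
    if len(otp) != 44:
        raise ValueError("Yubikey OTP must be 44 modhex characters")
    return modhex_decode(otp[:12]).hex(), modhex_decode(otp[12:])


def crc16(data: bytes) -> int:
    """Yubico's CRC-16 (reflected poly 0x8408, init 0xFFFF), as in RFC 1662 FCS."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            low = crc & 1
            crc >>= 1
            if low:
                crc ^= 0x8408
    return crc


def crc_ok(plain: bytes) -> bool:
    """A 16-byte token with its inverted CRC appended leaves residual 0xF0B8."""
    return len(plain) == 16 and crc16(plain) == 0xF0B8


def parse_token(plain: bytes) -> dict:
    """Parse the 16-byte *decrypted* token layout (private ID, counters, random)."""
    if not crc_ok(plain):
        raise ValueError("bad token CRC")
    return {
        "private_id": plain[0:6].hex(),                         # must match the enrolled key
        "use_counter": int.from_bytes(plain[6:8], "little"),   # persists across power-ups
        "timestamp": int.from_bytes(plain[8:11], "little"),    # ~8 Hz clock since power-up
        "session_counter": plain[11],                          # increments per button press
        "random": int.from_bytes(plain[12:14], "little"),
    }


def is_replay(tok: dict, last_use: int, last_session: int) -> bool:
    """Server-side check: the (use, session) counter pair must strictly advance."""
    return (tok["use_counter"], tok["session_counter"]) <= (last_use, last_session)


def build_token(private_id: bytes, use_ctr: int, ts: int, sess: int, rnd: int) -> bytes:
    """Constructed plaintext token with a valid CRC (for demonstration only)."""
    body = (private_id + use_ctr.to_bytes(2, "little") + ts.to_bytes(3, "little")
            + bytes([sess]) + rnd.to_bytes(2, "little"))
    return body + (~crc16(body) & 0xFFFF).to_bytes(2, "little")
```

This is why a Yubikey OTP needs a validation service holding the per-key AES secret and the last-seen counters, whereas TOTP only needs a shared secret and a clock.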


#5

I would also love to use a YubiKey with Nextcloud!


#6

Just do it. With U2F it’s even easier.


#7

The app cannot be activated on nextcloud 12. The error message is: “this app cannot be enabled because it makes the server unstable.”


#8

Yubikeys are GREAT. Unless you really NEED to use OTP, I would recommend sticking with U2F. It’s more secure than OTP.

I use my Yubikey with U2F with the existing U2F module for Nextcloud. It JUST works!


#9

Yes, you are right that U2F would be the better choice. But unfortunately it is not supported by every browser. I need to log into my Nextcloud often from different computers where only old browser versions are installed, so Yubikey OTP would be a great choice for me: it is just a keyboard and thus supported by every computer and browser, no matter how old the browser version is.


#10

Currently Chrome and Opera support U2F. Firefox is coming shortly, it’s currently in the nightly. Who knows about Safari…


#11

Well, last year Yubico went away from Open Source to become yet another closed source company. Their devices cannot be regarded as “secure” because of their “security through obscurity” approach. Just last week one of their partners (Infineon) told them that at least their OpenPGP functionality is broken, which makes their devices useless at least for this feature.

Does anybody know a more open alternative? I could only find Nitrokey: https://www.nitrokey.com

@Jeffery_Frederick There is also a plugin for Firefox which will stop working from the next version onwards (57 will only support Webextensions): https://addons.mozilla.org/de/firefox/addon/u2f-support-add-on/


#12

What speaks against them? Why “only”?


#13

I’ve put PrivacyIDEA on my bucket list; I will test it in the next couple of weeks. It’s robust open source and offers TOTP on simple chipcards - much more usable because not everybody has a smartphone for the FreeOTP app. Yubico is no option anymore. They moved themselves to the dark side of security and now they got exactly what everybody told them. Infineon’s closed-source approach is now broken. IMHO this is worse than WPA2 implementation bugs.


#14

Absolutely nothing actually, quite the opposite. They are as open as possible which fits well into the Nextcloud environment. I just wanted to know if somebody has another alternative worth looking at.

@jakobssystems It is their “RSA moment”, so to say. Loads of doorstoppers once again. :grinning: PrivacyIDEA sounds interesting; I saw that their community version is free for up to 50 users, which would be enough for smaller organisations at least.


#15

Yes, the impact is enormous for Yubico and beyond. All the beautiful so-called Enterprise access devices are now worthless, they are bricked. And you know what? I have no mercy. :stuck_out_tongue_winking_eye:


#16

One user has created a fork of @jack’s app and got it running on Nextcloud 12. You can find the fork here -> https://github.com/sullenx/twofactor_yubikey The discussion can be found here -> https://github.com/jaark/twofactor_yubikey/issues/3#issuecomment-346686751


#17

I can’t get this to work. Is there anyone who could help me out on a consulting basis $$$.


#18

Shouldn’t be that hard. U2F (you have to use the key for activation) or OTP (you need to import a code into your Yubikey app) should be pretty straightforward. If you ask for paid help, you can use this topic (more information would be nice, used systems etc.): https://help.nextcloud.com/c/nextcloud-freelancing/looking


#19

I bought a YubiKey 4 some time ago and it had the problem reported by Infineon when generating an RSA key. I visited Yubico’s site and found a security advisory. I was forwarded to a form on the page where I had to enter my address data and the serial number of my YubiKey. That was on a Sunday evening, and still that night I got, by mail, a confirmation that my YubiKey is affected by it and would be replaced. Since I had not specified an urgency, the YubiKey was sent to me free of charge as a registered letter. A week later I had the replacement. Of course I prefer it if a company stays with open source, but I understand their step and find their behaviour in case of security problems flawless!


#20

I use my YubiKey NEO (NFC) with the Android app Yubico Authenticator installed on my Nexus 6P. Therefore I installed the app Two Factor TOTP Provider in Nextcloud 13. The installation by the Nextcloud admin and the first setup by the user went smoothly. The process was as professional as setting up TOTP on GitHub, Twitter, or Google. My compliments to the developer ChristophWurst.