Clipperz with 2 factor auth (Google Authenticator?)


Ben

Jun 30, 2011, 8:00:39 PM
to Clipperz
I use Clipperz community edition on a server I manage and love the
product immensely. It would however be absolutely fantastic if there
was support for a 2 factor authentication option.

How difficult would it be to support Google Authenticator (for
example) as an additional access control ?

Cheers and keep up the great work!

Ben

Marco Barulli

Jul 5, 2011, 3:14:11 AM
to ben.m...@gmail.com, Clipperz
Hi Ben,
thanks for your kind words! :-)

We are not providing any "two factor" authentication method since we
have not yet found a way to smoothly integrate it with our
"zero-knowledge web application" architecture.

Most two factor systems require Clipperz to know something about
you (your cellphone number, email, ...).
This will break the "zero-knowledge" pledge we made to our users and
it could also open a channel for attackers if our server is
compromised and your cell phone is leaked. (social attacks are the
most effective!)

We could easily add a second layer of authentication on top of
username and passphrase, but this would add very little security while
being much more inconvenient for the user.

We are still thinking about improving security _and_ convenience, but
current "two factor" authentication solutions do not fit right with
our architecture.

Many thanks for your feedback,
Marco

--
Marco Barulli
http://www.clipperz.com


Daniel

Sep 9, 2011, 2:07:07 PM
to clip...@googlegroups.com
On Friday, July 1 Ben wrote:
> I use Clipperz community edition on a server I manage and love the
> product immensely. It would however be absolutely fantastic if there
> was support for a 2 factor authentication option.

Or the more open alternative: the YubiKey. See http://yubico.com/yubikey

Kamila Součková

Jan 6, 2016, 1:22:58 PM
to Clipperz, ben.m...@gmail.com
Hi,

[I hope it's OK to resurrect this old thread, just thought I'd add my $0.02, as every time I log in to Clipperz I feel nervous about typing my password and knowing this is all it takes to get to my precious data, yet I'm too lazy to download the source and verify the hash...]

Something which (I believe) would not break the "zero-knowledge" architecture is TOTP or HOTP (time-based or hash-based one-time passwords), generated e.g. by a mobile app. With an app, Clipperz can tell me the (random) secret, and therefore the only thing stored on the server is this random string. However, I am aware of issues like recovery after losing access to the app -- probably the only "zero-knowledge" recovery method is "give the user a few random strings to be used as one-time recovery passphrases and *tell them to look after them*", which is certainly suboptimal. Also, I am not sure how exactly to use say TOTP to actually increase security (rather than just make me feel better) with the Clipperz architecture.

Still, I'd feel much better if someone smarter than me came up with a way to make me feel less nervous when entering my password (not necessarily with 2FA -- perhaps something like a "server 2FA" -- independent verification that what I'm seeing in the browser is genuine Clipperz, not something some nasty person set up to trap my password?)

Thanks for making Clipperz, you rock!

Kamila
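
An added example, not part of the thread and not Clipperz code: TOTP/HOTP per RFC 4226 and RFC 6238 as described in the post above, with a server-side record that holds only a random secret and hashes of one-time recovery codes. The `SecondFactorRecord` class, its fields and the recovery-code format are assumptions for illustration.

```python
import hashlib, hmac, secrets, struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP keyed on the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(now) // step, digits)

class SecondFactorRecord:
    """Hypothetical server-side record: a random secret, the last accepted time
    step and hashes of recovery codes. No phone number, e-mail or other identity."""

    def __init__(self, recovery_count: int = 5):
        self.secret = secrets.token_bytes(20)  # random; shown to the user's app once
        self.last_step = -1                    # highest time step already accepted
        codes = [secrets.token_hex(16) for _ in range(recovery_count)]
        self.recovery_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
        # Returned to the user once; a real store would keep only the hashes.
        self.issued_recovery_codes = codes

    def verify_totp(self, code: str, now: float, step: int = 30, window: int = 1) -> bool:
        current = int(now) // step
        for candidate in range(current - window, current + window + 1):
            if candidate <= self.last_step:
                continue  # never accept the same or an older step twice (replay)
            expected = hotp(self.secret, candidate).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_step = candidate
                return True
        return False

    def redeem_recovery_code(self, code: str) -> bool:
        digest = hashlib.sha256(code.encode()).hexdigest()
        if digest in self.recovery_hashes:
            self.recovery_hashes.discard(digest)  # one-time: burned on use
            return True
        return False
```
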

Mázsa Péter

Jan 6, 2016, 2:26:39 PM
to kamiso...@gmail.com, Clipperz, ben.m...@gmail.com
On Wed, Jan 6, 2016 at 7:13 PM, Kamila Součková <kamiso...@gmail.com> wrote:
[...]
> Still, I'd feel much better if someone [...] came up with a way to
> make me feel less nervous when entering my password [...] independent verification
> that what I'm seeing in the browser is genuine Clipperz, not something some
> nasty person set up to trap my password?)

Hi Kamila,

Cf.
1. https://www.grc.com/fingerprints.htm
2. https://clipperz.is/security_privacy/security_code_review/
3. download your app and use it in a completely different browser offline

[anyway: +1 for *optional* 2FA]

P.

giulio...@gmail.com

Jan 6, 2016, 2:34:35 PM
to Kamila Součková, Clipperz, ben.m...@gmail.com
Hello Kamila,

unfortunately we don't have a sound solution yet for the code verification part of the problem.
Recently we have added a side feature that, although tackling a different problem, may (or may not) help you: in the account settings, you may now enable a "Device pin".

This 5 digit code will be used to encode and encrypt your credentials and store them on the local storage of your browser.

In this way you will only have to type the PIN to login.

Clearly (or better, hopefully), the security of the PIN is way lower than that of the passphrase; but as the data encoded with the PIN lives only on your computer, you may want to try its convenience.

Regards,

Giulio Cesare




giulio...@gmail.com

Jan 6, 2016, 2:43:12 PM
to Mázsa Péter, Kamila Součková, Clipperz, ben.m...@gmail.com
Hello Mázsa,

we have long been trying to arrange the code in order to enable the use of the index.html file loaded from your computer, still accessing the data provided by the online application.

This worked for a little while, then browsers tightened the security policy, and now resources loaded with the "file://" protocol are considered "untrusted".

We are still looking for solutions to this critical problem, though.

Regards,

Giulio Cesare


Michael Smith

Apr 24, 2016, 5:14:27 PM
to Clipperz
I would like to see some type of two-factor authentication option as well, but would like to ensure privacy is maintained.  How about OTP, like a YubiKey?  You register, in your account, one or more YubiKeys (primary and a backup) and then each time you login you enter your passphrase, insert your YubiKey, press the magic button, and your OTP is inserted.  I believe a YubiKey would be anonymous.  Also, I know there is a server side component, but I don't know if it compromises anonymity in any way or the complexity of managing such a system.  

Michael Smith

Apr 24, 2016, 5:17:29 PM
to Clipperz
As a recovery option (lost YubiKey or keys) you could allow, if desired by the user, the use of one of their OTP passwords that are stored in their Clipperz account.

Marco Barulli

Apr 25, 2016, 3:10:40 AM
to Michael Smith, Clipperz
Hi Michael,
thanks for your kind input.

A second factor of authentication would be indeed useful and appropriate for a service like Clipperz.
I'm not a big fan of hardware solutions, but we are looking at alternatives like Google Authenticator or similar.

Best,
Marco


--
Clipperz - keep it to yourself!
https://clipperz.is

Marco Barulli
email: ma...@clipperz.is
mobile: +49 176 8827 2185
skype: mbarulli


Michael Smith

Apr 25, 2016, 8:23:24 PM
to Clipperz, smith...@runbox.com, ma...@clipperz.is
Marco:

The reason I suggested YubiKey is that I think it would maintain privacy whereas Google Authenticator or other 2FA options may not. Depending on the number of users a hardware solution may not be a big deal, but obviously, it is hard to compete with the ease of use of something like Google Authenticator, Authy, DUO, etc. Just throwing my two-cents worth in. I am more interested in the privacy and security from an individual standpoint and that's where I hope your final 2FA solution, if implemented, will land. Thank you for the consideration and thank you and your team for creating such an amazing application!!

Michael

Michael Smith

Oct 9, 2016, 8:25:24 PM
to Clipperz
Just curious: is 2FA on the roadmap, or is this something you guys don't really have any plans on implementing?

Ravi Sawhney

Jan 16, 2017, 5:35:00 PM
to Clipperz
Also long term user wanting TFA - feels unsecure without it.

Michael Smith

Jan 16, 2017, 11:16:59 PM
to Clipperz
+1 for Google Authenticator.  You know, if it is an "option" the people who are ultra privacy-centric would have to use while those of us who are security-centric could.  All that said, thanks so much for creating such an outstanding product.

