GSOC 2020 - Elixir Idea #1


Bruno Hass

Feb 26, 2020, 5:12:18 PM
to gsoc-erlef
Hello everyone. My name is Bruno and I am a Brazilian Computer Science student at the University of Santa Catarina. I have used Elixir and Phoenix
during an internship for a couple of months.

I would like to tackle the idea regarding Two-Factor Authentication for Hex. I am still writing the proposal, but I would like to share my thoughts.
I am considering using POT and EQRCode as supporting libraries. My idea is to use Google Authenticator for 2FA, hence the QR Code lib.

For the server we would need to modify the Ecto User model to include the OTP random secret and add/modify the pages so the user
can register the OTP secret with Google Authenticator. As for the Hex client I guess we would need to modify the mix hex.publish flow so
the 2FA is required. And for rebar3 I am not really sure, since I am more familiar with Elixir than Erlang, but I would be happy if anyone could
point me in the right direction to get more info on this.

I am posting these ideas so I can get some feedback and find out if I am getting things wrong. I am glad to share my thoughts on this mail list and
I would like to thank you all for your attention in advance.

Best regards,

Bruno.
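Added example, not code from this thread or from the hexpm pull request: the server-side pieces of the TOTP flow sketched above (a random secret stored on the user, an otpauth URI for Google Authenticator to scan, and verification of the six-digit code), written against the Erlang/Elixir standard library instead of pot so the mechanics are visible. The module name, the "hex.pm" issuer label and the function names are assumptions.

```elixir
defmodule HexTotpExample do
  # Server-side TOTP (RFC 6238) for the flow described above: a random
  # secret stored on the user, an otpauth URI for Google Authenticator,
  # and verification of the six-digit code. Standard library only.
  import Bitwise

  @period 30
  @digits 6
  @modulus 1_000_000 # 10^@digits

  # Fresh secret for the user record (20 bytes, the RFC 4226 minimum),
  # Base32-encoded because that is what authenticator apps expect.
  def generate_secret, do: :crypto.strong_rand_bytes(20) |> Base.encode32(padding: false)

  # URI to render as the enrolment QR code. Issuer and label are assumptions.
  def provisioning_uri(secret, username, issuer \\ "hex.pm") do
    label = URI.encode("#{issuer}:#{username}")
    "otpauth://totp/#{label}?secret=#{secret}&issuer=#{URI.encode(issuer)}" <>
      "&algorithm=SHA1&digits=#{@digits}&period=#{@period}"
  end

  # HOTP (RFC 4226) over the 30-second time step.
  def totp(secret, unix_time \\ System.os_time(:second)) do
    key = Base.decode32!(secret, padding: false)
    counter = <<div(unix_time, @period)::unsigned-big-64>>
    hmac = :crypto.mac(:hmac, :sha, key, counter)
    offset = :binary.last(hmac) &&& 0x0F
    <<_::binary-size(offset), truncated::unsigned-big-32, _::binary>> = hmac
    code = rem(truncated &&& 0x7FFFFFFF, @modulus)
    String.pad_leading(Integer.to_string(code), @digits, "0")
  end

  # Accept the current step plus one step either side for clock skew.
  # Callers should also rate-limit attempts and refuse a code that was
  # already accepted for this user (store the last accepted time step).
  def valid?(code, secret, unix_time \\ System.os_time(:second)) do
    Enum.any?(-1..1, fn skew ->
      secure_compare(code, totp(secret, unix_time + skew * @period))
    end)
  end

  # Constant-time comparison so response timing does not leak matching digits.
  defp secure_compare(a, b) when byte_size(a) == byte_size(b) do
    Enum.zip(:binary.bin_to_list(a), :binary.bin_to_list(b))
    |> Enum.reduce(0, fn {x, y}, acc -> acc ||| bxor(x, y) end) == 0
  end

  defp secure_compare(_, _), do: false
end
```

The same `valid?/3` check is what a `mix hex.publish` request would have to pass on the server side, with the code sent by the client alongside the API key.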

toddr...@gmail.com

Feb 28, 2020, 3:12:03 AM
to gsoc-erlef
Hi Bruno.
My name is Todd Resudek. I am a member of the Hex core team.
I currently have a pull request open (https://github.com/hexpm/hexpm/pull/851) for the first iteration of 2FA for Hex.
There are a few small remaining issues for this version that I expect to have completed in the next week. Incidentally, we are using pot and eqrcode, just as you suggested.
We will need help on the next version of 2FA though. This initial PR only supports two-factor on the hex.pm website, and only supports using an app (like Google Authenticator or Authy).
The future roadmap is to:
support 2FA when authenticating from the Hex CLI
add support for hardware-based keys (like the yubikey https://www.yubico.com/)

These are both very important, and also challenging. Your support on this work is greatly appreciated.
Please reach out to me if you have any additional questions. I am always happy to help.

Thanks,
TR

Bruno Hass

Feb 28, 2020, 8:36:57 AM
to gsoc-erlef
Hello Todd. This is very good to know. Thank you for your reply.

I will focus my research and proposal on these two points you mentioned then.
From what I understand, to support 2FA in the Hex CLI we would need to add the 2FA authentication to the Hex publish flow, first adding the API communication to Hex with what you implemented on the server and then modifying the flow itself. I took a look at your PR and it looks like there is already an endpoint for this, but the logic is for HTML rendering as well. So perhaps it would be necessary to separate things?
About the second point, I am not very familiar with hardware-based keys. Is there any documentation and/or Erlang/Elixir libs that I should focus my attention on for now? Either from Yubico or another source.

Thank you again for the reply! I really appreciate it,

Bruno Hass