MultiFactor authentication in Rdiffweb


Patrik Dufresne

Jun 29, 2022, 8:12:06 AM
to rdiffweb

Hello,


For those of you keeping track of recent development, you might have noticed many changes related to security improvements. My intention is to make Rdiffweb more secure and robust against hackers. In the coming month, I plan to work on Multi-Factor Authentication as a way to improve the security of the account.


What are your thoughts on the subject?


1. I intend to enable/disable 2FA at server level using a configuration parameter. When enabled, all users will be forced to use 2FA.

2. 2FA will use the user's email to send a One Time Password that will be required during the authentication process.

3. Once a valid One Time Password is used, the browser will be marked as trusted using the user session.

4. When using a trusted browser, the user will not be prompted for 2FA on every login.

5. A trusted browser will expire after a configurable period of time.


I'm mostly following OWASP recommendations on the subject.



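The flow outlined in the post above (server-level switch, e-mailed one-time password, trusted browser with expiry), as an added example that is not part of the original message and is not Rdiffweb's code. The function names, the plain dict standing in for the server-side user session, and the lifetime and attempt values are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 600            # seconds an e-mailed code stays valid (assumed value)
TRUST_TTL = 30 * 86400   # configurable trusted-browser lifetime (assumed value)
MAX_ATTEMPTS = 5         # wrong guesses allowed per issued code (assumed value)


def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()


def issue_otp(session, now=None):
    """Create a 6-digit code, keep only its hash in the session, return it for e-mailing."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
    session["otp"] = {"hash": _digest(code), "expires": now + OTP_TTL, "tries": 0}
    return code


def verify_otp(session, submitted, now=None):
    """Check a submitted code; on success mark this session (browser) as trusted."""
    now = time.time() if now is None else now
    otp = session.get("otp")
    if otp is None or now > otp["expires"] or otp["tries"] >= MAX_ATTEMPTS:
        session.pop("otp", None)               # expired or guessed too often: force a new code
        return False
    otp["tries"] += 1
    if not hmac.compare_digest(otp["hash"], _digest(submitted)):
        return False
    session.pop("otp")                         # single use: a replayed code is rejected
    session["trusted_until"] = now + TRUST_TTL
    return True


def needs_second_factor(session, mfa_enabled, now=None):
    """Server-level switch first, then the trusted-browser expiry."""
    now = time.time() if now is None else now
    if not mfa_enabled:
        return False
    return now >= session.get("trusted_until", 0)
```

Because the trust marker lives in the server-side session, it is only as strong as the session cookie, which should be sent with the `Secure` and `HttpOnly` attributes.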