    • 38237
    • 83 Posts
    Well, there are some alternatives to the mobile app.

    Here is a Chrome extension version https://chrome.google.com/webstore/detail/authenticator/bhghoamapcdpbohphigoooaddinpkbai

    Here is a desktop app https://github.com/mclamp/JAuth/tree/master/Installers

    Here is a hardware-type token http://www.yubico.com/applications/internet-services/gmail/
    • Some oddities in the GoogleAuthenticatorX tab of a user...

      What are the "Secret" and the "URI" for?

      The URI looks a bit dodgy... otpauth://totp/admin::http://localhost/revo231//revo231/working/?secret=H5BOBZZ2F7PUJ5RI&issuer=Revo+2.3.1+Local
        Studying MODX in the desert - http://sottwell.com
        Tips and Tricks from the MODX Forums and Slack Channels - http://modxcookbook.com
        Join the Slack Community - http://modx.org
        You will get the courtesy login with the old style (username & password only) allowed ONLY once after every secret reset (if courtesy login is enabled)

        I assume you haven't used Google 2-step verification before. In short, it provides a one-time extra PIN code to be used, and it changes every 30 seconds. You should have this enabled already on your Gmail account.

        The QR-code is only used once, to share a secret between your mobile device and GoogleAuthenticatorX; later on, the algorithm (TOTP) will calculate the one-time PIN code to match them (the 6-digit number changing on your phone every 30 seconds).

        1. You should never share the secret code or keep it saved anywhere.
        2. On the tab, the secret is provided as an alternative: you can enter it manually in the "Google Authenticator" mobile app instead of using the QR-code.
        3. The URI is a TOTP standard; it is not browsable and not hosted anywhere, it is there on screen just in case someone wants to regenerate the QR-code his own way.

        Most important, the secret should never be sent via email; this is why I came up with the courtesy login idea, because having the secret saved somewhere is worse than saving your password in a plain text file.

        NB. The TOTP algorithm is time based, so you have to be sure the server and mobile time and date are correct.
          Well, think of my application this way.

          Someone performs a man-in-the-middle attack and steals your credentials. With my application you do not need SSL to secure your MODX manager login, because the attacker will have at most 30 seconds to log in; after that, your credentials without the authentication code are useless to log in. Even if they succeed in logging in within what remains of the 30 seconds, they cannot log in again later, because currently my application doesn't allow the user to reset his secret.
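The TOTP mechanics described in the earlier post (secret shared once via QR-code or URI, a 6-digit code every 30 seconds, server and phone clocks must agree) and the 30-second validity mentioned here, as an added example that is not GoogleAuthenticatorX's code: it parses the otpauth URI quoted in this thread, computes RFC 6238 codes (checked against the RFC's published test key, not the thread's secret), and verifies a code with a one-step clock-skew window plus a replay check. The function names and the `last_counter` parameter are my own.

```python
# Added example (not GoogleAuthenticatorX code): parse an otpauth:// URI and
# compute/verify RFC 6238 TOTP codes with a clock-skew window and replay check.
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote

# The URI quoted in the thread (a localhost test install, not a live secret).
PAGE_URI = ("otpauth://totp/admin::http://localhost/revo231//revo231/working/"
            "?secret=H5BOBZZ2F7PUJ5RI&issuer=Revo+2.3.1+Local")
# RFC 4226/6238 test key "12345678901234567890" in base32, for known answers.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def parse_otpauth(uri):
    """Return (otp_type, label, params) from an otpauth:// URI. Nothing is
    fetched: the URI is only a container for the secret and its metadata."""
    if not uri.startswith("otpauth://"):
        raise ValueError("not an otpauth URI")
    path, _, query = uri[len("otpauth://"):].partition("?")
    otp_type, _, label = path.partition("/")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    return otp_type, unquote(label), params

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret_b32, int(at // step), digits)

def verify(secret_b32, code, at=None, step=30, window=1, last_counter=-1):
    """Return the matching time step, or None. `window` steps either side are
    accepted (phone/server clock skew); steps <= last_counter are refused so
    an already-used code cannot be replayed. Comparison is constant-time."""
    at = time.time() if at is None else at
    now = int(at // step)
    for counter in range(max(0, now - window), now + window + 1):
        if counter > last_counter and hmac.compare_digest(
                hotp(secret_b32, counter), code):
            return counter
    return None
```

With window=1 a code is accepted for up to three consecutive steps, so how long a code stays usable depends on the verifier's skew tolerance, and remembering the last accepted step is what stops the same code being accepted twice.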
          • Yes, I think I understand how it works now. It's quite interesting, and an impressive implementation.

            The only thing that disturbs me is that URL...

            otpauth://totp/admin::http://localhost/revo231//revo231/working/?secret=H5BOBZZ2F7PUJ5RI&issuer=Revo+2.3.1+Local (and three odd characters followed, that the Forums didn't like at all)

            Notice the duplication of the subdirectory /revo231/

            Could this be because I'm using it in a subdirectory installation? A lot of extras that generate URLs have a problem with that particular corner-case at first.

            I would think that anybody security-conscious enough to use this would have his and his Manager users' email encrypted with GPG or something, in which case sending the squiggly square thing by email wouldn't be a problem.
            • The desktop app is broken on OS X 10.

              Firefox add-on here https://marketplace.firefox.com/app/gauth-authenticator/

              Well, apparently it's not actually a browser add-on, it's a desktop app to generate the keys every 30 seconds.
                It's quite interesting, and an impressive implementation.
                That's a valuable testimonial for me, thanks.

                The only thing that disturbs me is that URL...

                otpauth://totp/admin::http://localhost/revo231//revo231/working/?secret=H5BOBZZ2F7PUJ5RI&issuer=Revo+2.3.1+Local (and three odd characters followed, that the Forums didn't like at all)

                Notice the duplication of the subdirectory /revo231/

                Could this be because I'm using it in a subdirectory installation? A lot of extras that generate URLs have a problem with that particular corner-case at first.
                That's a cosmetic issue in my code; please ignore it, it has absolutely no effect on the functionality. You can create an issue on GitHub for that, and I will fix it then.

                I would think that anybody security-conscious enough to use this would have his and his Manager users' email encrypted with GPG or something, in which case sending the squiggly square thing by email wouldn't be a problem.
                As I told you in the PM, I'm a security expert, so from a security-standards perspective, sending the secret by email is the worst and most wrong thing to do. I implemented the courtesy login, which should be the way to go, and I am planning to remove the emailing-the-secret (QR-code) functionality in a future release.

                I wanted to change many things, but from the nature of my job, I would never be satisfied with the code, which would end up never being released, so I made this release candidate and will improve things in the future. As said, it all depends on the interaction from users about this extra; if the community is interested I will improve things rapidly and frequently.

                The desktop app is broken on OS X 10.

                Firefox add-on here https://marketplace.firefox.com/app/gauth-authenticator/

                Well, apparently it's not actually a browser add-on, it's a desktop app to generate the keys every 30 seconds.
                I never used the desktop apps or browser extensions; they are totally not secure at all. I mentioned them for the sake of presentation only; a mobile device should be used for the sake of security, because mobile device applications can store data in secure storage which only that app can access (with exceptions), so most malware won't easily steal the secret.

                Please submit all your ideas, defects, concerns, and feature requests on GitHub; from there I will be able to track and improve.
                • The more I work with this the more impressed I am. The login form is modified to add a field. Each user has extended fields added, and a new tab. A very professional job, and a good idea.

                  I just don't like cellphones. Mine is usually sitting around somewhere gathering dust as dead as a doornail. I'm a dinosaur from the days when a 20-party line meant you did not spend hours on the phone as a teenager, and this constant-on business makes me nervous.
                    The more I work with this the more impressed I am. The login form is modified to add a field. Each user has extended fields added, and a new tab. A very professional job, and a good idea.
                    Wow, I didn't expect this kind of review from an expert like you, thanks.

                    Well, phones nowadays are in everyone's hands all the time, and they are used for every kind of purpose. Google Authenticator is supported natively on iPhone, Android, and BlackBerry; if the end user doesn't have a smartphone, then the admin should consider providing them with a hardware token (I personally worked only with VeriSign tokens, not Google Authenticator compatible ones).

                    My father-in-law went to buy a phone recently; of course he wanted a non-smart one, but he found all phones are smart, or the other option was a pensioner's phone with a 1-line LCD screen and huge numeric buttons.

                    I don't like the extended fields; in the next release there will be a custom table for security reasons (issue already on GitHub).

                    I've updated the GitHub wiki and added screenshots there. I need feedback for improvements, and I need a clear and well-written end-user guide to explain how to install the mobile application and configure it.

                    I'm not saying this is a full replacement for SSL, but it makes the MODX manager quite secure as long as the secret is kept only in the DB and never stored anywhere else (besides the secure storage of the mobile device).
                    • The only problem I had was understanding just what was going on. I've read of the principle involved: two stages, something you know (a password) and something you have (a cellphone).

                      We used something very similar to this back in the Dark Ages when I was in the US Navy. Every night just at midnight somebody in the cryptography room removed the day's punched card and replaced it with a new one. That card contained the code for generating the day's encryption keys. The whole business took up a whole small room - I've slept in smaller bedrooms. And now we do it with web apps and cell phones. I wonder what we'll be doing 40 years from now.