
Two-Factor authentication (TOTP) #3712

Open: wants to merge 1 commit into base: master

Conversation

nabokihms
Member

Overview

This pull request implements two-factor authentication (2FA) in Dex. The 2FA data is securely stored within the OfflineSessions object, enhancing security for connectors that lack built-in 2FA support, such as LDAP and local connectors. Upon first login, users will save their 2FA settings using a QR code, after which they will use the saved 2FA for subsequent logins. Below is an example configuration for enabling 2FA:

```yaml
# Configuration for the two-factor authentication
twoFactorAuthn:
  issuer: "dex"
  connectors:
    - mock
```

What this PR does / why we need it

Enhancing Dex with 2FA adds an additional layer of security, making unauthorized access significantly more difficult. This is particularly valuable for connectors like LDAP and local connectors that do not inherently support 2FA. By implementing 2FA, we align Dex with industry best practices for identity management, meet higher security compliance requirements, and ensure better protection for user data, thereby building greater trust with our users.

Special notes for your reviewer


The 2FA data is securely stored within the `OfflineSessions` object and extends support to all configured connectors.

Signed-off-by: m.nabokikh <[email protected]>
nabokihms added the release-note/new-feature label (Release note: Exciting New Features) on Aug 26, 2024
@nabokihms
Member Author

closes #352

@nabokihms
Member Author

closes #1547

@nabokihms
Member Author

closes #1270

@sambonbonne

sambonbonne commented Dec 3, 2024

I'm neither a maintainer nor a reviewer, so I'm not sure this is the best place to ask this, but would it be possible to display the "textual" code below the QR code?

This is useful when you can't scan the QR code, for example when your TOTP application is directly on your computer.

(Edit: typo)

@lanord

lanord commented Dec 11, 2024

Do we know if we are going to see this merged in the near future? This would be a great feature to see deployed, as more and more security requirements ask for 2FA on auth providers.

@nabokihms
Member Author

@sambonbonne good addition, thanks!
@lanord I am willing to merge it this year after figuring out some API nuances.
