Two Factor Authentication in core + new setting "Require two-factor authentication for everyone."

[mattab]

The goal of this issue is to discuss and plan the work needed to add Two Factor Authentication in Matomo.
now documented in Security guide

Requirements

• Support SMS delivery for 2FA codes (reusing our Mobile Messaging feature of connecting a phone for SMS messages)

• Support time-based one-time password (TOTP) app(s) such as Google Authenticator (see for example this user guide for Github as good example). application automatically generates an authentication code that changes after a certain period of time. Other auth apps must be supported eg. 1Password, Authy, LastPass Authenticator

• Recovery codes feature for when users lose access to the device and can't receive codes

• User should be able to see a Security page, or section within Personal settings, to 1) Setup authenticator app, 2) Configure SMS delivery phone number, 3) View Recovery codes

• Super Users should see, in the Edit User screen, and in the Listing of users, when a user has 2FA enabled, eg. via an indicator 2FA ☓ or 2FA ✓

• A Super User will have the ability to Require two-factor authentication for everyone. with an inline text eg. All users, including Super Users, who do not have two-factor authentication enabled for their account will receive an email notifying them about the change and will be required to activate 2FA when they next login. . When enabled, users will be required to setup 2FA on login and won't be able to access any screens or API until then.

• How will 2FA support impact the API and the token_auth, will API users need to do anything different?

Currently we have this plugin available for Matomo with support for Google Authenticator: https://plugins.matomo.org/GoogleAuthenticator which can be likely used as a base for the work.

[tsteur]

For API... we could eg generate a token which also requests the two factor code. This relates to #6559 ?

In a V1 we may do nothing since it would mean quite a big refactoring. Could also still accept the token_auth if session is authenticated, to not end up in a huge UI refactoring.

See eg here how it works for Github: https://developer.github.com/v3/auth/#working-with-two-factor-authentication

• The mobile app will need to be adjusted as well.
• The logme feature certainly needs to be adjusted
• UsersManager.getTokenAuth definitely needs 2FA

[tsteur]

fyi in mvp I won't be adding the SMS support feature.

[tsteur]

We'll also need to adjust the mobile app to support entering a token

[tsteur]

fyi: it wasn't mentioned in the requirements but mention it anyway, for now I won't implement "remember this device" as it's partially tricky. if needed, this can be added later. It's more secure though in the end to always require entering auth code.

[tsteur]

Just FYI: Implemented the support for 2FA in the mobile app and the next release of the mobile app will already support it.

[tsteur]

FYI: As mentioned earlier when a user authenticates through an auth token, we currently won't require to verify with the authentication code. This also applies when embedding for example widgets.

I have some logic that replaces a user's auth token with some random auth token in the DOM to ensure to not leak the token when a user enters correct login details but hasn't verified the auth token.

It wouldn't be too trivial to apply this to API requests as our UI is based on the API and sends the token in API requests which means we would need to change a lot of the UI how this works currently. So it won't even easily be possible to offer a setting to require the auth code for the API.