Koha and 2 factor authentication
There seems to be some interest in adding 2 factor authentication to Koha. We are trying to find out what would be the most practical and easiest way to implement 2fa for Koha combined with what would be most useful for libraries that would actually *use* 2fa.

The bug report filed for it is https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20476

Basically, at this point we've come up with two ideas:
1) Use Auth::GoogleAuthenticator
2) Use PrivacyIdea ( https://www.privacyidea.org/ )

Implementing GoogleAuthenticator would be much simpler I think. However, my thought is the same users that are concerned about 2fa are the same users that are concerned about privacy, and may not be interested in it simply because it means giving at least some data to Google.

PrivacyIdea on the other hand would be more work for both the developer and the system admin since it is a completely separate package that would require installation and maintenance independent of Koha itself. However, it is also much more powerful and can offer a myriad of 2FA options that GoogleAuthenticator cannot. On the developer side, OTRS which is also written in Perl has implemented it and may or may not have something useful we can crib from it ( https://github.com/privacyidea/privacyidea/tree/master/authmodules/OTRS ).

So, what does everyone think? If you want 2FA, would GoogleAuthenticator be a reasonable solution?

Kyle

http://www.kylehall.info
ByWater Solutions ( http://bywatersolutions.com )
Meadville Public Library ( http://www.meadvillelibrary.org )
Crawford County Federated Library System ( http://www.ccfls.org )

Greetings,

2 Factor Authentication is a great idea. Google Authenticator would be nice. That does work for a majority of the organization(s) I work with. However, since they are spread all over the world, some places have Google blocked or limited. As such, perhaps the latter is better.

GPML,
Mark Tompsett

-----Original Message-----
From: Kyle Hall
Sent: Thursday, April 19, 2018 1:52 PM
To: Koha
Subject: [Koha] Koha and 2 factor authentication

_______________________________________________
Koha mailing list http://koha-community.org
Koha@lists.katipo.co.nz
https://lists.katipo.co.nz/mailman/listinfo/koha

Hey Kyle

You already guessed my response, google authenticator would be ok, as a choice. But not the ideal option. We ideally will support something that can handle things like yubikey as well.

So ok for Google as an option but not the only option, ie a system that supports other systems as well as authenticator

Chris

On 20 April 2018 5:52:42 AM NZST, Kyle Hall <kyle.m.hall@gmail.com> wrote:

-- Sent from my Android device with K-9 Mail. Please excuse my brevity.

The PRISM site mentions two alternatives to Google Authenticator - andOTP (Android only) and freeOTP (Android and iOS): https://prism-break.org/en/all/#authentication

Not sure how these would work on the server side with Koha, but just throwing it out there...

David Nind

David Nind | david.nind@gmail.com
PO Box 12367, Thorndon, Wellington, New Zealand 6144
m. +64 21 0537 847

On 20 April 2018 at 05:52, Kyle Hall <kyle.m.hall@gmail.com> wrote:

More privacy = More freedom
More independent tools = More freedom
Less contract agreements = More transparency for user

On 19/04/18 at 19:52, Kyle Hall wrote:

Hi,

What do you think about hardware 2fa tools like Yubikey? Btw great replacement for Google Authenticator is Authy: screen protected by PIN, secure backup.

Bye
Mike

On Fri 20. 4. 2018 at 15:45, Narcis Garcia <informatica@actiu.net> wrote:

Any independent tool (without 3rd parties) is better.

On 23/04/18 at 14:57, Mike D. wrote:

Even though I think it's a good idea, I'm struggling to think of a practical way 2FA could be used in a real life scenario on the staff side to be honest, though perhaps in small/specialist libraries it might work.

For OPAC side I think any of the tools mentioned would work fine. I'm not familiar with implementing it from the server side but as a 2FA fan it's rare to see the actual app specified: usually it's just 'scan this QR code'.

For staff side I do think that a hardware solution would be more practical. U2F doesn't *have* to use YubiKey, there are plenty of FIDO certified authentication products: https://fidoalliance.org/certification/fido-certified-products/

Not sure if that's at all helpful...

Hugh Rundle
Library Systems & Resource Coordinator
Community Learning & Participation
Brimbank City Council
Brimbank Community and Civic Centre - 301 Hampshire Road, Sunshine
T +61 3 9249 4170 M +61 437 734 108 F +61 3 9249 4351
www.brimbank.vic.gov.au

-----Original Message-----
From: Koha [mailto:koha-bounces@lists.katipo.co.nz] On Behalf Of Narcis Garcia
Sent: Wednesday, 2 May 2018 5:33 PM
To: koha@lists.katipo.co.nz
Subject: Re: [Koha] Koha and 2 factor authentication

Hello,

I use smartphone app or SMS for code authentication. And Yubikey. It's very cool, but it isn't for free.

More problematic: PCs are shared at staff desks. If somebody logs in "in backstage" they can choose "don't ask on this computer next XX days".

BR
Mike

On Wed 16. 5. 2018 at 9:24, Hugh Rundle <HughR@brimbank.vic.gov.au> wrote:

participants (7)
- Chris Cormack
- David Nind
- Hugh Rundle
- Kyle Hall
- Mark Tompsett
- Mike D.
- Narcis Garcia