Two factor authentication [module proposal]

Protecting your Omeka S installation and data is important. Currently there is basic security using login name and password (which should always be served over https). To avoid brute-force attacks the rate of login attempts for each IP can be limited via the Lockout module. I’d really like to be able to protect accounts of at least Global Administrators with Two factor authentication (2FA).

I hope Omeka S module developers in the core team or community could build such a 2FA module. To aid, a description of userflows to develop is given below.

Enable/disable 2FA userflow

When a user edits their profile there’s a ‘Two factor authentication’ tab.

When 2FA is not enabled on the account, the message “Two factor authentication is not enabled.” is shown with an “Enable Two factor authentication” button. This button leads to a screen with an explanation (and QR code) like:

Enable two factor authentication (2FA) as follows:

  • Launch Google Authenticator on your smartphone/tablet. [ * Don’t have Google Authenticator app installed on your smartphone/tablet? Install the free Google Authenticator app first. This can be found in Google’s Play Store (if you have an Android phone) and in Apple’s App Store (if you have an iPhone or iPad). ]

  • In Google Authenticator, click on ‘Add account’, choose ‘Scan a QR code’ and point the camera of your smartphone/tablet at the personal QR code shown here.

[QR code image]

  • If you see the Omeka S account {display name} ({email}) in Google Authenticator, confirm its use by clicking the button below.

button [Confirm 2FA]

After the user clicks the confirm button the 2FA 6 digits should be asked for. If entered correctly, the OTP secret is stored in the database for the user. The ‘Two factor authentication’ tab in the user edit screen now shows the message “Two factor authentication is enabled.” with a “Disable two factor authentication” button.

Login userflow

After the user has entered their e-mail and password and hit the login button, the credentials are checked and if correct a lookup is done to see if the user has enabled 2FA. If it’s enabled an input form (or 6, one for each digit) should be shown to the user (and as nice-to-have: a checkbox to skip this step for the next 2 weeks). After the user submits the 6 digits this is checked (*). Only if the check is successful is the user logged in; if not, the user is not logged in.

(*) I suggest using the TOTP / HOTP library in PHP.
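
The check marked (*) in the login userflow, sketched as an added example that is not part of the original post and is not Omeka S code. It assumes the Google Authenticator defaults (HMAC-SHA-1, 6 digits, 30-second steps) and a window of one step either side; the function names and the `$lastUsedStep` value (the last accepted step, stored per user) are hypothetical.

```php
<?php
/** Decode the base32 secret carried by the enrollment QR code. */
function base32Decode(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    if ($b32 === '' || strspn($b32, $alphabet) !== strlen($b32)) {
        throw new InvalidArgumentException('Invalid base32 secret');
    }
    $bits = '';
    foreach (str_split($b32) as $ch) {
        $bits .= str_pad(decbin(strpos($alphabet, $ch)), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        $out .= strlen($byte) === 8 ? chr((int) bindec($byte)) : ''; // drop padding bits
    }
    return $out;
}

/** RFC 4226 HOTP value for one counter, as a zero-padded 6-digit string. */
function hotp(string $key, int $counter): string
{
    $hash = hash_hmac('sha1', pack('J', $counter), $key, true); // 8-byte big-endian counter
    $offset = ord($hash[19]) & 0x0F;                            // dynamic truncation
    $bin = unpack('N', substr($hash, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($bin % 1000000), 6, '0', STR_PAD_LEFT);
}

/** Returns the matched time step (to store per user), or null to refuse the login. */
function verifyTotp(string $b32Secret, string $code, ?int $lastUsedStep, ?int $now = null): ?int
{
    if (strlen($code) !== 6 || !ctype_digit($code)) {
        return null;
    }
    $key = base32Decode($b32Secret);
    $current = intdiv($now ?? time(), 30);
    foreach ([$current - 1, $current, $current + 1] as $step) { // allow one step of clock drift
        // Constant-time compare; a step at or before the last accepted one is a replay.
        if (hash_equals(hotp($key, $step), $code) && $step > ($lastUsedStep ?? PHP_INT_MIN)) {
            return $step;
        }
    }
    return null;
}

// Constructed demo: RFC 6238 test secret ("12345678901234567890"), clock fixed at t = 59 s.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ';
$step = verifyTotp($secret, '287082', null, 59);
var_dump($step, verifyTotp($secret, '287082', $step, 59)); // first use, then the same code again
```

Failed attempts at this second step need the same rate limiting as the password step, since a 6-digit code has only a million possible values.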


I second this feature request. Would love to be able to protect my sites with two factor authentication.