The goal of this issue is to discuss and plan the work needed to add Two Factor Authentication in Matomo.
Now documented in the Security guide.
Support time-based one-time password (TOTP) apps such as Google Authenticator (see for example this user guide for GitHub as a good example). The application automatically generates an authentication code that changes after a certain period of time. Other auth apps must be supported, e.g. 1Password, Authy, LastPass Authenticator.
Require two-factor authentication for everyone, with an inline text, e.g.:
All users, including Super Users, who do not have two-factor authentication enabled for their account will receive an email notifying them about the change and will be required to activate 2FA when they next login. When enabled, users will be required to set up 2FA on login and won't be able to access any screens or API until then.
token_auth: will API users need to do anything different?
Currently we have this plugin available for Matomo with support for Google Authenticator: https://plugins.matomo.org/GoogleAuthenticator which can likely be used as a base for the work.
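To make the TOTP requirement above concrete, here is an added example (not Matomo's code and not the GoogleAuthenticator plugin's code) of what such an app and the server side compute: HOTP per RFC 4226, TOTP per RFC 6238 on top of it, the otpauth:// provisioning URI that Google Authenticator, 1Password and Authy scan, and a verifier that tolerates one step of clock drift and refuses to accept the same code twice. The secret used is the RFC test-vector secret so the output can be checked against the published vectors; the `TotpVerifier` class, its window size and the in-memory replay store are assumptions for illustration.

```python
# Added example (not Matomo's or the GoogleAuthenticator plugin's code): RFC 4226 HOTP,
# RFC 6238 TOTP, a provisioning URI, and a verifier with clock-drift tolerance and
# replay protection (a code is accepted at most once per user).
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), used here only so
# the results can be compared with the published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) over an 8-byte big-endian counter."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over floor(unix_time / step)."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str = "Matomo") -> str:
    """otpauth:// URI as read by Google Authenticator, 1Password, Authy and similar apps.
    The secret is Base32-encoded without padding, the format those apps expect."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Checks a submitted code against the current time step, tolerating +/- `window`
    steps of clock drift, and remembers the highest counter accepted per user so that a
    code which has already been used cannot be replayed (assumed in-memory store)."""

    def __init__(self, step: int = 30, window: int = 1):
        self.step = step
        self.window = window
        self._last_counter: Dict[str, int] = {}

    def verify(self, user: str, secret: bytes, submitted: str, now: Optional[int] = None) -> bool:
        if now is None:
            now = int(time.time())
        if not (submitted.isdigit() and len(submitted) == 6):
            return False
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            # Constant-time comparison so the check does not leak which digits matched.
            if hmac.compare_digest(hotp(secret, counter), submitted):
                if counter <= self._last_counter.get(user, -1):
                    return False                  # already used: reject the replay
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    print(provisioning_uri(RFC_TEST_SECRET, "alice"))
    print("TOTP at t=59:", totp(RFC_TEST_SECRET, 59))   # RFC 6238 vector 94287082, 6 digits
```

The replay store matters in practice: a TOTP code is valid for the whole 30-second step (plus the drift window), so without recording the last accepted counter a code observed once can be submitted again within that interval and will pass.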
For the API... we could, e.g., generate a token which also requests the two-factor code. This relates to https://github.com/matomo-org/matomo/issues/6559 ?
In a V1 we may do nothing since it would mean quite a big refactoring. Could also still accept the token_auth if the session is authenticated, to not end up in a huge UI refactoring.
See e.g. here how it works for GitHub: https://developer.github.com/v3/auth/#working-with-two-factor-authentication
The logme feature certainly needs to be adjusted.
UsersManager.getTokenAuth definitely needs 2FA.
FYI: in the MVP I won't be adding the SMS support feature.
We'll also need to adjust the mobile app to support entering a token.
FYI: it wasn't mentioned in the requirements but I'll mention it anyway: for now I won't implement "remember this device" as it's partially tricky. If needed, this can be added later. It's more secure in the end, though, to always require entering the auth code.
Just FYI: Implemented the support for 2FA in the mobile app and the next release of the mobile app will already support it.
FYI: As mentioned earlier, when a user authenticates through an auth token, we currently won't require verification with the authentication code. This also applies when embedding, for example, widgets.
I have some logic that replaces a user's auth token with a random auth token in the DOM to ensure we do not leak the token when a user enters correct login details but hasn't yet verified with the auth code.
It wouldn't be too trivial to apply this to API requests, as our UI is based on the API and sends the token in API requests, which means we would need to change a lot of how the UI currently works. So it won't even easily be possible to offer a setting to require the auth code for the API.
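As an added example (not Matomo's code), the following models the login states the thread describes: a password-verified session that has not yet passed the authentication code gets no screen other than the 2FA verification (or, when 2FA is enforced for everyone and the user has none set up, the 2FA setup), the auth token rendered into the DOM is replaced by a random placeholder until verification succeeds, and requests carrying a valid token_auth are accepted without the code, as the thread says is the current behaviour. The class and method names, the screen names and the placeholder format are assumptions for illustration.

```python
# Added example (not Matomo's code): a model of the 2FA login gate described in the thread.
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    login: str
    token_auth: str                      # the user's real API token
    totp_secret: Optional[bytes] = None  # None means 2FA has not been set up


@dataclass
class Session:
    user: User
    password_verified: bool = False
    two_factor_verified: bool = False


class TwoFactorGate:
    """Decides what a session may reach, given whether 2FA is enforced for everyone."""

    # Assumed screen names: the only screens reachable in each pending state.
    SCREEN_FOR_STATE = {"anonymous": "login", "enroll_2fa": "2fa_setup", "verify_2fa": "2fa_verify"}

    def __init__(self, enforce_for_everyone: bool):
        self.enforce = enforce_for_everyone

    def state(self, session: Session) -> str:
        if not session.password_verified:
            return "anonymous"
        user = session.user
        if self.enforce and user.totp_secret is None:
            return "enroll_2fa"                  # must set up 2FA before anything else
        if user.totp_secret is not None and not session.two_factor_verified:
            return "verify_2fa"                  # must enter the auth code first
        return "authenticated"

    def allow_screen(self, session: Session, screen: str) -> bool:
        state = self.state(session)
        if state == "authenticated":
            return True
        return screen == self.SCREEN_FOR_STATE[state]

    def token_for_dom(self, session: Session) -> str:
        """Real token only once fully authenticated; otherwise a random placeholder of the
        same length so the pending page cannot leak the real one."""
        if self.state(session) == "authenticated":
            return session.user.token_auth
        return secrets.token_hex(len(session.user.token_auth) // 2)

    def allow_api(self, session: Session, token_auth: Optional[str]) -> bool:
        """Current behaviour per the thread: a request with a valid token_auth is
        accepted without the code; otherwise the session must be fully authenticated."""
        if token_auth is not None:
            return secrets.compare_digest(token_auth, session.user.token_auth)
        return self.state(session) == "authenticated"


# Constructed sample data for a stand-alone run.
ALICE = User("alice", token_auth="0123456789abcdef0123456789abcdef", totp_secret=b"constructed")
BOB = User("bob", token_auth="fedcba9876543210fedcba9876543210")  # no 2FA set up

if __name__ == "__main__":
    gate = TwoFactorGate(enforce_for_everyone=True)
    s = Session(ALICE, password_verified=True)
    print(gate.state(s), gate.allow_screen(s, "dashboard"), gate.token_for_dom(s))
```

The placeholder is regenerated on every render, so nothing in the half-authenticated page is stable enough to reuse; the real token only appears once `state()` reports `authenticated`.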