View Issue Details

This bug affects 1 person(s).
ID: 18352
Project: Bug reports
Category: Plugins
View Status: public
Last Update: 2025-03-31 17:13
Reporter: MSouad
Assigned To: gabrieljenik
Priority: high
Severity: block
Status: assigned
Resolution: open
Summary: 18352: setting up 2FA with YubiKey
Description

Difficulties setting up 2FA with YubiKey.
It works just fine with the general account to log in to https://www.limesurvey.org/ but doesn't work with the admin login (https://firm-ifdh.limesurvey.net/admin).

How, then, to make sure the 2FA works with YubiKey?

Steps To Reproduce

Steps to reproduce

  • Install the plugin (cloud service).
  • Try to configure the 2FA.

Expected result

(Write here what you expected to happen)

Actual result

The plugin keeps on displaying the QR code, even after selecting YubiKey as authentication tool

Tags: No tags attached.
Bug heat: 6
Complete LimeSurvey version number (& build): Version 5.3.31
I will donate to the project if issue is resolved: No
Browser:
Database type & version: 447
Server OS (if known):
Webserver software & version (if known):
PHP Version: N/A

Users monitoring this issue

There are no users monitoring this issue.

Activities

c_schmitz (administrator), 2022-10-05 19:57, note ~72130

The current 2FA options are repetitive or not supported.
Remove all 2FA options except for two:

  • TOTP (Google Authenticator, Authy, etc.)
  • Yubikey OTP

Yubikey is currently not implemented but most easy to fix, because it is a simple REST call.

chrie (reporter), 2023-06-22 10:39, note ~75783

The issue still exists in Version 5.6.25. It was tested in the cloud version.
It may not fit right here, but account.limesurvey.org should also get the option to use MFA.

gabrieljenik (manager), 2023-07-07 23:03, note ~75987

We believe the Yubikey story could be on its own ticket.

The Yubikey seems to fit on a different plugin.
1) The user flow for setting up the YubiKey is a bit different.
Instead of having LS generate a QR code for inputting into the app, I guess we would need to enter something from the key into LS, right?
2) The token generated from the key, I believe, has a different validation method.

Also, regarding

Yubikey is currently not implemented but most easy to fix, because it is a simple REST call.

Do you have some docs around it?
We found this, but not sure it is the same as you thought.

As the Yubikey is not implemented, we thought of removing that option.
We also thought about completing the story just by "removing all 2FA options except for TOTP", but that would leave only 1 option. Is that OK?

c_schmitz (administrator), 2025-02-18 18:16, note ~82080 (last edited: 2025-02-18 18:17)

@gabrieljenik See https://developers.yubico.com/OTP/Specifications/OTP_validation_protocol.html

gabrieljenik (manager), 2025-03-17 15:07, note ~82259

To validate the flow...

When the user sets up 2FA, they must choose between "TOTP" and "YubiKey." If they choose "TOTP," it works the same way as it does today (showing a QR code, the user scans it with their authentication app, and enters the code into Lime). If they choose "YubiKey," instead of displaying a QR code, we only show an input field where the user "writes" the code generated by their YubiKey (by tapping it).

For this initial setup, we first need to validate the code against YubiCloud and then store the Public ID (the first 6 characters of the code).

The Public ID would be stored in the "secretKey" field of the "twoFactorUsers" table (the same field used for TOTP) and would be used during each login to verify that the entered code matches that user.

To validate the code, we need to make a request like this:

https://api.yubico.com/wsapi/2.0/verify?id=${clientId}&otp=${otp}&nonce=${generateNonce()}

For example:

https://api.yubico.com/wsapi/2.0/verify?otp=vvvvvvcucrlcietctckflvnncdgckubflugerlnr&id=87&timeout=8&sl=50&nonce=askjdnkajsndjkasndkjsnad

This same validation needs to be performed at each login with the code entered at that moment.

Now... to perform this validation, we need the Client ID. And from what I understand, this Client ID is something that must be configured at the plugin level, and in order to obtain it, the admin also needs a YubiKey. Is that correct?

c_schmitz (administrator), 2025-03-19 18:03, note ~82294 (last edited: 2025-03-19 18:21)

Yes, when you sign up for the API at https://upgrade.yubico.com/getapikey/ you get a Client ID and a Secret Key.
The Client ID is used in the URL and the Secret Key is used to HMAC-sign the request (the h param), as far as I understood.
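The validation flow sketched in the last two comments (the signed verify request, the checks on the reply, and the public ID that gets stored), as an added example that is not LimeSurvey's or Yubico's code. It runs offline against a stand-in for api.yubico.com: CLIENT_ID, the secret key and the OTPs are constructed samples, and fake_yubicloud, enroll and verify_login are names chosen here. In Yubico's OTP format the encrypted part is always the final 32 modhex characters, so the public ID of a standard 44-character YubiCloud OTP is its first 12 characters; the example derives it that way rather than using a fixed count.

```python
"""YubiCloud OTP validation, written as an added example for this ticket (not
LimeSurvey's or Yubico's code).  Shows the request the comments describe, the
HMAC-SHA1 signature carried in the 'h' parameter, and the checks a verifier
must make on the reply before trusting it.  Credentials are CONSTRUCTED."""
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

VERIFY_URL = "https://api.yubico.com/wsapi/2.0/verify"
MODHEX = set("cbdefghijklnrtuv")          # YubiKey OTPs use only these 16 letters
CLIENT_ID = "87"                           # CONSTRUCTED: the id from the ticket's sample URL
SECRET_KEY_B64 = base64.b64encode(b"\x01" * 20).decode()  # CONSTRUCTED API secret key


def generate_nonce() -> str:
    """40 hex characters; the protocol allows 16-40 alphanumeric characters."""
    return secrets.token_hex(20)


def public_id(otp: str) -> str:
    """The encrypted part is always the last 32 modhex chars; whatever precedes
    it is the key's public ID (12 chars for a standard 44-char YubiCloud OTP)."""
    otp = otp.strip().lower()
    if not 32 < len(otp) <= 48 or not set(otp) <= MODHEX:
        raise ValueError("not a well-formed YubiKey OTP")
    return otp[:-32]


def sign(fields: dict, secret_key_b64: str) -> str:
    """HMAC-SHA1 over 'k=v' pairs sorted by key and joined with '&', the 'h'
    field itself excluded, base64-encoded.  Same rule for request and reply."""
    key = base64.b64decode(secret_key_b64)
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_request(otp: str, nonce: str, client_id=CLIENT_ID, secret_key_b64=SECRET_KEY_B64):
    """Parameters of the verify call plus the signed URL to fetch over HTTPS."""
    params = {"id": client_id, "otp": otp, "nonce": nonce, "timeout": "8", "sl": "50"}
    params["h"] = sign(params, secret_key_b64)
    return params, f"{VERIFY_URL}?{urlencode(params)}"


def parse_reply(body: str) -> dict:
    """Replies are 'key=value' lines; base64 values contain '=', so split once."""
    pairs = (line.strip().split("=", 1) for line in body.splitlines() if "=" in line)
    return {k: v for k, v in pairs}


def check_reply(reply: dict, sent_otp: str, sent_nonce: str, secret_key_b64=SECRET_KEY_B64):
    """Returns (ok, reason).  Order matters: a mis-signed reply is rejected
    before any of its fields are believed."""
    expected = sign(reply, secret_key_b64).encode()
    if not hmac.compare_digest(reply.get("h", "").encode(), expected):
        return False, "bad reply signature"
    if reply.get("otp") != sent_otp or reply.get("nonce") != sent_nonce:
        return False, "reply does not match this request"   # foreign or reused reply
    if reply.get("status") != "OK":
        return False, reply.get("status", "missing status")  # e.g. REPLAYED_OTP, BAD_OTP
    return True, "OK"


def fake_yubicloud(params: dict, status="OK", secret_key_b64=SECRET_KEY_B64) -> str:
    """Offline stand-in for api.yubico.com so the example runs without network:
    checks the request signature and signs its reply like the real service."""
    if not hmac.compare_digest(params.get("h", "").encode(), sign(params, secret_key_b64).encode()):
        status = "BAD_SIGNATURE"
    reply = {"t": "2025-03-17T15:07:00Z0000", "otp": params["otp"],
             "nonce": params["nonce"], "sl": "100", "status": status}
    reply["h"] = sign(reply, secret_key_b64)
    return "".join(f"{k}={v}\r\n" for k, v in reply.items())


def enroll(otp: str, transport=fake_yubicloud):
    """Setup step: validate the tapped OTP online, then return the public ID to
    store (the ticket proposes the twoFactorUsers.secretKey column)."""
    nonce = generate_nonce()
    params, _url = build_request(otp, nonce)
    ok, reason = check_reply(parse_reply(transport(params)), otp, nonce)
    return (public_id(otp) if ok else None), reason


def verify_login(otp: str, stored_public_id: str, transport=fake_yubicloud):
    """Login step: cheap local public-ID match first, then the online check so
    a replayed OTP is caught by YubiCloud's usage counters."""
    try:
        pid = public_id(otp)
    except ValueError as exc:
        return False, str(exc)
    if not hmac.compare_digest(pid.encode(), stored_public_id.lower().encode()):
        return False, "otp belongs to a different key"
    nonce = generate_nonce()
    params, _url = build_request(otp, nonce)
    return check_reply(parse_reply(transport(params)), otp, nonce)
```

The three reply checks each close a different hole: the signature check means a forged or altered reply is discarded even if the transport were tampered with (HTTPS to api.yubico.com is still required), the otp/nonce echo means an older genuine reply cannot be reused for a new login, and the status check is where YubiCloud's counters reject an OTP that has already been seen. Only the public ID is stored per user; it is not a secret, so the database holds nothing an attacker could turn into a valid OTP.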

Issue History

Date Modified Username Field Change
2022-09-14 19:17 MSouad New Issue
2022-09-15 09:30 c_schmitz Assigned To => gabrieljenik
2022-09-15 09:30 c_schmitz Status new => assigned
2022-09-15 09:30 c_schmitz Priority none => urgent
2022-09-15 09:31 c_schmitz Assigned To gabrieljenik => c_schmitz
2022-10-05 19:57 c_schmitz Note Added: 72130
2022-10-05 19:57 c_schmitz Bug heat 0 => 2
2023-06-16 10:24 c_schmitz Assigned To c_schmitz => gabrieljenik
2023-06-22 10:39 chrie Note Added: 75783
2023-06-22 10:39 chrie Bug heat 2 => 4
2023-06-22 14:35 gabrieljenik Assigned To gabrieljenik => p_teichmann
2023-06-22 18:00 p_teichmann Assigned To p_teichmann => gabrieljenik
2023-06-22 18:11 gabrieljenik Priority urgent => high
2023-07-07 23:03 gabrieljenik Note Added: 75987
2023-07-07 23:03 gabrieljenik Bug heat 4 => 6
2023-07-07 23:04 gabrieljenik Status assigned => feedback
2025-02-18 18:16 c_schmitz Note Added: 82080
2025-02-18 18:17 c_schmitz Note Edited: 82080
2025-03-17 15:07 gabrieljenik Note Added: 82259
2025-03-19 18:03 c_schmitz Note Added: 82294
2025-03-19 18:03 c_schmitz Note Edited: 82294
2025-03-19 18:19 c_schmitz Note Edited: 82294
2025-03-19 18:21 c_schmitz Note Edited: 82294
2025-03-19 20:12 c_schmitz Status feedback => assigned
2025-03-31 17:13 gabrieljenik Issue cloned: 20038