Two-Factor authentication (TOTP) #3712
base: master
Enhancing Dex with 2FA adds an additional layer of security, making unauthorized access significantly more difficult. This is particularly valuable for connectors like LDAP and local connectors that do not inherently support 2FA. By implementing 2FA, we align Dex with industry best practices for identity management, meet higher security compliance requirements, and ensure better protection for user data, thereby building greater trust with our users. The 2FA data is securely stored within the `OfflineSessions` object and extends support to all configured connectors.

Signed-off-by: m.nabokikh <[email protected]>
closes #352
closes #1547
closes #1270

I'm not a maintainer nor a reviewer so I'm not sure this is the best place to ask this, but would it be possible to display the "textual" code below the QR code? This is useful when you can't scan the QR code, for example when your TOTP application is directly on your computer. (Edit: typo)

Do we know if we are going to see this merge in the near future? This would be a great feature to see deployed, as more and more security requirements ask for 2FA on auth provider.

@sambonbonne good addition, thanks!

@nabokihms Is there a way to fund the work in this PR?

Overview
This pull request implements two-factor authentication (2FA) in Dex. The 2FA data is securely stored within the `OfflineSessions` object, enhancing security for connectors that lack built-in 2FA support, such as LDAP and local connectors. Upon first login, users will save their 2FA settings using a QR code, after which they will use the saved 2FA for subsequent logins. Below is an example configuration for enabling 2FA:

What this PR does / why we need it
Enhancing Dex with 2FA adds an additional layer of security, making unauthorized access significantly more difficult. This is particularly valuable for connectors like LDAP and local connectors that do not inherently support 2FA. By implementing 2FA, we align Dex with industry best practices for identity management, meet higher security compliance requirements, and ensure better protection for user data, thereby building greater trust with our users.
Special notes for your reviewer
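
The enrollment flow described in the overview (a QR code at first login, a saved secret checked on later logins) and the "textual" code requested in the thread can be sketched as follows. This is an added example, not code from this PR or from Dex: the function names, the issuer and account values, and the RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits) are assumptions, since the page does not state which parameters the PR uses.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"time"
)

// TOTP returns the 6-digit RFC 6238 code (HMAC-SHA1, 30-second step) for secret at t.
func TOTP(secret []byte, t time.Time) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t.Unix()/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	bin := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// Verify accepts a code for the current step or one step either side
// (clock skew), comparing in constant time. Hypothetical helper name.
func Verify(secret []byte, code string, now time.Time) bool {
	ok := 0
	for _, skew := range []time.Duration{-30 * time.Second, 0, 30 * time.Second} {
		ok |= subtle.ConstantTimeCompare([]byte(TOTP(secret, now.Add(skew))), []byte(code))
	}
	return ok == 1
}

// Enrollment returns the otpauth:// URI a QR code encodes and the base32 key
// a user can type into an authenticator app when scanning is not possible.
func Enrollment(issuer, account string, secret []byte) (uri, manualKey string) {
	manualKey = base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
	q := url.Values{"secret": {manualKey}, "issuer": {issuer}}
	u := url.URL{Scheme: "otpauth", Host: "totp", Path: "/" + issuer + ":" + account, RawQuery: q.Encode()}
	return u.String(), manualKey
}

func main() {
	// Constructed input: the RFC 6238 test secret and a made-up account, not a real credential.
	uri, key := Enrollment("Dex", "alice@example.com", []byte("12345678901234567890"))
	fmt.Println(uri, key)
}
```

The manual-entry key is the same secret the QR code carries, so both need the same protection as a password. A production verifier would also record the last accepted time step per user to reject replay of a code within its validity window.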