Describe the feature you'd like
Implementation of 2FA time based tokens.
Describe the benefits this feature would bring to BookStack users
The benefit would be that I would feel confident allowing BookStack to face the public internet if 2FA could be turned on and enforced. This would allow the user direct access without having to turn on a VPN to get inside our network. I realize this might not be the use case for a lot of folks, but for those who are documenting sensitive systems this would be a huge win.
This feature would be great
Would love to have this feature. Duo has a free plan; I've used Duo and it's great. The only thing that could be a downside to users would be if this too is behind a paywall like the OAuth feature; security should not be placed behind a paywall.
> The only thing that could be a downside to users would be if this too is behind a paywall like the OAuth feature; security should not be placed behind a paywall.
@Shagon94 Sorry, I may be getting confused since I'm not familiar with Duo, but is the mention of a paywall in reference to Duo or in reference to BookStack?
I'd prefer to stay away from anything vendor specific for this tbh, and go for something fairly open and common such as TOTP.
Apologies, I just found the documentation page for OAuth - https://www.bookstackapp.com/docs/admin/third-party-auth/
That being said, MFA / 2FA would be great as well; TOTP would also be a great addition.
Regarding Duo: Duo is a 2FA provider, and they have an app as well; it works like any other 2FA-compatible app. The reason I mentioned them is that they have a free plan, so people might prefer having a push that they can just accept over entering the key from the OTP.
Even if we exclude Duo, 2FA is a great addition to security; any implementation would be great.
Just putting this here as a reminder to myself to potentially dig into a webauthn implementation:
https://hacks.mozilla.org/2018/01/using-hardware-token-based-2fa-with-the-webauthn-api/
_Copy of my message from the closed (In favor of this issue) original issue:_
Just to flesh this out a little further, what kind of controls would you want for 2FA? For example, would you want to force 2FA on all users? Let users decide? User-level control by admins? Something else?
Not looking for extra ideas, just want to know what you'd specifically want for your environment(s).
I'm assuming, for new users and for newly-admin-enabled-2FA users, we'd force a "Setup 2FA" step upon login?
Do we need to implement a backup system? Or would an admin CLI command to disable 2FA for the system/a specific account suffice in scenarios where access is lost?
As an admin I'd like the option to force enabling 2FA for all users, enable it just for Administrators, or leave it up to user preference (enabled but not enforced).
> I'm assuming, for new users and for newly-admin-enabled-2FA users, we'd force a "Setup 2FA" step upon login?
This would be the method as far as I can tell.
> Do we need to implement a backup system? Or would an admin CLI command to disable 2FA for the system/a specific account suffice in scenarios where access is lost?
A backup system would be needed in some form. I think your idea of a CLI command would suffice for small instances. Where that would add more overhead is in large deployments. That's where the option of backup codes (i.e. 10 codes you download and keep safe when 2FA is configured) would come in handy, with the CLI as the ultimate fallback.
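To make the two pieces discussed so far concrete (TOTP as the open, app-compatible second factor, and single-use backup codes as the self-service fallback before an admin CLI), here is an added example of the server-side logic. It is written in Python purely for illustration and is not BookStack's own code (BookStack is a PHP project; the `SecondFactor` class, its method names and the in-memory storage are assumptions of this example). It follows RFC 4226 (HOTP) and RFC 6238 (TOTP), so it verifies codes from any standard authenticator app; the secret used in the `__main__` block is the published RFC 6238 test-vector secret so the output can be checked against the RFC.

```python
"""TOTP second factor with a drift window, replay protection and single-use
backup codes. Added example in Python for illustration; not BookStack's own
code (BookStack is PHP) and no such API exists in the project.
Follows RFC 4226 (HOTP) and RFC 6238 (TOTP) so it matches authenticator apps."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI to render as a QR code once, at setup time (base32 secret, no padding)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


class SecondFactor:
    """Per-user 2FA state as a server would persist it (hypothetical class): the TOTP
    secret, the last time step that was accepted (blocks replay), and hashed backup codes."""
    WINDOW = 1  # accept one 30 s step of clock drift either side of "now"

    def __init__(self, secret: Optional[bytes] = None, step: int = 30):
        self.secret = secret or secrets.token_bytes(20)  # 160-bit secret, as RFC 4226 recommends
        self.step = step
        self.last_counter = -1
        self.backup_hashes = set()

    def verify_totp(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for counter in range(current - self.WINDOW, current + self.WINDOW + 1):
            if counter < 0:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter <= self.last_counter:
                    return False  # this step (or an older one) was already used: replay
                self.last_counter = counter
                return True
        return False

    @staticmethod
    def _hash(code: str) -> str:
        # Backup codes are stored hashed, like passwords. SHA-256 keeps the example
        # self-contained; a slow hash (bcrypt/argon2) is preferable in production.
        return hashlib.sha256(code.strip().lower().encode()).hexdigest()

    def generate_backup_codes(self, count: int = 10) -> List[str]:
        """Returns the plaintext codes exactly once; only their hashes are kept."""
        codes = [secrets.token_hex(5) for _ in range(count)]  # 40 random bits each
        self.backup_hashes = {self._hash(c) for c in codes}
        return codes

    def use_backup_code(self, code: str) -> bool:
        """Consumes a backup code: valid once, then removed from the stored set."""
        candidate = self._hash(code)
        matched = [h for h in self.backup_hashes if hmac.compare_digest(h, candidate)]
        if not matched:
            return False
        self.backup_hashes.discard(matched[0])
        return True

    def backup_codes_remaining(self) -> int:
        return len(self.backup_hashes)


# RFC 6238 test-vector secret (ASCII "12345678901234567890"); not a real user's secret.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    user = SecondFactor(RFC_SECRET)
    print(provisioning_uri(user.secret, "alice@example.com", "BookStack"))
    print("TOTP at t=59:", totp(RFC_SECRET, 59))  # 287082 per RFC 6238
    codes = user.generate_backup_codes()
    print("backup codes (show once):", codes)
    print("accepted:", user.verify_totp(totp(RFC_SECRET, 59), now=59))
```

The two details worth carrying into any real implementation are the `last_counter` check (a code is accepted at most once even though the drift window would otherwise let it verify for up to 90 seconds) and storing backup codes only as hashes, so a database dump does not hand an attacker a working second factor.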
> What kind of controls would you want for 2FA? For example, would you want to force 2FA on all users? Let users decide? User-level control by admins? Something else?
Even just enabling/enforcing it based on role can also be sufficient.
> I'm assuming, for new users and for newly-admin-enabled-2FA users, we'd force a "Setup 2FA" step upon login?
Sounds good!
> Do we need to implement a backup system? Or would an admin CLI command to disable 2FA for the system/a specific account suffice in scenarios where access is lost?
The CLI command is a good idea.
+1 for this feature.
Hi @triDcontrols, to help gather guidance for implementation, could you read and answer my post above?
A keen user of 18 months' opinion...
> What kind of controls would you want for 2FA? For example, would you want to force 2FA on all users? Let users decide? User-level control by admins? Something else?
Feel like forcing it on admins is fair as they have much more control. Below that, let users decide. The way Nextcloud forces it on for everyone or no one has caused me issues with people being blocked out in the past.
> I'm assuming, for new users and for newly-admin-enabled-2FA users, we'd force a "Setup 2FA" step upon login?
This would have to exist to stop existing users being blocked out, as mentioned above.
> Do we need to implement a backup system? Or would an admin CLI command to disable 2FA for the system/a specific account suffice in scenarios where access is lost?
Admin CLI is absolutely fine as long as it's well documented. Other projects have fallen down in the past, as I've found the secret CLI command buried in a closed issue.
Any news on this feature? It would make BookStack more suitable for a lot of things and improve security. Also it will 100% pass accountant audits!
@kayvanaarssen No, no news. Please read and answer my post above to help us understand the requirements for this.
As @ark- also commented:
Some points that come to mind:
Sorry for pushing this again, but any news on adding 2FA? This is one thing that's holding us back from using BookStack for our clients to log in and look at their documentation, since we want to have it secure.
@kayvanaarssen No news, I've hardly had time to devote to the project since your last prompt.
Realistically it's not going to be this year, maybe the first half of next year, but that's a big maybe.
Authentication work is incredibly arduous and time consuming, and often does not benefit the wider existing BookStack user base, hence I've pretty much met my limit of working on auth this year.
If it's a massively important requirement you could always use one of the other authentication options, such as SAML, along with an identity provider that does support 2FA/MFA.
I understand, but it's really good for security of course.
Hope it will make it to BookStack at some point 👍
@kayvanaarssen It might be worth looking into https://github.com/authelia/authelia while waiting for bookstack to implement their own.