Is your feature request related to a problem? Please describe.
When using U2F keys as 2FA for the web interface, the TOTP keys are automatically replaced.
Currently 2FA is only usable with one explicit option (YubiKey, FIDO U2F or time-based OTP tokens).
Describe the solution you'd like
Enable mixed use of 2FA options, like using the existing TOTP as a backup if no U2F devices are present (or the user could click a "got no key" link) when both are configured.
Additional context
Lots of services provide TOTP as a backup to U2F. Especially on mobile devices this is quite handy if the user has no NFC- or Bluetooth-capable U2F key.
My YubiKey 5 doesn't work properly over NFC with my smartphone, so I'm basically unable to log in with my smartphone. So 👍, great idea.
As a "last resort" backup I would like to have a phone call option.
(Since SIP accounts with free/low-rate fees are lying around at most admins, I assume.)
There are APIs available, but I can't say much about their quality.
https://datatechlabs.com/posts/56/two-factor-authentication-api-with-phone-call
@adorfer, as a last resort you can always log in via SSH and turn off 2FA in the database. Phone calls are way beyond the scope of Mailcow and too difficult to implement for a simple web application like ours.
I think simply generating 6 backup codes that are then saved into the database would be more than enough :)
Nah, I don't want to burn a backup code every time I'm on mobile...
I meant it more as an alternative two-factor method for authentication, not backup as in backup :smiley:
"not backup as in backup"
Then perhaps change the title, since "backup" is presumably a fallback method with clear limitations, only to be used if the primary system fails due to a fault condition alongside the path, not just an alternating option.
I think this is very useful. If I use my PC I don't want to need my mobile phone. If I use my mobile phone I don't want to need my YubiKey :D.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
@JustAB0x Did you manage to use FIDO(2) over NFC by now?
Sadly not.
Braintelligence notifications@github.com wrote on Sat., 27 July 2019, 14:19:
> @JustAB0x Did you manage to use FIDO(2) over NFC by now?
Any news on this one?
I just enabled U2F and thought about what might happen if I lose my Keychain on a travel.
I would also like to add the request to generate OTP backup codes if one enables OTP. If you lose the OTP key token you will not be able to sign in again.
Sure you can. https://github.com/mailcow/mailcow-dockerized/issues/2611#issuecomment-494478985
Logging in via SSH won't work if you're away from your computer and trying to log in from a mobile phone, when your YubiKey U2F is also your SSH key.
I'd like to see the ability to have two different 2FA options, e.g. YubiKey U2F and TOTP.
I'm using my YubiKey for 2FA with my mobile phone every day.
I don't have NFC on my YubiKey, and my iPhone doesn't have a USB-C port to plug it into. So a second 2FA option like TOTP in addition to a yubikey will be invaluable to most people who want to use 2FA.
You can't be serious about the "most" part there.
I don't want to get into an argument. Was just trying to leave a constructive comment/request for allowing multiple types of 2FA simultaneously.
I'm sure there are many mailcow admins who want 2FA, use a Yubikey for it, but don't have a compatible key or phone which would mean that they are unable to log in remotely using their phone if the Yubikey was their 2FA mechanism.
I've only just started using mailcow, but I like it, and will be contributing to the SAL shortly.
I don't understand why you use a YubiKey with a phone that isn't aligned to your needs. If you ask to add a fallback from a security key to simple TOTP, then maybe you don't need that security key at all and can simply use TOTP, or have a key that will work on all your devices? All benefits from your security key are annihilated if this is applied. @tellytart YubiKey as RSA key: you can have many authorized RSA keys on your Unix user at the same time.
I think you missed the point slightly. I use a YubiKey for my SSH key and U2F. This works fine when I have my laptop with me.
If I am away from the house, and without my laptop, I cannot use my YubiKey with my mobile phone, so if a problem happens, I cannot log in to fix it until I get home, or to another computer.
Most other services I use 2FA with (including GitHub) allow the use of multiple 2FA methods. (Some web browsers still aren't compatible with U2F, so have to fall back to TOTP).
It will also downgrade the security given by a U2F device.
I agree it is more comfortable to use a Yubi (just touch it) vs. entering a token. That's probably why you ask for it? :)
It's more about flexibility. Yes, a YubiKey is nice as you can just touch it. However, a TOTP on a mobile phone is protected by a passcode or fingerprint or faceid (almost always, I don't see someone who wants to secure accounts with 2FA using a mobile phone without a passcode etc!), so is a reasonably secure fallback where a YubiKey can't be used.
With a YubiKey or TOTP, if someone malicious has your password and gets hold of the device then it's game over. Arguably a TOTP on the phone is more secure as you still need to unlock the phone, rather than just plugging in the key, but is less convenient.
But you can always use TOTP without your mobile then, as you added it as a fallback. The extra security added by your mobile does not help.
How would we know you cannot use your Yubi right now and unlock TOTP then?
I don't understand what you're meaning.
I'd like YubiKey U2F as my 2FA mechanism, but I'd also like Google Auth on my mobile as a 2FA mechanism, and the ability on the login screen to select which one I want to use (same as GitHub).
If for some reason I don't have my YubiKey on me (or it's broken, or I don't have access to a laptop) I can still use the google auth on my mobile to generate a TOTP code to log in.
I use my YubiKey at home for convenience (it's quicker than unlocking the phone and launching an app, then entering a code).
I'll use the workaround for now of a second admin account with the other 2FA mechanism enabled.
You say "a mobile phone is protected by a passcode or fingerprint or faceid".
What if I use a public computer and select TOTP as TFA? Your extra security via mobile (Face ID etc.) doesn't help you at all if you let a user decide which TFA to use.
I think that can be implemented anyway, but I don't know when I or whoever will work on it. :/
Thanks. I understand it'll be in the backlog, but will be considered.
Having two different "things I have" for 2FA isn't really a risk, as an attacker would still have to gain physical access to either my YubiKey or my phone for the TOTP generator. And if a keylogger was installed on the public computer I used the TOTP code on, an attacker would still need to use that code within 30 seconds or the TOTP code becomes invalid.