I plan to use hardware tokens for login. The idea is this: As long as you have the hardware token within personal reach, you can be sure that no other person has access to the gitea instance via your account.
Unfortunately, I am forced to set up a Google Authenticator 2nd factor as well. So you don’t need the hardware token for login; gaining access to the Google Authenticator is sufficient.
Is it possible to use hardware tokens without this?
There are certain API calls that support using OTP 2FA, but don’t support hardware tokens, and so the code requires that Google Auth (or whichever OTP app you use) is activated before also activating a hardware device. The OTP 2FA activation also provides a scratch code should you lose access to the app.
You can delete the token from your app if you only ever want to use the hardware token.
@techknowlogick: Thx for answering my issue. My focus is on the provider side:
- I’m providing a gitea instance
- It is based on LDAP users
- I’d like to require the users to use a hardware token
- I want to be sure: Once a user has no hardware token, he/she will not be able to access the instance any more
- Ask the users to login using their LDAP credentials
- Ask them to activate a 2nd factor
- Handle the 2nd factor via a temporary solution (I don’t want them to install a special app on their mobiles)
- Activate the hardware token
- Verify: LDAP credentials plus hardware token are OK for accessing Gitea
- Report this to the gitea admin
Now the gitea admin looks into the users overview and verifies the hook on “2FA”. If it is there, the user has at least partly completed the procedure.
Now I’m modifying the database tables:
- create a copy of two_factor → two_factor_backup
- copy the user’s record to two_factor_backup (just in case I need it later)
- destroy the values of secret, scratch_salt, scratch_hash for the user within two_factor
At this point, the user cannot login via the TOTP token any more. The hardware token still works.
The emergency password doesn’t work either (hopefully; not checked so far).
These issues still exist:
- Access with SSH keys - maybe allow only SK keys? There is a patch for SK keys and it works, but it accepts “all” SSH keys; easy to change
- Access with an application token - completely open
- The user might delete his/her account and start over, since without an existing account a new one will probably be created based on the LDAP credentials - I could remove the “delete account” part from gitea
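The table manipulation described above (back up the user’s two_factor row, then destroy secret, scratch_salt and scratch_hash), written out as an added example that is not from the thread or from Gitea. It runs against a constructed in-memory SQLite table whose layout (id, uid columns) is an assumption, not Gitea’s real schema; only the column names named in the post are taken from it. It also adds the check a practitioner wants: fail loudly if the user has no 2FA row instead of silently doing nothing.

```python
import sqlite3


def make_demo_db():
    """Constructed sample data: two users with TOTP enrolled.
    Column layout is an assumption; secret/scratch_* names come from the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE two_factor (
            id INTEGER PRIMARY KEY,
            uid INTEGER NOT NULL UNIQUE,
            secret TEXT NOT NULL,
            scratch_salt TEXT NOT NULL,
            scratch_hash TEXT NOT NULL
        );
        INSERT INTO two_factor VALUES
            (1, 10, 'constructed-secret-A', 'saltA', 'hashA'),
            (2, 11, 'constructed-secret-B', 'saltB', 'hashB');
    """)
    return conn


def disable_totp_for_user(conn, uid):
    """Copy the user's row to two_factor_backup, then blank the TOTP secret and
    the scratch-code fields so the row only still satisfies the 'has 2FA' check."""
    # Backup table gets the same columns as two_factor but starts empty.
    conn.execute(
        "CREATE TABLE IF NOT EXISTS two_factor_backup AS SELECT * FROM two_factor WHERE 0")
    with conn:  # copy and wipe commit together or roll back together
        conn.execute(
            "INSERT INTO two_factor_backup SELECT * FROM two_factor WHERE uid = ?", (uid,))
        cur = conn.execute(
            "UPDATE two_factor SET secret = '', scratch_salt = '', scratch_hash = '' "
            "WHERE uid = ?", (uid,))
        if cur.rowcount != 1:
            # No row means the user never enrolled TOTP: refuse rather than
            # report success for a user whose 2FA state is not what the admin thinks.
            raise LookupError(f"expected one two_factor row for uid {uid}, got {cur.rowcount}")


def totp_disabled_users(conn):
    """Admin check: users whose 2FA row exists but whose TOTP material is gone."""
    rows = conn.execute(
        "SELECT uid FROM two_factor WHERE secret = '' AND scratch_hash = '' ORDER BY uid"
    ).fetchall()
    return [r[0] for r in rows]
```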