FIDO U2F Authentication
Hi there
I'm currently developing a FIDO U2F (Universal 2nd Factor) Authentication module.
My goal is to override the core concrete authentication module, so if somebody installs the module, a login through the concrete authentication should be disabled (otherwise an attacker could still try to log in through the concrete authentication module).
I tried to do that with a package (in the /packages dir) and put that authentication part in the application folder (/package/my_pkg/application/authentication/concrete), but unfortunately this doesn't work (concrete core authentication isn't overridden). If I put my FIDO U2F implementation in the application/authentication/concrete folder (in the Concrete5 document root) it works.
Does anybody have an idea why this doesn't work, or have another tip? Any help would be appreciated!
Kind regards
Lars
PS: If somebody wants to test that authentication module, feel free to contact me.
Finally I've found a solution. First I extend the concrete5 authentication type controller:
    class Controller extends \Concrete\Authentication\Concrete\Controller
Next we disable the default authentication type (so nobody can log in with the default auth. type):
    public function install() {
        $pkg = parent::install();
        SinglePage::add('/account/u2f', $pkg);
        // Register the U2F authentication type for this package
        AuthenticationType::add('u2f', 'U2F', 1, $pkg);
        // Remove the core 'concrete' authentication type
        $authenticationType = AuthenticationType::getByHandle('concrete');
        $authenticationType->delete();
        ....
    }
Hi muas,
I've been following this thread since you first posted.
Are you looking to put together something for the marketplace or on GitHub?
Will you be using the Yubico Web service API for authentication?
Hi
Yes, I put the code on GitHub: https://github.com/L4rS6/concrete5_u2f...
No, because there is currently no U2F API (just OTP) from Yubico. At the moment you have to install the Yubico u2fval-Server yourself.
Thank you, this looks very interesting.
What was your motivation to create the package? Was it for a client, personal use, or a demo?
Thank you. No, it was a part of a bachelor thesis.
[1]
    Core::bind('\Concrete\Authentication\Concrete\Controller', function() {
        return new \Concrete\Package\U2f\Authentication\U2f\Controller();
    });
Any help would be appreciated.