Skip to content

Two Factors authentication for Devise using Time Based OTP/rfc6238 tokens.

License

Notifications You must be signed in to change notification settings

wmlele/devise-otp

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Devise::Otp

Build Status

Devise OTP implements two-factors authentication for Devise, using an rfc6238 compatible Time-Based One-Time Password Algorithm. It uses the rotp library for generation and verification of codes.

It currently has the following features:

  • Url based provisioning of token devices, compatible with Google Authenticator.
  • Two factors authentication can be optional at user discretion, recommended (it nags the user on every sign-in) or mandatory (users must enroll OTP after signing-in next time, before they can navigate the site). The settings is global, or per-user.
  • Optionally, users can obtain a list of HOTP recovery tokens to be used for emergency log-in in case the token device is lost or unavailable.

Compatible token devices are:

Quick overview of Two Factors Authentication, using OTPs.

  • A shared secret is generated on the server, and stored both on the token device (ie: the phone) and the server itself.
  • The secret is used to generate short numerical tokens that are either time or sequence based.
  • Tokens can be generated on a phone without internet connectivity.
  • The token provides an additional layer of security against password theft.
  • OTP's should always be used as a second factor of authentication(if your phone is lost, you account is still secured with a password)
  • Google Authenticator allows you to store multiple OTP secrets and provision those using a QR Code

Although there's an adjustable drift window, it is important that both the server and the token device (phone) have their clocks set (eg: using NTP).

Installation

Add this line to your application's Gemfile:

gem 'devise'
gem 'devise-otp'

And then execute:

$ bundle

Or install it yourself as:

$ gem install devise-otp

Devise Installation

To setup Devise, you need to do the following (but refer to https://github.com/plataformatec/devise for more information)

Install Devise:

rails g devise:install

Setup the User or Admin model

rails g devise MODEL

Configure your app for authorisation, edit your Controller and add this before_filter:

before_filter :authenticate_user!

Make sure your "root" route is configured in config/routes.rb

Automatic Installation

Run the following generator to add the necessary configuration options to Devise's config file:

rails g devise_otp:install

After you've created your Devise user models (which is usually done with a "rails g devise MODEL"), set up your Devise OTP additions:

rails g devise_otp MODEL

Don't forget to migrate:

rake db:migrate

Custom Views

If you want to customise your views (which you likely will want to), you can use the generator:

rails g devise_otp:views

I18n

The install generator also installs an english copy of a Devise OTP i18n file. This can be modified (or used to create other language versions) and is located at: config/locales/devise.otp.en.yml

Usage

With this extension enabled, the following is expected behaviour:

  • Users may go to /MODEL/otp/token and enable their OTP state, they might be asked to provide their password again (and OTP token, if it's enabled)
  • Once enabled they're shown an alphanumeric code (for manual provisioning) and a QR code, for automatic provisioning of their authetication device (for instance, Google Authenticator)
  • If config.otp_mandatory or model_instance.otp_mandatory, users will be required to enable, and provision, next time they successfully sign-in.

Configuration Options

The install generator adds some options to the end of your Devise config file (config/initializers/devise.rb)

  • config.otp_mandatory - OTP is mandatory, users are going to be asked to enroll the next time they sign in, before they can successfully complete the session establishment.
  • config.otp_authentication_timeout - how long the user has to authenticate with their token. (defaults to 3.minutes)s
  • config.otp_drift_window - a window which provides allowance for drift between a user's token device clock (and therefore their OTP tokens) and the authentication server's clock. (default: 3)
  • config.otp_credentials_refresh - Users that have logged in longer than this time ago, or haven't refreshed, are boing to be asked their password (and an OTP token, if enabled) before they can see or change their otp informations. (defaults to 15.minutes)
  • config.recovery_tokens - Whether the users are given a list of one-time recovery tokens, for emergency access (default: true)
  • config.otp_uri_application - The name of this application, to be added to the provisioning url as '<user_email>/application_name' (defaults to the Rails application class)

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

Thanks

I started this extension by forking devise_google_authenticator, and this project still contains some chunk of code from it, esp. in the tests and generators. At some point, my design goals were significantly diverging, so I refactored most of its code. Still, I want to thank the original author for his relevant contribution.

License

MIT Licensed

About

Two Factors authentication for Devise using Time Based OTP/rfc6238 tokens.

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages