Yubikey support

I would like to see YubiKey supported as one of the ways to do 2-factor auth.

See https://developers.yubico.com/

Status: Needs review

Comments

Are you referring specifically to YubiKey's cloud authentication service YubiCloud?

We could support that, but it would take some development work (similar to what was done for Authy).

Doesn't YubiKey also support TOTP, which is already implemented in Webmin (and doesn't require a dependency on an external service)?

Yes, YubiKey does use OTP. If you can make that work, that would be really cool.

Webmin already has support for the TOTP protocol for two-factor authentication, so if YubiKey supports that then it should work with no further changes on our side.

Each YubiKey has to be registered first, then you can use it for Webmin logins. So you need to add code that will access Yubico's API to do this.

I'll look into this some more - on the YubiKey site it says TOTP is supported, but with some additional software.

Any news on this? I would love to get away from Google Auth soon.

@JamieCameron Yubico made libs available. The U2F protocol is more and more accepted (due to its use by Facebook, Google and many more). For me it would also be a great advantage to secure my Webmin/Virtualmins with YubiKeys.

The T of TOTP is indeed created by additional software: the YubiKey has no battery or clock, so it can't create TOTP codes itself. Other mechanisms the YubiKey supports are challenge/response, certificates, U2F, PGP and a programmable password response (quite a nice, versatile little device).

For your convenience I added some links to dev pages: https://developers.yubico.com/OTP/ https://developers.yubico.com/yubico-perl-client/

If you are willing to give a bit of guidance on how to implement these Perl modules within Webmin so we can pass authentication, I'm willing to help with testing / driving a PoC.

Regards,

Thanks, I'll take a look at those APIs.

Replying to this old thread instead of opening a new one, even though it's not YubiKey that I'm looking for, but general-purpose 2FA:

It would be really nice to have an open-source, self-hosted solution; needing Google or an Authy key is a pain. And brute-force attacks are sharply on the rise.

A 2FA implementation based on U2F would be much better for Virtualmin, Webmin and Usermin, so that open-source 2FA clients can be used. See this page of GitLab's open-source self-hosted solution for all the choices available: https://docs.gitlab.com/ee/user/profile/account/two_factor_authenticatio...

Submitted by Ilia on Fri, 11/20/2020 - 06:36

Would be really nice to have an open-source self-hosted solution, needing Google or an Authy key is a pain.

How about just using oathtool tool to generate OTP?

oathtool --base32 --totp X23DDQZHGIA63W44

Not good enough?

Thank you for the pointer, but that's on the command line, and not using Virtualmin. It's not available to "normal" users without SSH access or deep shell knowledge (and managing the system outside of Virtualmin may call for future troubles), so IMHO not "good enough" (keep cool, I'm just trying to help you guys by giving suggestions to help improve Virtualmin/Webmin).

When activating Two-Factor Authentication in Webmin / Webmin Settings / Two-Factor Authentication, there are only 2 choices: Google and Authy. It would be nice to have a non-proprietary, non-third-party-dependent, self-hosted, open-source third choice (or one replacing the two that would then no longer be needed).

Maybe to clarify, I was talking about the server side, which can be self-hosted "inside Virtualmin" and not dependent on third-party services.

Submitted by Ilia on Fri, 11/20/2020 - 06:53

Not available to "normal" users without ssh access or deep shell knowledge (and managing the system outside of Virtualmin which may call for future troubles),

When using YubiKey, are there desktop and/or mobile clients (installable from the Play Store or Apple Store) for generating OTPs?

Would be really nice to have an open-source self-hosted solution, needing Google or an Authy key is a pain.

It would be useful if you could describe what kind of pain that is, exactly?

(keep cool, just trying to help you guys by giving suggestions to help improve Virtualmin/Webmin).

Thank you, we will consider it, if it's worth it and more or less easy to add.

I am in the process of securing all accounts with YubiKey 5 FIDO2 WebAuthn wherever possible (else FIDO U2F if FIDO2 is not available on certain older platforms).

Not sure what happened to this FIDO2 WebAuthn suggestion then. Was FIDO2 WebAuthn implemented in Virtualmin/Webmin?

Submitted by Ilia on Wed, 04/28/2021 - 04:00

Was FIDO2 WebAuthn implemented in Virtualmin/Webmin?

No, it hasn't been implemented yet. Sorry.

Thanks for your response.

Any plans to include it?

Not sure if the Virtualmin team realizes that this is becoming a common scenario and use case now. With a lot of accounts being used with 2-factor authenticator apps like Google/Microsoft etc., it makes it extremely difficult and very inefficient to keep looking for the code on the phone and, if the code is about to be renewed, wait a couple of seconds for it to renew. Most people driven by this are looking for a more efficient solution, and the answer is FIDO2 WebAuthn, which makes the login passwordless or at least codeless and is still a lot more secure due to the physical key in hand. Google and Microsoft rolled out physical keys to over a hundred thousand employees to reduce account hacks to literally zero. Google was so impressed by the security and efficiency that they came up with their own security key (well, they can).

I think you requested an explanation of the kind of pain in the use case of using the Google/MS Authenticator apps. Let me help you, if you haven't figured it out. I have about 40-50 different accounts using either a Google or MS authenticator code key, and almost all of these accounts also have some inactivity expiry attached. Every time I need to log in I need to reach for the authenticator code, and many times it happens that the mobile is on the wireless charger away from me, especially when I am using the tablet in the lounge (work from home, you see). Regardless, every time I need to log in, I need to look for exactly the specific account out of 40/50 accounts, and by then the code reaches expiry, then there's a further wait of a couple of seconds. And imagine doing this about 40/50 times, out of which I have 2 live Webmin users and 2 test Webmin users.

Then I came across the fact that the authenticator apps are also not completely secure, and from a security and efficiency point of view security keys are the best. While most of the accounts support security keys, the Virtualmin login is a very important part of my workflow. And most of the time I always log out from all accounts when I am not using them (this is not only good for PC performance but also secure and good from a decluttering aspect).

Now, to help you understand how critical such a security key can be in avoiding all the pain I described (underplayed) above: I now have a YubiKey 5 NFC and a YubiKey 5 Nano, one semi-permanently in the tablet and one on a lanyard around my neck, which is for the PC. No charging required. I log in to my password manager manually (a single password to type) and just put my finger on the security key to log in to it. From here onwards the password manager logs in to almost all websites as far as password entry is concerned. But for 2FA, with the second factor played by the security key, just a touch of the key and it logs in (no messy code waiting etc.). Accounts may log off frequently whenever they want, but that's not an issue with a security key.

Life is much better this way. This avoided many of the times when I couldn't log in due to dependency on the authenticator key for whatever reason: either the phone is not near, not charged, switched off, with my son, or there is simply a time mismatch and the key doesn't work anymore (which happens frequently on some crappy platforms like QNAP, locking me out, and it is very painful when I really am busy with something very important).

You also asked about client installation for TOTP. YubiKey supports both TOTP and HOTP, which I haven't used yet but soon will be using, and as I understand it YubiKey has its own client running on the PC which will generate a code and with a single tap copy it to enter into the code text field. Personally I don't think this scenario is relevant for Virtualmin. As I understand it, FIDO2 WebAuthn setup is relatively easy to implement due to the vendor-independent protocol. And there is no TOTP/HOTP setup required, so no keys are required. Just the password and touching the security key, and it logs right in. So in this case no client software should be required.

The world is gradually bending towards it now, because that is where technology is heading to be more secure and efficient. Compared to such great implementations going so deep in Virtualmin/Webmin, this feature addition is really not that complicated at all, as I have understood.

I would appreciate it if the Virtualmin/Webmin team considered adding FIDO2 WebAuthn for user login.

Thank you jiteshsg for your extensive explanation, but let me correct you on one part: Google does not make the keys themselves. They have it done by the "inventor" of the keys, but it does run Google's firmware. And those Google keys are only for external customers; internally they use the originals (as far as I understood).

Thanks for the correction.

It doesn't change anything in the use case explanation I mentioned and the importance of security key support.

I still think technologically this is the entry point, and not having this option available doesn't help the Virtualmin/Webmin community. On the contrary, having this option encourages users to be more secure and efficient. And as I said earlier, FIDO2 WebAuthn implementation is not seen as that difficult, as discussed on many forums.

For the rest, I am sure the Virtualmin/Webmin team would know what the right thing to do is.

Submitted by Ilia on Thu, 04/29/2021 - 16:10

Every time I need to log in I need to reach for the authenticator code, and many times it happens that the mobile is on the wireless charger away from me, especially when I am using the tablet in the lounge

I am confused about this, as there are numerous apps/console commands to display an OTP based on a Google Authenticator ID. You could use a Linux command to generate the OTP (there are probably GUI solutions as well) or create a small script that will return the OTP based on a passed domain name.

I would appreciate it if the Virtualmin/Webmin team considered adding FIDO2 WebAuthn for user login.

We will discuss it internally. I will mark this as a future feature request.

Submitted by SedonDss on Tue, 05/04/2021 - 10:18

I join the YubiKey (possibility) development incentives camp. We would love to see YubiKey in this great WCP.

I understand when the colleague complains that Google Auth. is not transparent. In my case I have nearly 70 accounts running on it. Authy is cumbersome... (I forgot it long ago).

We would like to see this theme possibly continued and implemented, THX.