#1499 Feature request: enhance security by adding support for 2-factor-authentication via Google Authenticator

[RobertHarm]

My hoster recently added support for securing the hosting admin panel with 2-Factor-Authentification, using Google Authenticator. The only "weak" link left is the phpmyadmin access which does not support that.

It would be great if users would have the option within PMA settings to enable 2-Factor-Authentication to further secure their databases and prevent brute-force-attacks if the login site is publicly available.

More infos on Google Authenticator can be found here: http://code.google.com/p/google-authenticator/

[Maxime DAVID]

Hi,

Maybe this project could be a GSoC idea ? I would be glad to submit a proposal about this feature but I would like to make sure that it could be accepted as a GSoC project

[Isaac Bennetch]

It wouldn't be able to stand alone as a GSoC idea due to the expected timeline; a proposal is supposed to take approximately the full summer (which generally has meant approximately 12 forty hour weeks). So if this project could be incorporated with other work to make a proposal that takes approximately "all summer", then it certainly could be used as such, but by itself is not likely to be chosen because of the timeline expectation.

[Maxime DAVID]

OK ! Thanks, I'm going to add some other features to my proposal

[supawiz6991]

I would love to see this for user logins! How would this work for programs or websites that try to read/write to a database? How would they get the random security key?

[Isaac Bennetch]

Hi supawiz6991, since other programs and websites access the database directly rather than going through phpMyAdmin, when/if we implement this in phpMyAdmin it won't have any effect on those other programs. If implemented, this would strictly be for user authentication to phpMyAdmin.

[supawiz6991]

Awesome! I hope that IF turns into a WILL !

[Mike Robinson]

I actually just implemented Google Auth, Authy and a custom made OTP grid in a program I wrote and I might be willing to implement Google Auth for phpMyAdmin. However I don't quite know the logistics of how it would work since I am unfamiliar with phpMyAdmin (I just use it, but never contributed to it before).

I'm assuming we want a different secret key for each user, right? We could also provide the option to have a single "master" secret key for all accounts if required as well (e.g. if system administrators are the only ones who will be accessing PMA and they have access to multiple accounts). For multi-user environments, I see that PMA has a configuration storage and it looks like I could probably just use the pma__userconfig table to store the secret keys and a couple of other settings. However I am unaware how this table is populated. Is an entry added every time a new user logs in or is it somehow pre-populated? Does the username match the username used to log in? What happens if the system user is altered, added or deleted?

I propose adding the following configuration variables:

/* Integer 
    Values:
    0 - Google authentication is disabled for all users
    1 - Google authentication is enabled for all users
    2 - Google authentication is ONLY required for the users in the user list
    3 - Google authentication is required for all users except the users in the user list
 */
$cfg['Servers'][$i]['GoogleAuthenticationEnabled'];

/* String - Comma separated list of users. See previous option. */
$cfg['Servers'][$i]['GoogleAuthenticationUserList'];

Then, this behavior:

• If Google Authentication is disabled either globally or for a user, allow them to log in just like right now
• If Google Authentication is enabled for a user but it hasn't been configured yet, after a successful login, present a screen to configure it. They will be presented with a QR code and a manual secret key to enter into their device. When the user enters the first OTP value correctly, the corresponding secret key is saved in the database with for that user and they are allowed to continue.
• If Google Authentication is enabled for a user and it has been configured, after a successful login, present a screen to provide their next OTP value and allow them to continue if it is correct.
• We will need to add a session variable, something like OTPValidated so that the user doesn't have access to anything until that is set to true because logging in is now going to be two separate steps.

I do have a few doubts though:

• What should the behavior be if a user loses their device and are unable to log in?
• Should we allow the root user to remove Google Authentication from a user so that they can reconfigure it when they next log in?
• If GoogleAuthenticationEnabled is set to 2 or 3, should we allow the user to either opt in or opt out of using Google Authentication for their account after they have logged in? If so, is there an option within PMA to write to config.inc.php if it is writable by the HTTP user or does it always have to be written manually?

Comments? Questions?

[Marc Delisle]

Hey Mike,
your proposition looks complete and correct, except having a user list in config.inc.php (see below).

A few answers:
- pma__userconfig is populated after a user directly changes a setting that is stored in this table
- it's not normally pre-populated but it could be pre-populated
- its username matches the username used to log in
- when a user is deleted from MySQL via phpMyAdmin, it's not removed from pma__userconfig (maybe a bug)
- if a user loses the device, she should ask the server admin to reset her account definition (new shared key or add her account in the list of exceptions)

About opting in or out, we cannot rely on config.inc.php being writable; it would be better to add a table to the phpMyAdmin configuration storage, to contain a user list and their Google Auth status.