Two Factor Authentication to Portal


Two-factor authentication is critical! I cannot see recommending Domotz to any client until this level of security is provided.

With all the horrors of poor security in Internet-facing IoT devices (re: the Krebs on Security 600 Gbps DDoS attack from IoT devices), exposing a client network to remote access with nothing but regular password-level security is not an option.

In the meantime, is there a workaround to DISABLE all remote connections by setting a startup parameter or configuration parameter in the agent that cannot be bypassed? (I mean disabling all remote access from outside the LAN via the proxy/reverse-proxy magic of the Domotz Agent "connect" options.)

For the actual 2FA implementation, I absolutely prefer something Google Authenticator compatible (time-based one-time key) and not just an SMS or push mechanism.


I concur with SpivR. 2FA needs to be a high priority for Domotz. Google Auth would be preferable to SMS, but an open standard like FIDO would be even better. SpivR's comments also made me realize that we don't know anything about Domotz's security model and practices. I strongly suggest that Domotz share their security approach with the community so we can be sure that we are not putting our customers at risk and assure our customers that their home networks are safe with Domotz.

 

-Chris

 

2 hours ago, cjohlandt said:

> I concur with SpivR. 2FA needs to be a high priority for Domotz. Google Auth would be preferable to SMS, but an open standard like FIDO would be even better. SpivR's comments also made me realize that we don't know anything about Domotz's security model and practices. I strongly suggest that Domotz share their security approach with the community so we can be sure that we are not putting our customers at risk and ensure our customers that their home networks are safe with Domotz.
>
> -Chris

 

My understanding is that "Google Auth" is, or is based on, an industry standard. I use several apps on both iPhone and Apple Watch that are compatible and work with multiple services that support "Google Auth" without any special adjustments. I use Microsoft and other services that support this mechanism for 2FA. So my recommendation of supporting "Google Auth" for 2FA would mean lots of choices for the actual 2FA UI used by the end user/dealer for login.

On 12/29/2016 at 9:20 PM, rgericke said:

> I agree that this is a must and I also agree that we should be able to enforce it for all users.
>
> Integration with a two factor provider like DUO would be gold!


I know, guys. It is something we have wanted to do for a long time. But our dev team is really under pressure with a long queue of enhancements. I will do my best to raise the priority. Thanks for your patience and understanding.


Thank you, Silvio, for your feedback. I do want to step back and say it is rare these days to find a vendor/manufacturer that is willing to be open about features and priorities. (With most others, requests just go into a black hole.)

That said, I do want to emphasize that two-factor authentication is one of the few features that is not simply a convenience or enhancement. It goes to the core of security, which is of huge concern to the public and the media nowadays, especially for home automation and IoT.

Also, since this involves your cloud server back-end, there is no workaround or hack that can be cobbled together unilaterally by users/geeks; it can only be implemented by Domotz, unlike many of the other requests for new features.

 

 


Thanks. In this forum you can see a number of features that were requested by users and then implemented.

Over the next few weeks and months the team is deeply involved in some new features strongly requested by our customers:

- activity logging
- SNMP OID monitoring
- SNMP OID-based alerts
- simplified configuration of multi-VLAN monitoring
- many integrations (new PDUs, PoE switches, Cresnet, Lutron...)

But definitely, two-factor authentication will come just after.

 

 


Hi

 

Just wondering if there has been any more development on Two Factor Authentication being introduced? I have just recently stumbled across this wonderful network monitoring running on my QNAP. I am still in my trial period and want to join, but I am rather worried about total access to my network with just my username and password. Being able to use RDP and HTTP to access my devices' portals is great, but Two Factor Auth is really desperately required to be more secure.

 

Thanks

 

Daniel


Unfortunately we haven't had resources for implementing it.

Implementing a full 2FA is quite time consuming from a dev point of view. We have investigated integration with third-party solutions that are easy to integrate, but they are very expensive, and I'm not sure our customers would be happy to pay a few dollars per month per account only for this feature.

Feedback welcome.

In any case, this is still on our to-do list.

 


I think you have been looking at two factor in the wrong way. The only way it should be costing a few dollars per month is if you were looking at leveraging some SSO identity provider like Duo. Implementing Google Authenticator via web is relatively easy and low cost; one example is here: https://www.twilio.com/blog/2013/04/add-two-factor-authentication-to-your-website-with-google-authenticator-and-twilio-sms.html

However, and this is my opinion, it likely makes more sense these days to just move authentication to OAuth and allow 3rd parties like Google to be the primary identity provider. This gets you two factor and reduces your liability in a hack, as you wouldn't have any password information.


Two factor is a must!

I think you should re-prioritize it. I understand Fing is a main focus, but I would vote 2FA to the top of my feature list for Domotz.

Or, if you can't make it happen, give us the ability to disable remote access, and make it so you can only re-enable remote access from the agent's local interface.

And email on failed login attempts.

Security should trump features.


Hi,

 

Silvio says:

> Unfortunately we haven't had resources for implementing it. Implementing a full 2FA is quite time consuming 
> from dev point of view. We have investigated integration with third party solutions
> easy to integrate but they are very expensive, 

 

That's fair. So here's a suggestion. I am aware of a project in which we implemented support for Yubico (www.yubico.com), as we were able to reuse one of the numerous libraries they make available. Perhaps something like this, where interested users would pay by buying the tokens, and you would integrate the library supported by a third party.

YubiCloud (https://www.yubico.com/products/services-software/yubicloud/) offers free integration for a web API and it's quite straightforward.

I realise nothing is ever as easy and straightforward as it seems, but perhaps a model where you offload the expense to the user on a per-use basis like this could be explored instead of reworking the server and requiring a more recurring workload.

Note: I am completely unaffiliated with Yubico, just a (satisfied!) previous user.


This simply must be prioritized. It is absolutely impossible to recommend anyone use Domotz as a professional service when there is such a gaping security hole. Putting a Domotz agent on a client network means the entire network can be penetrated with a brute-force password hack.

It is only a matter of time before this explodes into a real problem when black hats realize this hole is out there.

I hope the FingBox / consumer product line is not draining attention from the main Domotz product; that would be a shame.

On a more positive note, when I was a product manager at a large, market-leading network equipment company and the engineers told me something that was really needed was hard to implement, I had two replies:

1 - If it was easy, we wouldn't have hired you and paid you that nice salary.

2 - The harder the better. Once we have it, we can brag and market the heck out of it, knowing it will take competitors a long time to catch up.


Thanks for all the feedback. Definitely the matter is important. I will do my best to provide a realistic/firm date just after CEDIA. 

 

I want to reassure SpivR that Fingbox is not draining attention away. It is a distinct team, even though we are leveraging each other's expertise and code. The Domotz team is 100% on Domotz as usual.

 


++1 on the 2FA. We will sometimes be using Domotz to manage our own equipment on a larger network that's managed by an MSP, and they are much more likely to block Domotz without what are now standard security features like 2FA.
