
Two Factor Authentication to Portal

Recommended Posts

boojew

Would be great to see two-factor enabled for the Domotz apps and web portal - especially since this gives remote access to my network...

  • Upvote 8

Frederik

Totally agree - this is a must have - Google Authenticator support for starters :-)

  • Upvote 1

vellanix
16 hours ago, Frederik said:

Totally agree - this is a must have - Google Authenticator support for starters :-)

DaveC

Yup, I would really be reassured to see two-factor support for the portal login given how much power you have once you are logged in.

cjohlandt

Add me to the list of folks who would like to see two-factor authorization for access to the portal. Ideally, I'd like to be able to force all team members to use it.

 

-Chris

SpivR

Two-factor authentication is critical! I cannot see recommending Domotz to any client until this level of security is provided.

 

With all the horrors of poor security in Internet-facing IoT devices (re: the Krebs on Security 600 Gbps DDoS attack from IoT devices), exposing a client network to remote access with nothing but regular password-level security is not an option.

 

In the meantime, is there a workaround to DISABLE all remote connections by setting a startup parameter or configuration parameter in the agent that cannot be bypassed?  (I mean disabling all remote access from outside the LAN via the proxy/reverse-proxy magic of the Domotz Agent "connect" options.)

 

For the actual 2FA implementation, I absolutely prefer Google Authenticator-compatible (time-based one-time key) and not just an SMS or push mechanism.

cjohlandt

I concur with SpivR. 2FA needs to be a high priority for Domotz. Google Auth would be preferable to SMS, but an open standard like FIDO would be even better. SpivR's comments also made me realize that we don't know anything about Domotz's security model and practices. I strongly suggest that Domotz share their security approach with the community so we can be sure that we are not putting our customers at risk and assure our customers that their home networks are safe with Domotz.

 

-Chris

 

SpivR
2 hours ago, cjohlandt said:

I concur with SpivR.  2FA needs to be a high priority for Domotz.  Google Auth would be preferable to SMS, but an open standard like FIDO would be even better.  SpivR's comments also made me realize that we don't know anything about Domotz's security model and practices.  I strongly suggest that Domotz share their security approach with the community so we can be sure that we are not putting our customers at risk and ensure our customers that their home networks are safe with Domotz.

 

-Chris

 

My understanding is that "Google Auth" is, or is based on, an industry standard. I use several apps on both iPhone and Apple Watch that are compatible and work with multiple services that support "Google Auth" without any special adjustments. I use Microsoft and other services that support this mechanism for 2FA. So my recommendation of supporting "Google Auth" for 2FA would mean lots of choices for the actual 2FA UI used by the end user/dealer for login.

rgericke

I agree that this is a must and I also agree that we should be able to enforce it for all users.

rgericke
On 12/29/2016 at 9:20 PM, rgericke said:

I agree that this is a must and I also agree that we should be able to enforce it for all users.

Integration with a two-factor provider like Duo would be gold!

Silvio

I know, guys. It is something we have wanted to do for a long time. But our dev team is really under pressure with a long queue of enhancements. I will do my best to raise the priority. Thanks for your patience and understanding.

SpivR

Thank you, Silvio, for your feedback. I do want to step back and say it is rare these days to find a vendor/manufacturer that is willing to be open about features and priorities. (With most others, requests just go into a black hole.)

 

That said, I do want to emphasize that two-factor authentication is one of the few features that is not simply a convenience or enhancement.  It goes to the core of security which is of huge concern to the public and the media nowadays - especially for home automation and IoT.

 

Also, since this involves your cloud server back-end, there is no workaround or hack that can be cobbled together unilaterally by users/geeks; it can only be implemented by Domotz, unlike many of the other requests for new features.

Silvio

Thanks. In this forum you can see a number of features that were requested by users and then implemented.

Over the next few weeks and months the team is deeply involved in some new features strongly requested by our customers:

- activity logging

- SNMP OID monitoring

- SNMP OID-based alerts

- simplified configuration of multi-VLAN monitoring

- many integrations (new PDUs, PoE switches, Cresnet, Lutron...)

But definitely, two-factor authentication will come just after.

 

 

  • Upvote 1

Daniel

Hi

 

Just wondering if there has been any more development on Two-Factor Authentication being introduced? I have just recently stumbled across this wonderful network monitoring running on my QNAP. I am still in my trial period and want to join, but I am rather worried about total access to my network with just my username and password. Being able to use RDP and HTTP to access my devices' portals is great, but Two-Factor Auth is really desperately required to be more secure.

 

Thanks

 

Daniel

Silvio

Unfortunately we haven't had resources for implementing it.

Implementing a full 2FA is quite time-consuming from a dev point of view. We have investigated integration with third-party solutions that are easy to integrate, but they are very expensive, and we are not sure our customers would be happy to pay a few dollars per month per account only for this feature.

 

Feedback welcome. 

 

In any case this is still on our to-do list.

 

boojew

I think you have been looking at two-factor in the wrong way. The only way it should be costing a few dollars per month is if you were looking at leveraging some SSO identity provider like Duo. Implementing Google Authenticator via web is relatively easy and low cost - one example is here https://www.twilio.com/blog/2013/04/add-two-factor-authentication-to-your-website-with-google-authenticator-and-twilio-sms.html

 

However, and this is my opinion, it likely makes more sense these days to just move authentication to OAuth and allow 3rd parties like Google to be the primary identity provider. This gets you two-factor and reduces your liability in a hack as you wouldn't have any password information.

eti

Two-factor is a must!

I think you should re-prioritize it. I understand Fing is a main focus, but I would vote 2FA to the top of my feature list for Domotz.

Or, if you can't make it happen, give us the ability to disable remote access, and make it so you can only re-enable remote access from the agent's local interface.

And email on failed login attempts.

 

security should trump features

eembee

Hi,

 

Silvio says:

> Unfortunately we haven't had resources for implementing it. Implementing a full 2FA is quite time consuming 
> from dev point of view. We have investigated integration with third party solutions
> easy to integrate but they are very expensive, 

 

That's fair. So here's a suggestion. I am aware of a project in which we implemented support for Yubico (www.yubico.com), as we were able to reuse one of the numerous libraries they make available. Perhaps something like this, where interested users would pay by buying the tokens, and you would integrate the library supported by a third party.

 

YubiCloud (https://www.yubico.com/products/services-software/yubicloud/) offers free integration via a web API and it's quite straightforward.

 

I realise nothing is ever as easy and straightforward as it seems, but perhaps a model where you offload the expense to the user on a per-use basis like this could be explored instead of reworking the server and requiring a more recurring workload.

 

Note: I am completely unaffiliated with Yubico, just a (satisfied!) previous user.

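For eembee's suggestion, the part the relying party (here, the portal) has to implement is small: send the OTP to the validation server with a fresh nonce, then check the server's HMAC-SHA1 signature, that the echoed OTP and nonce match what was sent, that the status is OK, and that the OTP's public-ID prefix is the key enrolled for that account. The following is an added example, not Domotz's code and not Yubico's own client library; it follows the YubiCloud validation protocol v2.0 response format as this editor understands it (key=value lines, with h = base64(HMAC-SHA1(base64-decoded API key, other parameters sorted by name and joined with &)). The client ID, API key, OTP value and server response are all constructed locally so the example runs offline; a real integration would fetch the response over HTTPS from the validation endpoint.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed stand-ins; a real client id / API key pair is issued by Yubico.
DEMO_CLIENT_ID = "1"
DEMO_API_KEY_B64 = base64.b64encode(b"constructed-demo-api-key").decode()
# A Yubico OTP is modhex: a public identity (12 chars by default) followed by 32 chars
# of encrypted counter/timestamp. This value is constructed, not real token output.
DEMO_OTP = "cccccclhfvck" + "kbjgiddtcbhrhtlfvinbkgthjntbcnhh"

MODHEX = set("cbdefghijklnrtuv")


def public_id(otp: str) -> str:
    """The key's public identity: everything before the 32-char encrypted part."""
    if len(otp) < 34 or not set(otp) <= MODHEX:
        raise ValueError("not a well-formed Yubico OTP")
    return otp[:-32]


def sign_params(api_key_b64: str, params: dict) -> str:
    """HMAC-SHA1 over 'k=v&k=v' of all parameters except h, sorted by key, base64-encoded."""
    key = base64.b64decode(api_key_b64)
    msg = "&".join(f"{k}={v}" for k, v in sorted(params.items()) if k != "h")
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()


def build_verify_query(client_id: str, otp: str, nonce: str, api_key_b64: str) -> dict:
    """Query parameters the client sends to the /wsapi/2.0/verify endpoint, signed."""
    params = {"id": client_id, "otp": otp, "nonce": nonce, "timestamp": "1"}
    params["h"] = sign_params(api_key_b64, params)
    return params


def parse_response(text: str) -> dict:
    """Response body is one 'key=value' per line."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            k, _, v = line.partition("=")
            out[k.strip()] = v.strip()
    return out


def verify_response(api_key_b64: str, response_text: str, sent_otp: str,
                    sent_nonce: str, enrolled_public_id: str):
    """Return (accepted, reason). Every check here is needed; none is optional."""
    resp = parse_response(response_text)
    sig = resp.get("h", "")
    if not sig or not sig.isascii():
        return False, "missing signature"
    if not hmac.compare_digest(sign_params(api_key_b64, resp), sig):
        return False, "bad signature"           # response not from the validation server
    if resp.get("status") != "OK":
        return False, resp.get("status", "missing status")
    if resp.get("otp") != sent_otp:
        return False, "otp mismatch"            # signed answer for some other OTP
    if resp.get("nonce") != sent_nonce:
        return False, "nonce mismatch"          # replay of an earlier signed OK answer
    if public_id(sent_otp) != enrolled_public_id:
        return False, "OTP is from a key not enrolled for this account"
    return True, "OK"


def simulated_server_response(api_key_b64: str, otp: str, nonce: str, status: str = "OK") -> str:
    """Constructed stand-in for the validation server so the example runs offline."""
    params = {"t": "2017-09-01T12:00:00Z0000", "otp": otp, "nonce": nonce,
              "sl": "100", "status": status}
    params["h"] = sign_params(api_key_b64, params)
    return "".join(f"{k}={v}\r\n" for k, v in params.items())


if __name__ == "__main__":
    nonce = secrets.token_hex(16)               # 32 alphanumeric chars, fresh per request
    query = build_verify_query(DEMO_CLIENT_ID, DEMO_OTP, nonce, DEMO_API_KEY_B64)
    print("would send:", query)
    body = simulated_server_response(DEMO_API_KEY_B64, DEMO_OTP, nonce)
    print(verify_response(DEMO_API_KEY_B64, body, DEMO_OTP, nonce, "cccccclhfvck"))
```

The last check is the one integrators most often forget: the validation server only says the OTP came from some genuine YubiKey, not from this user's YubiKey, so the public ID must be bound to the account at enrollment and compared on every login.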
SpivR

This simply must be prioritized. It is absolutely impossible to recommend anyone use Domotz as a professional service when there is such a gaping security hole. Putting a Domotz agent on a client network means the entire network can be penetrated with a brute-force password hack.

It is only a matter of time before this explodes into a real problem when black hats realize this hole is out there.

I hope the FingBox / Consumer product line is not draining attention from the main Domotz Product, that would be a shame.

 

On a more positive note, when I was a product manager at a large market-leading network equipment company and the engineers told me something that was really needed was hard to implement, I had two replies:

1 - if it was easy, we wouldn't have hired you and paid you that nice salary

2 - the harder the better. Once we have it, we can brag and market the heck out of it, knowing it will take competitors a long time to catch up.
Silvio

Thanks for all the feedback. Definitely the matter is important. I will do my best to provide a realistic/firm date just after CEDIA.

I want to reassure SpivR that Fingbox is not draining attention away. It is a distinct team, even though we are leveraging each other's expertise and code. The Domotz team is 100% on Domotz as usual.
mydigitalbubble

Definitely another +1 for re-prioritising 2FA to the top of the wish list.

Google Auth would be good from my point of view.

jarret12

++1 on the 2FA. We will sometimes be using Domotz to manage our own equipment on a larger network that's managed by an MSP, and they are much more likely to block Domotz without what are now standard security features like 2FA.
