Setting up two-factor authentication

5 February 2018 | Tags: Documentation, Security

Yubikey authentication tokens

You can increase the login security of your website by enabling two-factor authentication. This means that logging in requires both a password (something you know) and a physical hardware token (something you have).

Two-factor authentication is optionally available with a Yubikey hardware token as the second factor. These are not free, but they are very cool and reasonably priced (US$40 and up). Yubikeys plug into a USB port and emit a one-time password (OTP) when you press the button. Tuskfish sends the OTP to Yubico's authentication servers for validation, in addition to evaluating your own password locally. You will be permitted to log in only if both authentication tests pass.

Some configuration is required to set up two-factor authentication. Here's what you need to do:

  • Check that your webserver has the PHP cURL extension installed.
  • Buy a Yubikey from yubico.com. Have a Google around for discount coupons; sometimes you can find one.
  • Get a Client ID and API key from the Yubico website.
  • Copy the file /extras/2_factor_authentication/login.php to /admin/login.php, overwriting the existing file. Do not keep the old login.php on the server.
  • Edit trust_path/configuration/config.php and add the following lines to the end of the file, inserting your own client ID and API key:
      // Yubikey
      if (!defined("TFISH_YUBIKEY_ID"))
          define("TFISH_YUBIKEY_ID", "your_client_id");

      if (!defined("TFISH_YUBIKEY_SIGNATURE_KEY"))
          define("TFISH_YUBIKEY_SIGNATURE_KEY", "your_api_key");

      if (!defined("TFISH_YUBIKEY_TIMESTAMP_TOLERANCE"))
          define("TFISH_YUBIKEY_TIMESTAMP_TOLERANCE", "600");

      if (!defined("TFISH_YUBIKEY_CURL_TIMEOUT"))
          define("TFISH_YUBIKEY_CURL_TIMEOUT", "600");
  • Trigger your Yubikey in a text editor and copy the first 12 characters of the output. This is the ID of your particular Yubikey.
  • Browse the 'user' table of your database in phpLiteAdmin (see the section on Manually editing your database). Edit the record for the admin user and enter your Yubikey ID in the yubikey_id field, and save it. There is a second field if you happen to have a backup Yubikey.

That's it. You should now be able to log in by entering your password and triggering your Yubikey in the login.php form.
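The two checks this setup relies on, shown as an added example that is not Tuskfish's own code: the first 12 characters of the OTP must match a Yubikey ID enrolled for the user, and the validation server's reply must be signed with your API key and echo the OTP and nonce you sent. It assumes the response fields and HMAC-SHA1 signing of Yubico's validation protocol 2.0; the function names and all sample values are constructed for illustration.

```php
<?php // Added illustration, not Tuskfish code; all names and values are constructed.

// Public ID = first 12 of the 44 modhex characters a Yubikey types.
function yubikey_public_id(string $otp): ?string
{
    $otp = strtolower(trim($otp));
    return preg_match('/^[cbdefghijklnrtuv]{44}$/', $otp) ? substr($otp, 0, 12) : null;
}

// Signature per Yubico's validation protocol: HMAC-SHA1 over the sorted
// key=value pairs (without "h"), keyed with the base64-decoded API key.
function yubico_signature(array $params, string $apiKeyB64): string
{
    unset($params['h']);
    ksort($params);
    $pairs = array_map(fn($k, $v) => "$k=$v", array_keys($params), $params);
    return base64_encode(
        hash_hmac('sha1', implode('&', $pairs), base64_decode($apiKeyB64), true)
    );
}

// True only if the token is enrolled for this user AND the server reply is
// signed, echoes our OTP and nonce, and reports status OK.
function second_factor_ok(string $otp, string $nonce, array $enrolledIds,
                          array $reply, string $apiKeyB64): bool
{
    $id = yubikey_public_id($otp);
    if ($id === null || !in_array($id, $enrolledIds, true)) {
        return false; // a valid OTP from somebody else's key must not pass
    }
    foreach (['h', 'otp', 'nonce', 'status'] as $field) {
        if (!isset($reply[$field])) return false;
    }
    return hash_equals(yubico_signature($reply, $apiKeyB64), $reply['h'])
        && hash_equals($otp, $reply['otp'])
        && hash_equals($nonce, $reply['nonce'])
        && $reply['status'] === 'OK';
}

// Constructed sample data: API key, enrolled ID, two OTPs, signed replies.
$apiKey   = base64_encode('constructed-demo-key');
$enrolled = ['cccccccfhcbe'];                        // value of yubikey_id
$mine     = 'cccccccfhcbe' . str_repeat('dhrg', 8);  // OTP from the enrolled key
$other    = 'ccccccbtjnvu' . str_repeat('dhrg', 8);  // OTP from a different key
foreach ([$mine, $other] as $otp) {
    $reply = ['otp' => $otp, 'nonce' => 'a1b2c3d4e5f6a7b8', 'status' => 'OK', 't' => '2018-02-05T10:00:00Z0123'];
    $reply['h'] = yubico_signature($reply, $apiKey);
    var_dump(second_factor_ok($otp, 'a1b2c3d4e5f6a7b8', $enrolled, $reply, $apiKey));
}
```

Both sample replies are correctly signed and report OK, so the only thing separating the two results is the enrolled-ID check: without it, any genuine Yubikey would satisfy the second factor.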

Other hardware tokens

At this stage I have no plans to add support for any other hardware token. If you would like one added, contact me and I'll think about it. But here's the deal - if I agree to try and add support for your preferred token you have to buy me one, or persuade the company to give me one, because I'm very happy with my Yubikeys and am not interested in anything else.

Please note that I will not support RSA tokens due to this and this and this.
