Setting up two-factor authentication

Yubikey authentication tokens (Tuskfish 2 only)

You can increase the login security of your website by enabling two-factor authentication. This means that logging in requires both a password (something you know) and a physical hardware token (something you have).

Two-factor authentication is optionally available with a Yubikey hardware token as the second factor. These are not free, but they are very cool and reasonably priced (US$40 and up). Yubikeys plug into a USB port and emit a one-time password (OTP) when you press the button. Tuskfish sends the OTP to Yubico's authentication servers for validation, in addition to evaluating your own password locally. Only if both authentication tests are validated will you be permitted to login.

Please note: Yubikey support is now only available in Tuskfish 2. The old (V1) Yubicloud protocol that was supported by Tuskfish 1 has been deprecated.

Some configuration is required to set up two factor authentication. Here's what you need to do:

  • Buy a Yubikey from yubico.com. Have a Google around for discount coupons, sometimes you can find one.
  • Get a Client ID and API key from the Yubico website.
  • Edit trust_path/configuration/config.php and add the following lines to the end of the file, inserting your own client ID and API key:
// Yubikey
if (!defined("TFISH_YUBIKEY_ID"))
define("TFISH_YUBIKEY_ID", "your_client_id");

if (!defined("TFISH_YUBIKEY_SIGNATURE_KEY"))
    define("TFISH_YUBIKEY_SIGNATURE_KEY", "your_api_key");
  • Trigger your Yubikey in a text editor and copy the first 12 characters of the output. This is the ID of your particular Yubikey (please note, this is a different thing from your client ID).
  • Browse the 'user' table of your database in phpLiteAdmin (see the section on Manually editing your database). Edit the record for the admin user and enter the ID of your Yubikey in the yubikey_id field, and save it. There is a second field if you happen to have a backup Yubikey.
  • Open trust_path/libraries/tuskfish/routingTable.php. You must i) delete (or comment out) the standard username / password login route, then ii) uncomment the alternative two-factor login route, which uses the Yubikey classes:
// Standard username / password login route. Delete to disable.
'/login/' => new Route(
    '\Tfish\Model\Login',
    '\Tfish\ViewModel\Login',
    '\Tfish\View\Single',
    '\Tfish\Controller\Login',
    false),
// Alternative two-factor login route for use with Yubikey. Uncomment to enable.
//    '/login/' => new Route(
//    '\Tfish\Model\Yubikey',
//    '\Tfish\ViewModel\Yubikey',
//    '\Tfish\View\Single',
//    '\Tfish\Controller\Yubikey',
//    false),
  • Visit yoursite.com/login/ and verify that you can now login by entering your password and triggering your Yubikey in the form.

Please note that if you have enabled additional admin(s) on your site they must use separate Yubikeys, as the Yubikey ID is used to identify the relevant user record (you cannot use the same Yubikey for more than one person).

Other hardware tokens

At this stage I have no plans to add support for any other hardware token. If you would like one added contact me and I'll think about it. But here's the deal - if I agree to try and add support for your preferred token you have to buy me one to experiment with, or persuade the company to give me one, because I'm not forking out for it. I'm very happy with my Yubikeys and am not interested in anything else.

Please note that I will not support RSA tokens due to this and this and this and this. Would you?

Copyright, all rights reserved.

Related

Tuskfish CMS User Manual

The user manual provides a comprehensive guide to Tuskfish CMS operations. It covers all all aspects from installation to adding and curating content, managing site security and customisation of themes. For additional information on how to customise Tuskfish please see the developer guide.