View Issue Details

ID: 18352
Project: Bug reports
Category: Plugins
View Status: public
Last Update: 2023-07-07 23:04
Reporter: MSouad
Assigned To: gabrieljenik
Priority: high
Severity: block
Status: feedback
Resolution: open
Summary: 18352: setting up 2FA with YubiKey
Description

Difficulties setting up 2FA with YubiKey.
It works just fine with the general account to log in to https://www.limesurvey.org/ but doesn't work with the admin login (https://firm-ifdh.limesurvey.net/admin).

How then to make sure the 2FA works with YubiKey?

Steps To Reproduce

  • Install the plugin (cloud service)
  • Try to configure the 2FA

Expected result

(Write here what you expected to happen)

Actual result

The plugin keeps on displaying the QR code, even after selecting YubiKey as authentication tool

Tags: No tags attached.
Bug heat: 6
Complete LimeSurvey version number (& build): Version 5.3.31
I will donate to the project if issue is resolved: No
Browser:
Database type & version: 447
Server OS (if known):
Webserver software & version (if known):
PHP Version: N/A

Activities

c_schmitz

2022-10-05 19:57

administrator   ~72130

The current 2FA options are repetitive or not supported.
Remove all 2FA options except for two:

  • TOTP (Google Authenticator, Authy, etc.)
  • Yubikey OTP

Yubikey is currently not implemented but most easy to fix, because it is a simple REST call.

chrie

2023-06-22 10:39

reporter   ~75783

The issue still exists in Version 5.6.25. It was tested in the cloud version.
Maybe it doesn't fit right here, but account.limesurvey.org should also get the option to use MFA.

gabrieljenik

2023-07-07 23:03

manager   ~75987

We believe the Yubikey story could be on its own ticket.

The Yubikey seems to fit on a different plugin.
1) The user flow for setting Yubikey is a bit different.
Instead of having LS generate a QR code for inputting in the app, I guess we would need to enter something from the key into LS, right?
2) The token generated from the key, I believe, has a different validation method.

Also, regarding

"Yubikey is currently not implemented but most easy to fix, because it is a simple REST call."

Do you have some docs around it?
We found this, but not sure it is the same as you thought.

As the Yubikey is not implemented, we thought of removing that option.
We also thought about completing the story just by "removing all 2FA options except for TOTP", but that would leave only 1 option. Is that OK?
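
The two differences raised in the note above (what is stored at setup, and how a token is validated), as an added example that is not LimeSurvey or plugin code. It assumes "Yubikey OTP" means Yubico OTP checked against Yubico's validation protocol 2.0, where the server makes a signed REST call rather than computing a code from a shared secret as with TOTP; the client id, API key and OTP are constructed sample values, and fake_reply is a hypothetical stand-in for the validation server so the block runs offline.

```python
import base64, hashlib, hmac, re, secrets

# 2-16 ModHex characters of public ID, then the 32-character encrypted part.
OTP_RE = re.compile(r"^[cbdefghijklnrtuv]{34,48}$")

def public_id(otp):
    """Identity of the key; this, not a shared secret, is what enrollment stores."""
    otp = otp.strip().lower()
    if not OTP_RE.match(otp):
        raise ValueError("not a Yubico OTP")
    return otp[:-32]

def sign(params, api_key_b64):
    """Base64 HMAC-SHA1 over the key=value pairs sorted by key and joined with '&'."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params))
    key = base64.b64decode(api_key_b64)
    return base64.b64encode(hmac.new(key, msg.encode(), hashlib.sha1).digest()).decode()

def build_request(client_id, otp, api_key_b64):
    """Query parameters for the verify call; the nonce binds the reply to this request."""
    params = {"id": client_id, "otp": otp.strip().lower(), "nonce": secrets.token_hex(16)}
    params["h"] = sign(params, api_key_b64)
    return params

def accept(body, request, enrolled_id, api_key_b64):
    """True only for a correctly signed OK reply to this request from the enrolled key."""
    resp = dict(line.strip().split("=", 1) for line in body.splitlines() if "=" in line)
    sig = resp.pop("h", "")
    return (hmac.compare_digest(sig.encode(), sign(resp, api_key_b64).encode())
            and resp.get("status") == "OK"
            and resp.get("otp") == request["otp"]
            and resp.get("nonce") == request["nonce"]
            and public_id(request["otp"]) == enrolled_id)

# Constructed sample values: not a real key, client id or OTP.
API_KEY = base64.b64encode(b"constructed-demo-key").decode()
SAMPLE_OTP = "ccccccbchvth" + "cbdefghijklnrtuv" * 2

def fake_reply(request, status):
    """Stand-in for the validation server so the example runs offline."""
    fields = {"otp": request["otp"], "nonce": request["nonce"], "status": status}
    lines = [f"{k}={v}" for k, v in fields.items()] + [f"h={sign(fields, API_KEY)}"]
    return "\r\n".join(lines)

if __name__ == "__main__":
    req = build_request("12345", SAMPLE_OTP, API_KEY)
    print(accept(fake_reply(req, "OK"), req, public_id(SAMPLE_OTP), API_KEY))
    print(accept(fake_reply(req, "REPLAYED_OTP"), req, public_id(SAMPLE_OTP), API_KEY))
```

Setup therefore needs one touch of the key to capture its public ID, and every later login is accepted only if the reply is signed, reports OK, echoes the same OTP and nonce, and comes from the enrolled ID.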

Issue History

Date Modified Username Field Change
2022-09-14 19:17 MSouad New Issue
2022-09-15 09:30 c_schmitz Assigned To => gabrieljenik
2022-09-15 09:30 c_schmitz Status new => assigned
2022-09-15 09:30 c_schmitz Priority none => urgent
2022-09-15 09:31 c_schmitz Assigned To gabrieljenik => c_schmitz
2022-10-05 19:57 c_schmitz Note Added: 72130
2022-10-05 19:57 c_schmitz Bug heat 0 => 2
2023-06-16 10:24 c_schmitz Assigned To c_schmitz => gabrieljenik
2023-06-22 10:39 chrie Note Added: 75783
2023-06-22 10:39 chrie Bug heat 2 => 4
2023-06-22 14:35 gabrieljenik Assigned To gabrieljenik => p_teichmann
2023-06-22 18:00 p_teichmann Assigned To p_teichmann => gabrieljenik
2023-06-22 18:11 gabrieljenik Priority urgent => high
2023-07-07 23:03 gabrieljenik Note Added: 75987
2023-07-07 23:03 gabrieljenik Bug heat 4 => 6
2023-07-07 23:04 gabrieljenik Status assigned => feedback