CodeWatch Update – Two Factor Access

I updated the authentication features of CodeWatch over the weekend to support two-factor authentication (2FA). This is an update I’ve wanted to make for a while but never seemed to have the time due to other commitments or projects. I waited a few days so that I could test before posting. If you have an account, you can now go into the “Account” tab and click the “Two Factor” option to configure this setting.

What this means is that you can add a second factor of authentication to your account. For more information on 2FA, see this Wikipedia entry. The system currently supports two different 2FA options; SMS based phone 2FA and email based 2FA. All you have to do is enable 2FA for your account, configure email or phone based 2FA, and then enter a PIN. The PIN can really be any value and might be a little overkill (think second password, but without the same complexity and length requirements).

I am using the Time-based One Time Password Algorithm (TOTP) to create the 2FA token. You can read more about this here. I leveraged information from the PHP site here as well as this Github project here for implementation in my app.

Additional security properties include:

  • The token length is 8 digits.
  • I am using the openssl_random_pseudo_bytes function with a 32 byte length value to generate a random key to seed each TOTP token.
  • The token is only valid for 180 seconds. I felt this was a reasonable time to receive and enter the token.
  • The token is stored in memory and is single use only; it is removed after the first successful usage or after the 180 seconds has expired.
  • The PIN used in combination with the token is stored as a hash using bcrypt, an IV unique to each account, and a work factor.

I decided to use Twilio for SMS based integration. I had never used Twilio before but was happy to find that for my simple purposes it was crazy easy. It took maybe a few minutes to figure out, implement, and test.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: