This is the first time I can't find an option to generate 2FA codes with a 3rd party app.
My team has a centralized repository of passwords and tries to make sure no-one uses personal devices/phones to generate/receive 2FA codes.
Is there a way to use 1pass to generate 2FA codes for SendGrid?
We want to use SSO for a group of apps (this will include GitLab, probably Drupal and a bunch of small apps I will write in Symfony for various tasks). We would currently like to use Google accounts to authenticate all apps, but because there are limits (I know you can increase them) on how many apps you can have and Google sometimes changes what features are free, it would be good to have the option of using our own login down the track if needed.
I have used SimpleSAMLphp in the past with GitLab (using a database to store credentials) and it worked well. Is there a way that I can use the Google Auth as an IDP and have SimpleSAMLphp record the email address to link the accounts etc and allow me to add things like groups etc in to send down to the app when a login happens? I would put a password field in the login table in the database as well so that if we decide to move away from Google we can generate random passwords and continue without too many issues.
The information I find online is for using SimpleSAMLphp as the IDP for gsuite etc (we will be using general Google accounts, not ones in gsuite) and not the other way around. I also couldn't see any Authentication Modules for Google authentication. Are there any tutorials or instructions anywhere on this?
You can accomplish what you are asking fairly easily. Instead of integrating your SPs with Google directly, integrate them with an SSP IdP you control, then set up your authentication page (i.e. the page redirected to by your authsource module) to be an SP for Google. Here's what that looks like:
vendor SP -> your SSP IdP -> your login app -> your SSP SP -> Google IdP
This way you end up with only a single Google integration configured for all your vendor integrations. There are numerous benefits to this approach:
You aren't affected by the number of integration constraints imposed by Google.
Since your vendor SP integrations are controlled on your own server, you can easily move to a different cloud-based IdP for authentication in the future without having to re-integrate all your SPs.
You can easily give your users alternate sign-in choices if you want.
You aren't constrained to SAML or protocols supported by Google. Many vendors still use proprietary token based authentication. These can easily be supported with this setup.
Happy to help with implementation details if you need it.
I am using forgot password to change my GitHub password, but it requires 2FA credentials and I lost the 2FA app as well. So is there any way I can change my password without using 2FA credentials?
A list of possibilities is given in this help page on GitHub.
To summarize, you can recover your account on your own, even after losing your 2FA app, if you (already) have:
A recovery code: you can download and safely keep a list of backup codes for situations like this.
A fallback number: a second phone number associated with your account.
A security key: you can have, for example, a physical USB stick as a security key.
Without these, there are two more methods provided, but they will take longer and are not guaranteed to recover your account:
Using a verified device, SSH token, or personal access token: you can apply for account recovery by proving that you are logging in from a device you have used before, or using an SSH or personal access token that has been used before. The request will then be manually considered by GitHub support.
Using an account recovery token on Facebook (if you have set it previously): This also requires manual verification.
In general, to avoid such issues in the future, it would be advisable to download (and perhaps print a physical copy of) the recovery codes for each service you use 2FA with, as that would be one of the easiest and fastest ways to recover your account.
I'm using activesync to sync exchange emails, where the authentication happens using basic auth. I was wondering if it's possible to use activesync with a single sign-on solution?
The only way to implement SSO on ActiveSync is with Certificate based authentication. ActiveSync has no support for identity federation, hence no SAML, OAuth, ... Setting up an internal CA is not that complicated, especially if you use Microsoft's CA: ADCS. Simply follow the instructions in the link from BastianW.
You will then need an Enterprise Mobility Management tool like AirWatch, MobileIron, ... to integrate with your CA and distribute the certificates seamlessly to your users.
I assume with SSO you wish to implement a way where your users can use their mobile phones without the need to adjust their password every time they change their password inside the Active Directory. The solution to do that is using "certificate-based authentication for Exchange ActiveSync". Via that approach an internal CA will create a certificate for the user which can be used on the mobile device to authenticate an ActiveSync session against your Exchange environment. As long as the certificate is valid the user can use that on their mobile device instead of a password.
Keep in mind that this requires a higher workload for the IT department (for most of my customers), so most of them started to use an MDM environment which can push these certificates to the enrolled devices nearly automatically. AirWatch for example can do that (but there might be others; however, I can only speak for AirWatch as this is in use by 6 customers).
And just another piece of advice on how we built that: we added additional IPs to the Exchange environment, then configured an additional ActiveSync site with certificate authentication. Then we could test the whole solution and later on switch over the users. But if you do not have that many users you might consider a "big bang" migration.
Simple activesync via BasicAuth is not really "the way".
E.g.: AirWatch is using the "Mobile Email Management", which works like a proxy to your network. Working that way, you can use SSO via AD / LDAP and so on...
I would highly recommend doing it that way.
I recently wanted to use one of my old project-specific GitHub accounts, where two-factor authentication was enabled. Since I was not able to remember the password I used the Forgot password option and reset the password.
However, after successfully changing the credentials, GitHub is as usual expecting the two-way authentication key. Since I do not have the same device now, I don't have GitHub configured to get the two-way authentication, nor do I have any more information about the account other than my login credentials.
Is there any way I could get the two-way factor working, or could I log in?
If you have the credentials of the GitHub account, you can log in to said account and enable 2FA.
Then you can generate a PAT (Personal Access Token) in order to use that as a password (and bypass the 2FA step when pushing in the command line).
Personal access tokens are useful when it's too cumbersome to provide a client/secret pair for a full application, such as when authenticating to GitHub from Git using HTTPS, or within a command line utility or script.
Later I reset my password, and I wasn't having the device on which I had configured my Duo Mobile. How could I log in now? It is asking for 2FA and I don't have any way to provide the key.
Then you would need to follow "Recovering your account if you lost your 2FA credentials"
Having access to your recovery codes in a secure place, or establishing a secondary mobile phone number for recovery, will get you back into your account.
Let’s say I have a contract between two parties published on the Web. I want both parties to be able to sign the contract to show they consent to the terms, the way they would with handwriting in real life. I have seen many TOS agreements online where this is done with just a check box, but I want to go a step further and enable each party to assert that the signature is theirs and not a forgery (somebody else checking the box for them).
Assuming the page is already served via HTTPS and username/password combos are not an option, which cryptographic technology is best suited for identity validation: PGP, SSL, or something else?
How might I do this using only HTML and a LAMP server on the other end, in such a way that the process is as automated as possible while still being secure? Code samples are obviously welcome but not necessary; I’m just trying to conceptualize it: do the contents of the contract have to be included in the signature? Do I have the users upload public keys or something? I’m no crypto expert so that’s where I get lost.
SSL is a transport security mechanism, it's not applicable.
You can use OpenPGP or you can use PKI (X.509 certificates and CMS format). These technologies let you sign the data twice or more times without invalidating previous signatures - this is done by using detached signatures.
The choice of what (PGP or PKI) to use is yours - these technologies can be used in similar scenarios, but have different ways to authenticate keys: in PGP user keys are signed by other users, while in PKI certificates are signed by certificate authorities, which is supposed to have more credibility.
When you "sign the document" using a cryptographic signature, from a technical point of view it's a hash of the document that is signed. The hash can be calculated on the server and sent to the client for signing, then the detached signature is transferred back to the server. So you can keep the document on the server, and the private keys used for signing will not leave the client.
However, to do actual signing on the client, you need some module which will communicate with the server and do the job. You can't go with just a web browser - some browser plug-in is required. The reason is that Javascript "cryptography", even if it technically allowed access to client-side keys stored in files or on cryptographic devices, has certain conceptual flaws which make it almost useless. So you end up with using something more trusted and secure, i.e. signed applet or ActiveX control or Flash script.
Our company provides various security components, among which there are components and modules for distributed signing (including above mentioned plugins). These modules are for PKI operations (though in general we also have components for OpenPGP operations, these components don't support distributed signing at the moment).
And I should note that "automation" here is possible to the extent that the user chooses the certificate to use and clicks the "sign" button (for example). You can't sign anything without the user's explicit action. In some cases the user would also need to provide a PIN / password which protects a private key from being misused.
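The hash-then-detached-signature flow described in the answer above, as an added example that is not part of the original post or the answerer's company's products: Go's standard-library Ed25519 stands in for PGP or X.509 keys, the server computes the contract digest, each party signs that digest on its own side, and the server stores the signatures beside the unchanged contract. The party names and the sample contract text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DetachedSignature lives beside the contract, never inside it, so new signers leave earlier signatures intact.
type DetachedSignature struct {
	Signer string
	Pub    ed25519.PublicKey
	Sig    []byte
}

// NewKey makes a party's signing key; it stands in for a PGP key or X.509 certificate (assumption for this example).
func NewKey() (ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, err
}

// ContractDigest is computed server-side and sent to the client; only these 32 bytes travel, the document stays put.
func ContractDigest(contract []byte) []byte {
	d := sha256.Sum256(contract)
	return d[:]
}

// Sign runs on the client; the private key never reaches the server, only the signature and public key do.
func Sign(name string, priv ed25519.PrivateKey, digest []byte) DetachedSignature {
	return DetachedSignature{Signer: name, Pub: priv.Public().(ed25519.PublicKey), Sig: ed25519.Sign(priv, digest)}
}

// VerifyAll re-hashes the stored contract and checks each signature; one changed byte fails all of them.
func VerifyAll(contract []byte, sigs []DetachedSignature) map[string]bool {
	digest := ContractDigest(contract)
	out := make(map[string]bool, len(sigs))
	for _, s := range sigs {
		out[s.Signer] = ed25519.Verify(s.Pub, digest, s.Sig)
	}
	return out
}
func main() {
	contract := []byte("Constructed sample: A pays B 100 units.") // constructed input
	alice, _ := NewKey()
	bob, _ := NewKey()
	d := ContractDigest(contract)
	sigs := []DetachedSignature{Sign("Alice", alice, d), Sign("Bob", bob, d)}
	fmt.Println(VerifyAll(contract, sigs))
}
```

Because each signature covers the digest of the contract rather than the other party's signature, a second signer can be added at any later time and a single edited byte of the text makes every stored signature fail verification.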