Difference between revisions of "User talk:Brad Linden/Login MFA"

From Second Life Wiki
Jump to navigation Jump to search
(Created page with "Greetings Brad. I am backporting the MFA support to my viewer (the Cool VL Viewer) which, being a v1 viewer, does things differently to LL's viewer and TPVs based on it. Noth...")
 
(reply to questions)
 
Line 10: Line 10:


(*) If we except the fact that I do not own a smartphone and will not be able to even test my code !... Could we please get (at least on Aditi, for example) simple (plain text) email-based MFA so that viewer developers (I know that at least NiranV is in the same case as myself) can test the feature with their implementation without the need for a smartphone or any other third party device/application ?
(*) If we except the fact that I do not own a smartphone and will not be able to even test my code !... Could we please get (at least on Aditi, for example) simple (plain text) email-based MFA so that viewer developers (I know that at least NiranV is in the same case as myself) can test the feature with their implementation without the need for a smartphone or any other third party device/application ?
:Greetings Henri, thanks for your time and questions.  Sorry I didn't get back to you sooner.
:# I don't want to add these details to the API spec.  These should be treated as implementation details, but for the purposes of sanity checking, you can inspect the mfa_hash value. The current implementation of the mfa_hash is the concatenation of an ISO-8601 timestamp (for expiration of this hash value) and a hex encoded HMAC-SHA-512 value as output by an [https://datatracker.ietf.org/doc/html/rfc6238 RFC6238] implementation of TOTP, with a comma separating them.  I think the timestamp can be up to 27 or so characters, and the hex HMAC-SHA-512 will be 64 characters so that adds up to 92 characters of text.  Naturally this is subject to change if we add more authentication options beyond RFC6238 TOTP protocol.
:# I believe our QA engineers have had some success using the [https://pyauth.github.io/pyotp/ PyOTP] library for implementing an authenticator for testing without a closed smartphone application.  I don't know the details myself, but I would recommend investigating that if it suits your needs.
:Hope this helps, [[User:Brad Linden|Brad Linden]] ([[User talk:Brad Linden|talk]]) 17:22, 17 February 2022 (PST)

Latest revision as of 17:22, 17 February 2022

Greetings Brad. I am backporting the MFA support to my viewer (the Cool VL Viewer) which, being a v1 viewer, does things differently to LL's viewer and TPVs based on it.

Nothing difficult (*), but I'd like to make sanity checks in my code for the MFA hash I will store (in an LLXORCipher'ed and LLBase64-encoded form) in the user per-account settings (no LLSecAPIHandler in my viewer, and not planing/wanting to backport it). The sanity check is especially useful when retrieving the stored ciphered/encoded hash and decoding/deciphering it.

I therefore need to know whether the MFA hash got a fixed size or not, and if yes, what size it is; is it a MD5 or SHA1 hash, for example ?

So, if you could add details to the API specs about it, it would be great. :-)

Thank you in advance !

(*) If we except the fact that I do not own a smartphone and will not be able to even test my code !... Could we please get (at least on Aditi, for example) simple (plain text) email-based MFA so that viewer developers (I know that at least NiranV is in the same case as myself) can test the feature with their implementation without the need for a smartphone or any other third party device/application ?


Greetings Henri, thanks for your time and questions. Sorry I didn't get back to you sooner.
  1. I don't want to add these details to the API spec. These should be treated as implementation details, but for the purposes of sanity checking, you can inspect the mfa_hash value. The current implementation of the mfa_hash is the concatenation of an ISO-8601 timestamp (for expiration of this hash value) and a hex encoded HMAC-SHA-512 value as output by an RFC6238 implementation of TOTP, with a comma separating them. I think the timestamp can be up to 27 or so characters, and the hex HMAC-SHA-512 will be 64 characters so that adds up to 92 characters of text. Naturally this is subject to change if we add more authentication options beyond RFC6238 TOTP protocol.
  2. I believe our QA engineers have had some success using the PyOTP library for implementing an authenticator for testing without a closed smartphone application. I don't know the details myself, but I would recommend investigating that if it suits your needs.
Hope this helps, Brad Linden (talk) 17:22, 17 February 2022 (PST)