Chicken and egg - Onboarding 2FA mandatory cloudron user with 2FA app?
-
Hi,
I am wondering if some might have run into the same question / situation and what was the outcome.
The idea:
Creating Cloudron users with mandatory 2FA authentication
Upon 1st login, the user is then mandated to set up 2FA to access Cloudron's dashboard and thus the installed applications. Ideally, I would like for the user to be able to set up their 2FA authentication token within the Cloudron 2FA-installed app.
However, this is currently not possible since the access to the 2FA app is conditioned by.... accessing the dashboard and thus a successful Cloudron login. So, the chicken and the egg situation.... unless I am overlooking something?!?
Would anyone see any way around this? Possibly there are also some security concerns (2FA app on the same server as the user directory kind-of-thing) which I have not entirely drawn out, simply out of the fact that I am not sure that the above is possible to do.
Many thanks for any related inputs here.
-
I think Cloudron's 2FA token has to be put in elsewhere and not saved in the same 2FA app itself. There are also situations where if you lose your password then you cannot reset it (since reset password requires a 2FA code). Of course, in that case, you cannot log in to the 2FA app either.
-
@uwcrbc I am having people use vaultwarden which is independent of the Cloudron SSO. So you can onboard them there simultaneously.
-
Was discussing this with a friend yesterday and an analogy he gave me was this is like saving the password manager's password in the password manager itself.
This won't end well ultimately
@Joseph I understand this is not the absolute highest level of security and you'd be better off storing your 2FA keys in a separate module, but in practice this will decrease your security only very little. I'm also hosting Vaultwarden on a separate server than the cloudron they're using so this is also an improvement.
-
@andreasdueren ah no, I was referring to the initial post. vaultwarden is fine because it doesn't have Cloudron SSO. This means that you can't get locked out of Vaultwarden and cloudron since they don't share passwords. In OP's situation, 2FAAuth app and Cloudron are sharing the same password (like in the case of a password manager storing its own password).
-
@joseph said in Chicken and egg - Onboarding 2FA mandatory cloudron user with 2FA app?:
vaultwarden is fine because it doesn't have Cloudron SSO
Yet. Vaultwarden itself does now support OIDC.
-
@jdaviescoates said in Chicken and egg - Onboarding 2FA mandatory cloudron user with 2FA app?:
@joseph said in Chicken and egg - Onboarding 2FA mandatory cloudron user with 2FA app?:
vaultwarden is fine because it doesn't have Cloudron SSO
Yet. Vaultwarden itself does now support OIDC.
Or it looks like it will shortly
- So would hope for Cloudron SSO to be integrated also!
Yet in this case, 2FA or the 2FA of Vaultwarden does not really matter; ultimately the issue is the same:
- How to set up Cloudron 2FA with a Cloudron-installed 2FA application.
@joseph said in Chicken and egg - Onboarding 2FA mandatory cloudron user with 2FA app?:
Was discussing this with a friend yesterday and an analogy he gave me was this is like saving the password manager's password in the password manager itself.
This won't end well ultimately.
As mentioned, I get some of the security concerns of having the 2FA related application on a server requiring the same 2FA token to be usable, but there is also no denying the advantages:
- A central point to manage this app and related mechanism rather than spreading thin over various servers / architectures / platforms
- Especially on a product/service (Cloudron) that allows for user administration, administration of the app itself and administration of the 2FA security setting on the same architecture
In a limited context (single or small number of users), the resource costs related to on-boarding, administering and supporting often non- or limited-security-literate users can be apprehended with a simpler concept, whatever this one might be (e.g. 2FA app of the user's choosing etc.).
However, in a different scenario, where the number of users grows, SOPs make sense to be able to strike a reasonable balance between security, scalability and sustainability of the services.
It is within this context that my original question fits in - chicken and egg? In the end, I would envision a situation where Cloudron admins have their 2FA hosted somewhere else (to mitigate security-related / lock-up concerns), but end users would benefit from a 2FA Cloudron-related app.
Hopefully this makes sense also - thanks a lot for the inputs already!