Correct implementation of two factor integration

Currently, I can only register a single instance of PVM to my Google Authenticator or Duo Mobile 2FA applications. This is because PVM incorrectly binds the vendor ID ('PasswordVaultManager') to the account field instead of the application field and does not allow the user to uniquely identify the 2FA pairing using the account field (e.g. 'home' or 'user@email.nul').

--sky

All Comments (10)

Hi,
We did that to keep it simple. I will make sure to allow the option to override it.

David Hervieux

Excellent! Thank you.

Hello,

This should be available in the current beta version of RDM. You can download it here: http://remotedesktopmanager.com/Home/Download#beta

This is available in File > Options > Security tab. This won't affect the 2 factor authentication for the datasources, just with RDM. If you can give it a try and give us some feedback, it would be appreciated.

Regards,

Hubert Mireault

I will give it a whirl, sir!

Observations:

Able to add custom account OK. But, the application field is blank (see attached image for example).

Embedding a slash (/) in the account identifier caused the bar code reader to fail, as the string must be URL escaped before being passed to the API.

Hello Daniel,

When I put in a "/" or %2F, both of them resolve to a "/" in the Google Authenticator account name without the bar code reader failing. Could you give me an example of what you write in that makes the reader fail?

As for the application field, I'll see what I can do and get back to you about it. I think the picture didn't post with your last post, so if you could try reposting the screenshot, it'd be appreciated.

Regards,
edited by Hubert Mireault on 7/9/2015

Hubert Mireault

I entered 'RDM / sky.schulz@2k.com' and when trying to link the account got the following error message in Google Authenticator: https://dl.dropboxusercontent.com/u/12998605/rdm/IMG_0069.PNG

I think it's just a matter of binding the issuer parameter: https://github.com/google/google-authenticator/wiki/Key%20Uri%20Format

The recommended practice is to both prefix the Label and include the Issuer parameter with issuer identity, to prevent account collisions: https://github.com/google/google-authenticator/wiki/Conflicting-Accounts
edited by sky@ogn.org on 7/9/2015

The issuer feature will be implemented in the next RDM version.

As for the issue with the QR code not working properly, it has to do with the spaces. It seems the iOS version of Google Authenticator is unable to scan QR codes that link to URLs with spaces, even if the characters are escaped. I hadn't seen this issue since I tested with the Android version. There doesn't seem to be a way around it, so the spaces would have to be removed if using Google Authenticator with an iPhone.

Regards,

Hubert Mireault
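
The Key URI layout discussed in this thread, as an added example that is not part of the original posts and is not RDM's code: it builds an `otpauth://` URI with the issuer in both the label prefix and the `issuer` parameter, percent-encodes `/` and spaces, and checks an existing URI for the missing-issuer case from the first post. The function names, the `strip_spaces` option and the sample secret are assumptions made for illustration.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit


def build_totp_uri(issuer, account, secret_b32, strip_spaces=False):
    """Return an otpauth:// URI carrying the issuer as label prefix and parameter."""
    if strip_spaces:
        # Workaround reported in the thread for iOS Google Authenticator.
        issuer, account = issuer.replace(" ", ""), account.replace(" ", "")
    for name, value in (("issuer", issuer), ("account", account)):
        if not value or ":" in value:
            raise ValueError(f"{name} must be non-empty and must not contain ':'")
    # safe="" encodes '/' as %2F and ' ' as %20 (quote_plus would emit '+').
    enc_issuer, enc_account = quote(issuer, safe=""), quote(account, safe="")
    return (f"otpauth://totp/{enc_issuer}:{enc_account}"
            f"?secret={secret_b32}&issuer={enc_issuer}")


def parse_totp_uri(uri):
    """Split a URI into issuer prefix, account and issuer parameter."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    label = unquote(parts.path.lstrip("/"))
    prefix, sep, account = label.partition(":")
    if not sep:  # no issuer prefix: the whole label is the account name
        prefix, account = None, label
    issuer_param = parse_qs(parts.query).get("issuer", [None])[0]
    return {
        "issuer_prefix": prefix,
        "account": account.lstrip(" "),
        "issuer_param": issuer_param,
        # Collision-safe only when both issuer locations are set and agree.
        "consistent": prefix is not None and prefix == issuer_param,
    }


if __name__ == "__main__":
    SECRET = "JBSWY3DPEHPK3PXP"  # constructed sample secret, not a real key
    for acct in ("home", "RDM / user@email.nul"):
        uri = build_totp_uri("PasswordVaultManager", acct, SECRET)
        print(uri, parse_totp_uri(uri))
    legacy = "otpauth://totp/PasswordVaultManager?secret=" + SECRET
    print(parse_totp_uri(legacy))  # issuer missing in both places
```

With the issuer in both places, two vaults registered as `home` and `user@email.nul` appear as separate entries in the authenticator app instead of overwriting one another.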