Feature Wiki

Information about planned and released features

2-Factor-Authentication (2FA)

1 Initial Problem

At present, ILIAS does not offer two-factor authentication. It would be helpful for administrators and for 'sensitive installations'.

2 Conceptual Summary

2FA should be offered as an additional authentication method in the core of ILIAS.

3 User Interface Modifications

3.1 List of Affected Views

  • … { Please list titles of all views (screens) of ILIAS that should be modified, newly introduced or removed. }

3.2 User Interface Details

{ For each of these views please list all user interface elements that should be modified, added or removed. Please provide the textual appearance of the UI elements and their interactive behaviour. }

3.3 New User Interface Concepts

{ If the proposal introduces any completely new user interface elements, you might consult UI Kitchen Sink in order to find the necessary information to propose new UI-Concepts. Note that any maintainer might gladly assist you with this. }

3.4 Accessibility Implications

{ If the proposal contains potential accessibility issues that are neither covered by existing UI components nor clarified by guidelines, please list them here. For every potential issue please either propose a solution or write down a short risk assessment about potential fallout if there would be no solution for the issue. }

4 Technical Information

{ The maintainer has to provide necessary technical information, e.g. dependencies on other ILIAS components, necessary modifications in general services/architecture, potential security or performance issues. }

5 Privacy

{ Please list all personal data that will need to be stored or processed to implement this feature. For each datum give a short explanation why it is necessary to use that datum. }

6 Security

{ Does the feature include any special security-relevant changes, e.g. the introduction of new endpoints or other new possible attack vectors? If yes, please explain these implications and include a commitment to deliver a written security concept as part of the feature development. This concept will need an additional approval by the JourFixe. }

7 Contact

8 Funding

  • If you are interested in funding this feature, please add your name and institution to this list.
  • University of Basel - contact: Gilbert Francz @gilbertfrancz
  • Vitos Akademie - contact: Gunnar Hüttl

9 Discussion

Schmid, Fabian [fschmid] 2023-01-09: In the web context, there are many different, mostly proprietary 2FA implementations. For ILIAS, one would therefore have to implement a general plug-in interface, which in turn would have to rely on plug-ins in order to offer 2FA. I therefore recommend going one step further and supporting the standard "WebAuthn" instead of different 2FA methods. In this way, I think we are better positioned for the future with ILIAS. See also https://tracker.moodle.org/browse/MDL-76125

Francz, Gilbert [gilbertfrancz] Gilbert Francz, Universität Basel 2023-01-09: At least for administrator accounts, 2FA should be enabled/mandatory.
Secure software factors would be an authenticator app that implements HOTP/TOTP or a challenge-response protocol.
Secure hardware factors such as an RSA token, smartcard or FIDO2 authenticator are preferable.

10 Implementation

{ The maintainer has to give a description of the final implementation and add screenshots if possible. }

Test Cases

Test cases completed at {date} by {user}

  • {Test case number linked to Testrail} : {test case title}

Privacy

Information in privacy.md of component: updated on {date} by {user} | no change required

Approval

Approved at {date} by {user}.

Last edited: 15. Jul 2024, 13:46, Kunkel, Matthias [mkunkel]