Draft: Plone Multi Factor Authentication

[loechel]

PLIP (Plone Improvement Proposal)

Responsible Persons

Proposer: Alexander Loechel (@loechel)

Seconder:

Abstract

Plone stands for security, so Plone should support multi factor authentication (e.g. OTOP, FIDO2, Passkeys) out of the box and additional with SSO Systems (SAML2 and OIDC).

Motivation

Making Plone more secure and also helping martekting Plone as a secure System that support advanced security features.

Assumptions

Proposal & Implementation

Implement various Multi Factor Authentication Schemes:

• OTOP (Authenticator Apps)
• FIDO2 Hardware Token --> https://www.yubico.com/authentication-standards/fido2/ --> https://github.com/Yubico/python-fido2
• PassKeys --> https://passkeys.dev/docs/tools-libraries/libraries/

Deliverables

A Plone Control Panel for Authentication that let you select if MFA is required, and for with base Role you want it to be enforced.

Options should be:

• not enabled
• optional for user
• enfoced for adminstrators
• enfoced for all users

Both needs beside a Backend integration a frontend part in Volto and PloneClassicUI

Risks

Make Plone more complicated.

Participants

[tisto]

@loechel +1 from me. However, would it make sense to split this PLIP into smaller PLIPs that can be tackled individually?

[davisagli]

@tisto I think it would make sense to do some more work on the UX design for this with the goal of supporting multiple MFA systems in mind. Then we could prioritize and split into separate PLIPs for implementation once we have a clear idea of what framework they should fit into.