
New security features implemented in Canaille

We have been working recently on key security features for Canaille, as parts of our NLNet grant.

Security

During this sprint we focused on implementing security recommendations published by the French national cybersecurity agency, ANSSI.

Multi-factor Authentication

In the old days, asking for a password was considered sufficient to verify the identity of a person on the internet. However, there are multiple ways to guess a password or steal it from someone, and users quickly formed less than ideal habits around them, like using the same password on every website. But it's not just passwords. Software developers came to the realization that, especially for sensitive applications, you can't get away with using a single authentication method: every one of them has its weaknesses, and can eventually be cracked.

The solution was found in asking users to authenticate themselves using two or more authentication methods, or factors, hence the name multi-factor authentication.

For an identity management software like Canaille, this was a key feature to have, and we implemented it for four different methods: HOTP, TOTP, codes sent by email, and codes sent by SMS.

The HOTP/TOTP methods require the user to download and set up an authenticator mobile app or software (like FreeOTP), which will in turn produce one-time passwords. These passwords change periodically (each time you press the button in your authenticator for HOTP, or after a fixed period for TOTP), which makes it harder for attackers to get their hands on a password and use it in time. These are probably the most secure authentication factors available now for Canaille.

The remaining two factors (codes via email or SMS) are more basic but still offer better security when combined with the password. They may suit use cases where ease of use matters more than security. The email method requires the administrators of the Canaille instance to have configured an SMTP server. Likewise, a functioning SMPP server is needed for the SMS method.

These factors can be stacked, up to 3 different factors (HOTP and TOTP, which use the same authenticator app, are mutually exclusive) in addition to the traditional password. The user will then need to fill out all the required codes in order to log in to their account. The MFA feature can also be deactivated completely; in that case the user will only need their password to log in.

Intruder lockout

To prevent brute-force attacks on Canaille accounts, we added a delay between failed login attempts. The delay doubles each time someone enters a wrong password. We also considered locking accounts after a given number of failed attempts, but this would have made it too easy for attackers to lock all user accounts.
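The following added example (not Canaille's implementation) shows the doubling-delay design described above as a small per-account throttle: each failure doubles the wait before the next attempt is even evaluated, a successful login clears the counter, and a cap keeps the delay bounded. The base delay, the cap, and the choice to refuse attempts made during the wait are assumptions of this example.

```python
from dataclasses import dataclass, field

BASE_DELAY = 1.0    # seconds after the first failure (assumed value, not Canaille's)
MAX_DELAY = 3600.0  # cap so an attacker cannot push a victim's delay towards infinity


@dataclass
class LoginThrottle:
    """Per-account failure counter implementing a doubling delay instead of a hard lockout."""
    failures: dict = field(default_factory=dict)    # account -> consecutive failed attempts
    not_before: dict = field(default_factory=dict)  # account -> earliest accepted attempt time

    def delay_for(self, failures: int) -> float:
        """0 s with no failures, then BASE_DELAY * 2**(n-1), capped at MAX_DELAY."""
        if failures == 0:
            return 0.0
        return min(BASE_DELAY * 2 ** (failures - 1), MAX_DELAY)

    def attempt(self, account: str, password_ok: bool, now: float) -> tuple:
        """Return (accepted, seconds_to_wait).

        An attempt that arrives while the delay is still running is refused without
        checking the password at all, so a guess cannot be verified faster than the
        schedule allows. A correct password resets the account to a clean state.
        """
        wait = self.not_before.get(account, 0.0) - now
        if wait > 0:
            return False, wait
        if password_ok:
            self.failures.pop(account, None)
            self.not_before.pop(account, None)
            return True, 0.0
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        delay = self.delay_for(n)
        self.not_before[account] = now + delay
        return False, delay
```

The trade-off the post mentions is visible here: a legitimate user whose account is being guessed at is slowed down, not locked out, and logs in as soon as they present the right password after the current delay.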

Security events logging

In order to facilitate the detection of a potential attack on a Canaille instance, we added logging for sensitive events. Those logs are marked with a special "security" tag for easy retrieval. They can be configured to be written to a separate file from the usual log entries.

Logged security events include authentication attempts, password or email updates, issuance or revocation of OAuth tokens, and more.
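As an added illustration of the tagging and routing described above (this is example code, not Canaille's logging setup), the snippet below tags records with `extra={"security": True}`, filters them onto their own handler, and records the details as key=value fields so they stay easy to search. The logger name, the record attribute, and the sample user and address are constructed for the example.

```python
import io
import logging


class SecurityOnly(logging.Filter):
    """Let through only records that were logged with extra={"security": True}."""

    def filter(self, record: logging.LogRecord) -> bool:
        return getattr(record, "security", False) is True


def build_logger(security_stream, general_stream) -> logging.Logger:
    """Two handlers on one logger: the first receives only tagged security events
    (in production: a FileHandler for the separate file), the second receives everything."""
    logger = logging.getLogger("canaille_example")  # assumed name for this example
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)

    security = logging.StreamHandler(security_stream)
    security.addFilter(SecurityOnly())
    security.setFormatter(logging.Formatter("SECURITY %(levelname)s %(message)s"))

    general = logging.StreamHandler(general_stream)
    general.setFormatter(logging.Formatter("%(levelname)s %(message)s"))

    logger.addHandler(security)
    logger.addHandler(general)
    return logger


def log_security(logger: logging.Logger, event: str, **fields) -> None:
    """Emit a tagged security event; sorted key=value fields keep the line machine-parseable."""
    detail = " ".join(f"{key}={value}" for key, value in sorted(fields.items()))
    logger.warning("%s %s", event, detail, extra={"security": True})


def demo() -> tuple:
    """Returns (security_log, general_log) produced by one tagged and one ordinary record."""
    security_out, general_out = io.StringIO(), io.StringIO()
    logger = build_logger(security_out, general_out)
    # Constructed sample event: documentation address 203.0.113.7, fictional user.
    log_security(logger, "authentication_failed", user="alice", ip="203.0.113.7", reason="bad_password")
    logger.info("rendering template index.html")
    return security_out.getvalue(), general_out.getvalue()
```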

Password compromise investigation

Since users tend to reuse the same passwords (with some small variations in the best case), it is now possible to check that each new password does not appear in a database of compromised passwords, thanks to the Have I Been Pwned API.

HIBP offers a free API endpoint that can be consulted for compromised passwords.
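The HIBP range endpoint uses k-anonymity: the client sends only the first 5 hex characters of the password's SHA-1 hash and receives every known hash suffix sharing that prefix, so the password itself never leaves the server doing the check. The added example below (not Canaille's code) computes the prefix, parses a range response, and looks up the suffix; the response body is a constructed sample in the endpoint's "SUFFIX:COUNT" format, and only `fetch_range` talks to the network.

```python
import hashlib
import urllib.request

# Constructed sample body for prefix 5BAA6; counts are made up. One line per known hash
# suffix. A count of 0 is what the optional "Add-Padding" header's filler entries look like.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
011053FD0102E94D6AE2F8B83D76FAF94F6:0
"""


def hash_prefix_and_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent to HIBP and the rest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Map each 35-char hash suffix to its breach count, ignoring blank or malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password was seen in breaches according to the range response (0 = not found)."""
    _, suffix = hash_prefix_and_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Network call: only the 5-char prefix is sent. Add-Padding makes every response the same
    rough size so an observer cannot infer the prefix from the response length."""
    request = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "hibp-example"},
    )
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


def is_compromised(password: str) -> bool:
    """Live check wired together; reject the password when HIBP has seen it at least once."""
    prefix, _ = hash_prefix_and_suffix(password)
    return breach_count(password, fetch_range(prefix)) > 0
```

In a password-change flow, a network or API failure should be treated explicitly (fail open with a warning or fail closed, by policy) rather than silently accepting the password.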

Password expiry policy

In order to increase the security of user accounts, it is now possible to determine a lifetime for passwords. When a password expires, users are forced to update their password on their next login, or during their session if already logged in.

Provisioning with SCIM

Canaille provides a SCIM server implementation that client applications can use to manage users and groups directly in Canaille (given the right permissions). In the future we would love to build a small service subscription management application, and SCIM is a well suited protocol for such an application to communicate with Canaille.

Thanks to our recent work on SCIM we had almost everything ready to add a server-side implementation. It was also a way to test our SCIM libraries in a real-world situation. In the end, this integration led us to fix a lot of things both in our SCIM toolbox and in Canaille.

Documentation

Internationalization

To make Canaille more accessible, we spent some time making our documentation translatable. The translation interface is available on Weblate. We also translated the documentation into French to validate the mechanism. This was also an opportunity for us to review all the existing documentation and fix wording errors and typos.

Theming

We have also worked on the theming documentation to help users customize how their Canaille instance looks. We wanted to reference and document all our templates, to help designers modify them. To achieve this we had to fork an old unmaintained library into a new library, jinja-autodoc, for automatic template documentation generation. We cleaned it up, made a few improvements, and pushed it under the sphinx-contrib organization.