Project

General

Profile

Actions
Copy link

Feature #35001

closed

Disable API authentication with username and password when two-factor authentication is enabled for the user

Added by Go MAEDA over 3 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Marius BĂLTEANU
Category:
Accounts / authentication
Target version:
5.0.0
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed

Description

In Redmine 4.2, two-factor authentication has been introduced.

When two-factor authentication is enabled, it becomes difficult for an attacker to log in to Redmine even if he knows the username and password.

However, API authentication is not covered by two-factor authentication. Currently, there are three methods of API authentication:

1. send the user's API key via X-Redmine-API-Key header
2. basic authentication with the user's API key ( username is the API key and password is a random string)
3. basic authentication with user name and password

If you have two-factor authentication enabled, I think the third method will be problematic. This is because even though the web UI can prevent an attacker from logging in with an illegally obtained username and password, they can still use that username and password to access the data via the API.

To address this risk, I suggest disabling basic authentication with username and password for users who have two-factor authentication enabled.

Files

35001.patch (1.88 KB) 35001.patch Go MAEDA, 2022-01-16 08:58

Related issues

Related to Redmine - Feature #1237: Add support for two-factor authenticationClosedGo MAEDA2008-05-14

Actions
Related to Redmine - Defect #41220: API Access does not require second factorClosed

Actions
Actions
Copy link

Also available in: Atom PDF