As I have seen, you already implemented Google Authenticator and Duo Mobile. I have been playing around with Duo Mobile a little bit. It works quite well. There is some kind of hiccup sometimes which lies within the Duo Mobile code. Duo Mobile is a nice little thing that needs a user account (there are free accounts that are limited, so companies are driven to paid accounts). After signing in at Duo Mobile, you can add a Web SDK application for Teampass and are presented with two keys and an API hostname. These two keys you insert in the corresponding fields within the Teampass admin area and create a Teampass-specific application key. After saving, you are ready to go. Prepare your mobile devices (Android, iOS) by installing the free Duo Mobile app. You can edit the Policies within Duo Mobile to enable Self Service, so you are able to add as many devices as you like to a user.
Duo Mobile enables two-factor authentication with many different methods:
- Duo Mobile Push Message (your device needs to be online)
- Duo Mobile Passcode (works even offline)
- SMS Passcodes
- Hardware Token HOTP/TOTP/YubiKey AES
- FIDO U2F
Yubico's YubiKeys do offer U2F. However, it requires one of the following tokens: YubiKey 4, YubiKey 4 nano, YubiKey 4C, or FIDO U2F Security Key. Any other YubiKey does not provide U2F. All YubiKeys (except for the FIDO U2F Security Key) provide static passwords, OTP, OATH-HOTP (event) and OATH-TOTP (time). I'm currently using a YubiKey with a static password in combination with my memorized passphrase. Strictly, that is no real two-factor authentication, but it provides a nice and long password with very good entropy. It is an easy way to strengthen security without modifying the source code ;)
Using a YubiKey gives you a wide range of authentication methods; the most common is its use as a one-time pad. This is the standard authentication the YubiKey comes with.
Under https://www.yubico.com/ you can find further information. Under https://demo.yubico.com/ you can see how a YubiKey may be used.
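For anyone wiring the Duo Web SDK flow from the first post into their own code: the following is an added, self-contained Python illustration of the signing scheme the Duo Web SDK v2 used. It is not the Duo SDK, not TeamPass code, and not from any poster in this thread. It reimplements sign_request/verify_response from the documented scheme (HMAC-SHA1 over a base64 "user|ikey|expiry" cookie carrying TX/APP/AUTH prefixes), with constructed dummy keys, a fixed clock, and a stand-in duo_service_response function in place of the real Duo service. It shows what the "Teampass-specific application key" buys you: the APP half of the response is signed with a key Duo never sees, so login is accepted only when a Duo-signed AUTH half and an application-signed APP half both verify and name the same user.

```python
"""Illustration of the Duo Web SDK v2 request/response signing scheme.
Added example; not the Duo SDK, not TeamPass code. All keys are dummies."""
import base64
import hashlib
import hmac
import time

DUO_PREFIX, APP_PREFIX, AUTH_PREFIX = "TX", "APP", "AUTH"
DUO_EXPIRE, APP_EXPIRE = 300, 3600  # seconds, as in the v2 scheme

# Constructed dummy keys in the shapes Duo hands out: a 20-char integration
# key and 40-char secret key (both from Duo) plus a 40-char application key
# that only this application ever holds.
IKEY = "DIXXXXXXXXXXXXXXXXXX"
SKEY = "s" * 40
AKEY = "a" * 40


def _hmac_sha1(key: str, msg: str) -> str:
    return hmac.new(key.encode(), msg.encode(), hashlib.sha1).hexdigest()


def _sign_vals(key, vals, prefix, expire, now):
    """prefix|base64(user|ikey|exp)|hmac_sha1(key, prefix|base64(...))"""
    exp = str(now + expire)
    b64 = base64.b64encode("|".join(list(vals) + [exp]).encode()).decode()
    cookie = f"{prefix}|{b64}"
    return f"{cookie}|{_hmac_sha1(key, cookie)}"


def _parse_vals(key, val, prefix, ikey, now):
    """Return the username from a signed part, or None if anything is off."""
    parts = val.split("|")
    if len(parts) != 3:
        return None
    u_prefix, u_b64, u_sig = parts
    if not hmac.compare_digest(_hmac_sha1(key, f"{u_prefix}|{u_b64}"), u_sig):
        return None
    if u_prefix != prefix:
        return None
    fields = base64.b64decode(u_b64).decode().split("|")
    if len(fields) != 3:
        return None
    user, u_ikey, exp = fields
    if u_ikey != ikey or now >= int(exp):
        return None
    return user


def sign_request(ikey, skey, akey, username, now=None):
    """Build the sig_request for the Duo iframe: a TX part Duo checks with
    skey, plus an APP part only this application can check with akey."""
    now = int(time.time()) if now is None else now
    if not username or "|" in username:
        raise ValueError("bad username")
    vals = [username, ikey]
    return (_sign_vals(skey, vals, DUO_PREFIX, DUO_EXPIRE, now) + ":"
            + _sign_vals(akey, vals, APP_PREFIX, APP_EXPIRE, now))


def duo_service_response(skey, ikey, username, app_part, now):
    """Stand-in (assumption, not Duo's code) for what the Duo service posts
    back after a successful push/passcode: an AUTH part signed with skey,
    with the APP part echoed back untouched."""
    return _sign_vals(skey, [username, ikey], AUTH_PREFIX, DUO_EXPIRE, now) + ":" + app_part


def verify_response(ikey, skey, akey, sig_response, now=None):
    """Return the authenticated username, or None. Both halves must verify
    and must name the same user; an AUTH half without an APP half signed by
    *our* akey is rejected."""
    now = int(time.time()) if now is None else now
    try:
        auth_sig, app_sig = sig_response.split(":")
        auth_user = _parse_vals(skey, auth_sig, AUTH_PREFIX, ikey, now)
        app_user = _parse_vals(akey, app_sig, APP_PREFIX, ikey, now)
    except ValueError:
        return None
    if auth_user is None or auth_user != app_user:
        return None
    return auth_user


def demo(now=1_700_000_000):
    """Run the four cases a practitioner wants to see: good, user mismatch,
    forged application key, and expired response."""
    req = sign_request(IKEY, SKEY, AKEY, "alice", now)
    app_part = req.split(":")[1]
    good = duo_service_response(SKEY, IKEY, "alice", app_part, now + 30)
    # AUTH half names bob but our APP half was issued for alice.
    mismatched = duo_service_response(SKEY, IKEY, "bob", app_part, now + 30)
    # APP half forged with a guessed application key.
    forged_app = _sign_vals("x" * 40, ["alice", IKEY], APP_PREFIX, APP_EXPIRE, now)
    forged = duo_service_response(SKEY, IKEY, "alice", forged_app, now + 30)
    return {
        "good": verify_response(IKEY, SKEY, AKEY, good, now + 30),
        "mismatched": verify_response(IKEY, SKEY, AKEY, mismatched, now + 30),
        "forged_akey": verify_response(IKEY, SKEY, AKEY, forged, now + 30),
        "expired": verify_response(IKEY, SKEY, AKEY, good, now + APP_EXPIRE + 1),
    }


if __name__ == "__main__":
    print(demo())
```

The check worth keeping in mind when configuring this in the admin area: if the application key is weak or shared, the APP half stops being a meaningful second signature, since anyone who knows it can mint a matching APP part for any username.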
I have been experimenting more with this idea and found that it is a beginning, but it lacks a certain sophistication to make it really useful.
It lacks a hierarchy that makes it easier to handle growing structures as well as inheritance.
I have been experimenting a little bit with the knowledge base. It gives me a way to add entries to each resource. That might do the trick. I'm investigating a little bit more in this direction.
I've been thinking that the logging could be used for that. However, that means any user needs to use TeamPass actively.
I was going more in the direction of adding to each entry a list of "using resources" (e.g. e-mail addresses, source files where the password is used, ...). So when you need to change the password, you can notify all resources. And the other way around, if one of the resources gets compromised, you can retrieve a list of all credentials that need changing.