@DanielOaks
Last active February 1, 2019 02:36
Title: ACC Multi-Factor Authentication
Layout: spec
Copyrights:
  • Daniel Oaks, 2019, daniel@danieloaks.net
  • Shivaram Lingamneni, 2019, slingamn@cs.stanford.edu

This document specifies a multi-factor authentication mechanism for IRC login that works alongside existing SASL methods.

The ACC MFA command

The ACC MFA command is used to enable and disable Multi-Factor Authentication methods, and to sign in with MFA. It is based on the existing ACC command framework.

The ACC MFA ENABLE sub-command

ACC MFA ENABLE <method> ...params...

The ACC MFA DISABLE sub-command

ACC MFA DISABLE <method>

The ACC MFA LIST sub-command

ACC MFA LIST

The ACC MFA IDENTIFY sub-command

ACC MFA IDENTIFY <method> ...params...

The ACC MFA REQUIRED message

ACC MFA REQUIRED <method>{,<method>} <info>

The ACC MFA DATA message

ACC MFA DATA <info>

MFA Methods

Time-Based One-Time Password Algorithm (TOTP)

The totp method is based on the TOTP RFC, as well as the otpauth URI that has become the standard format for transmitting TOTP parameters.

The format of the various ACC MFA subcommands when using TOTP is listed below.

ACC MFA ENABLE TOTP

When enabling the totp MFA method, servers generate TOTP parameters, and a standard QR code containing an otpauth: URI. This QR code is then displayed to the user through a number of ACC MFA DATA messages. The specific display method should be:

ACC MFA DATA <>*64
... specify some ASCII/Unicode way of displaying it here, with colour codes 0/1 ...
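
A sketch of the server side of the totp method, added here as an illustration and not part of this specification or of any server's code: it generates the shared secret, builds the otpauth: URI that would go into the QR code, and checks the code a client later sends in ACC MFA IDENTIFY TOTP. The function names, the issuer and account values, the SHA-1 / 6-digit / 30-second parameters, the one-step drift window and the replay check are all assumptions; the draft does not fix any of them.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote, urlencode

PERIOD, DIGITS = 30, 6  # assumed: common authenticator defaults, not set by the draft

def new_secret():
    """Random 160-bit shared secret, generated when TOTP is enabled."""
    return secrets.token_bytes(20)

def otpauth_uri(secret, account, issuer):
    """Build the otpauth: URI that the server would encode into the QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    query = urlencode({"secret": b32, "issuer": issuer, "algorithm": "SHA1",
                       "digits": DIGITS, "period": PERIOD})
    return "otpauth://totp/" + quote(issuer + ":" + account) + "?" + query

def totp(secret, counter):
    """RFC 4226 HOTP over the time-step counter, which is how RFC 6238 defines TOTP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret, code, last_used, now=None, window=1):
    """Check the code from ACC MFA IDENTIFY TOTP.

    Returns the matched time step (to be stored as the account's new
    last_used value) or None. Steps at or before last_used are refused,
    so a code captured on the wire cannot be replayed within its window.
    """
    step = int((time.time() if now is None else now) // PERIOD)
    supplied = code.encode("utf-8", "replace")
    matched = None
    for candidate in range(step - window, step + window + 1):
        # Constant-time comparison of every candidate, with no early exit.
        ok = hmac.compare_digest(totp(secret, candidate).encode(), supplied)
        if ok and candidate > last_used and matched is None:
            matched = candidate
    return matched

if __name__ == "__main__":
    demo = new_secret()  # constructed sample account, not from the draft
    print(otpauth_uri(demo, "dan", "ExampleNet"))
    print(verify(demo, totp(demo, int(time.time() // PERIOD)), last_used=0))
```

A server would persist the returned step per account and pass it back as last_used on the next attempt.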

Examples

Signing-in with TOTP MFA

Client: CAP LS 302
Client: NICK dan
Client: USER dan 0 * :Modern Client
Server: CAP * LS :sasl=EXTERNAL,FOO,DH-AES,BAR,DH-BLOWFISH,FOOBAR,PLAIN batch cap-notify
Client: CAP REQ :sasl
Server: CAP dan ACK :sasl
Client: AUTHENTICATE PLAIN
Server: AUTHENTICATE +
Client: AUTHENTICATE ...
Client: AUTHENTICATE amlsbGVzAGppbGxlcwBzZXNhbWU=
Server: ACC MFA REQUIRED TOTP :Two-Factor Authentication Required (/ACC MFA IDENTIFY TOTP code)
Client: ACC MFA IDENTIFY TOTP 142534
Server: 900 dan dan!usr@localhost dan :You are now logged in as dan
Server: 903 dan :SASL authentication successful
Client: CAP END
Server: 001 dan :Welcome to the oratest Internet Relay Chat Network dan