Two-Factor Authentication for MediaWiki with Duo Security
Two-factor authentication can be the difference between a major compromise and just a fleeting annoyance for a company. While there have always been a few multifactor authentication options on the market, they rarely have gone to the lengths that Duo Security has to provide multi-language, multi-device, and multi-application support for two-factor implementation with one service. I won't go into the details of all that they offer, but it's important to us and our clients to have a solution that can cover many avenues of technology seamlessly.
One such need that is often overlooked when evaluating infrastructure integrity are the all-too-vulnerable corporate web applications (e.g. blogs, content management systems, and wikis). While many companies spend large amounts of their time deploying quality firewall infrastructure, the public-facing web applications behind that firewall rarely get the treatment they deserve for security forethought.
While it's easy to say that a wiki may not be a real 'target' for attackers, it's important to remember that with general password reuse, it's convenient for an attacker to leverage stolen credentials against you, and could bounce from that mundane wiki into other parts of your infrastructure. The strategy of defense-in-depth should protect assets from being compromised if only a single point of a security mechanism has been beaten. If a user happens to get phished, that shouldn't allow an attacker to become an administrator on your corporate wiki or otherwise.
Recently, I deployed an internal wiki for the company using MediaWiki and wanted to ensure that we were following best practices by implementing two-factor authentication, even though the exposure was limited by design. Luckily, Duo Security recently published their two-factor authentication module for MediaWiki. Having had a chance to deploy it, I felt like this may be a topic that would be of interest for the many companies deploying wikis without that added protection. Here are a few quick implementation notes:
- Download the latest copy of the MediaWiki plugin from the Duo Security GitHub
- Copy the zip into the MediaWiki 'extensions' folder on your server and uncompress the file
- Ensure that the plugin folder is called 'DuoAuth'
- Edit your 'LocalSettings.php' file to include the following plugin directives:
- require_once( "$IP/extensions/DuoAuth/DuoAuth.php" );
- $wgRedirectOnLogin = 'Special:DuoAuth';
- $wgDuoIKey = '[The app's integration key]';
- $wgDuoSKey = '[The app's secret key]';
- $wgDuoHost = '[api-host].duosecurity.com';
- Finally, if you are using MediaWiki in 'Private Wiki' mode, add this final directive to your 'LocalSettings.php' file:
- $wgWhitelistRead = array("Special:DuoAuth");
These changes should make the MediaWiki installation require Duo Security following your initial login. Beyond MediaWiki, Duo Security also offers WordPress, Drupal, and Expression Engine (forked from original Duo Security module) plugins on the blog/CMS front. If those don't fit your needs, check out the rest of the Duo Security GitHub account for a collection of programming language development kits and build your own!
While two-factor authentication isn't a panacea to all security issues, it certainly mitigates the impact of a single set of user credentials getting stolen. It's important to understand that just because credentials to a web application seem unimportant, does not mean that the impact from such a compromise won't have cascading effects into the whole of your infrastructure integrity.