Koha Upgrades

Koha 22.11 New Security Features

New Options for Two-Factor Authentication

Koha version 22.05 introduced the ability to enable two-factor authentication (2FA) on staff accounts. Two new enhancements build on that functionality.

When 2FA first appeared, it was an opt-in feature that staff enabled through the TwoFactorAuthentication system preference. Bug 30588 adds an "Enforce" value to that preference for systems with more rigorous security needs. With 2FA enforced, every staff login to the staff interface requires a time-based one-time password (TOTP) generated by a separate authenticator application in addition to the account password.

To make day-to-day logins somewhat simpler, bug 28787 adds the option to deliver a one-time password by email (or by SMS, if SMS notices are enabled) once 2FA has been set up and confirmed with a third-party authenticator app; an external application is still required for that initial setup. The enhancement adds a new notice, 2FA_OTP_TOKEN, which carries the token to the user by email or SMS. The token is valid for one minute; further enhancements are in the works to make that duration configurable, but for now it is hard-coded at one minute. Bear in mind that a code delivered by email or SMS is only as strong as the mailbox or phone number it is sent to, so the short lifetime matters.
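As an added illustration of the two mechanisms these enhancements rely on (this is example code, not Koha's own implementation, which is written in Perl), the Python below does two things: it computes and verifies the RFC 6238 TOTP that an authenticator app produces and the staff interface checks, allowing one step of clock drift, and it models a one-minute, single-use code sent out of band in the manner of 2FA_OTP_TOKEN. The secret is the reference value from RFC 4226 and the timestamps are fixed so the run is reproducible. The MailOtpStore class, its one-code-per-user rule and its "any attempt consumes the code" policy are assumptions about a sensible server-side design, not a description of what Koha does internally.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

# --- TOTP as computed by authenticator apps (RFC 4226 HOTP / RFC 6238 TOTP) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password for a counter value (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP over the number of `step`-second intervals since the epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Accept the code for the current step or `window` steps either side (clock drift).
    Every candidate is compared in constant time and none is skipped, so the
    loop's running time does not reveal which step (if any) matched."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    matched = False
    for c in range(counter - window, counter + window + 1):
        matched |= hmac.compare_digest(hotp(secret, c, digits), code)
    return matched


# --- Short-lived code delivered out of band (modelled on 2FA_OTP_TOKEN) ---

MAIL_OTP_TTL_SECONDS = 60   # the notice's token is valid for one minute in 22.11


class MailOtpStore:
    """Server-side record of emailed/SMS codes.  Assumed design, not Koha's code:
    one outstanding code per user, stored hashed, expiring after the TTL, and
    consumed by the first verification attempt whether or not it succeeds."""

    def __init__(self) -> None:
        self._pending = {}   # user -> (sha256 hex of code, expiry timestamp)

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, user: str, now: float) -> str:
        """Create a fresh 6-digit code for `user`; the caller sends it in the notice."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = (self._digest(code), now + MAIL_OTP_TTL_SECONDS)
        return code

    def verify(self, user: str, code: str, now: float) -> bool:
        """True only for the live, unexpired code; any attempt invalidates it."""
        entry = self._pending.pop(user, None)           # single use: consumed on first try
        if entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:                            # too late: the one-minute window is over
            return False
        return hmac.compare_digest(digest, self._digest(code))


def demo() -> dict:
    """Walk both mechanisms with the RFC 4226 reference secret and fixed timestamps."""
    secret = b"12345678901234567890"   # constructed test secret from the RFC, not a real key
    results = {
        "app_code_at_t59": totp(secret, at=59),                      # RFC 6238 vector: 287082
        "accepted_in_window": verify_totp(secret, "287082", at=89),   # one step of drift
        "rejected_after_window": verify_totp(secret, "287082", at=120),
    }
    store = MailOtpStore()
    code = store.issue("staff1", now=1000.0)
    results["mail_code_expired"] = store.verify("staff1", code, now=1061.0)   # 61 s later
    code = store.issue("staff1", now=2000.0)
    results["mail_code_accepted"] = store.verify("staff1", code, now=2030.0)
    results["mail_code_replayed"] = store.verify("staff1", code, now=2031.0)  # already consumed
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two design points are worth noting. The TOTP check deliberately avoids returning early, so an attacker timing the login endpoint cannot learn which of the candidate steps matched. For the mailed code, the real defence is the short lifetime and single use rather than the hash: a six-digit space is trivially brute-forced offline, so a store of hashes only helps against casual disclosure, and the server must also rate-limit or lock the account after a few failed attempts.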

Notification of Password Change

Most of the time, a patron's password is changed with the account holder's full knowledge and consent. Because that is not always the case, bug 25936 adds a new system preference and an accompanying notice that tells patrons their password has been changed, so they can react if they did not initiate the change. The preference is NotifyPasswordChange; by default it is set not to notify patrons. When it is set to notify, Koha generates the PASSWORD_CHANGE notice whenever a password is changed. The default notice simply tells patrons that their password has been changed and to contact staff if they did not make the change; it can be customized, for example with specific instructions on how to reach the library if the account may have been compromised.

Staff client integration for OAuth2/OIDC identity providers

As more libraries move toward single sign-on, bug 31378 lays the foundation for configuring external authentication services from within the Koha staff interface. The new functionality, labeled Identity Providers, is found in the Administration module under Additional Parameters. Currently only the OAuth2 and OIDC protocols are supported, but the work provides a base for other protocols in future enhancements.