Proposed F19 Feature: Enterprise / distributed two-factor authentication

Konstantin Ryabitsev icon at fedoraproject.org
Tue Jan 29 17:08:43 UTC 2013


On Tue, Jan 29, 2013 at 9:48 AM, Jaroslav Reznik <jreznik at redhat.com> wrote:

> = Features/EnterpriseTwoFactorAuthentication =
> https://fedoraproject.org/wiki/Features/EnterpriseTwoFactorAuthentication
>
> Feature owner(s): Daniel Pocock <daniel at pocock.com.au>
>
> Provide a flexible solution for two-factor authentication on a distributed
> basis, suitable for enterprise and SSO.
>
> == Detailed description ==
> Most OTP solutions for two-factor authentication require some kind of
> storage backend for counters or other volatile data. Early implementations
> work with flat files on a single host. dynalogin was created to bring
> stability and flexibility, storing counters in just about any type of
> database. Other solutions such as totp-cgi have similar goals (although it
> only mentions Postgres support, whereas dynalogin can use MySQL thanks to
> UNIXODBC). dynalogin has been successfully integrated with the SimpleID
> provider for OpenID authentication.
>

Well, the main reason totpcgi doesn't use MySQL is because it hasn't been a
requested feature so far. Adding support for mysql would be a couple of
hours of work. Notably, using a database for this is a net loss in
security, since not only are we transferring pre-shared secrets over the
network now (hope you connect via ssl), but we also lose extra SELinux
enforcement that is added onto tokens stored on the filesystem. Database
backends should only be used when you want to add multiple redundant 2fa
servers.

(I'm also worried that unixODBC doesn't appear to support advisory locking
that we use in postgresql backend to make sure that we only allow one
member of the redundant cluster to work on a token -- thus preventing
potential race conditions allowing token reuse.)

My main objection, though, is that this feature implies that there
currently isn't a "flexible solution for two-factor authentication suitable
for enterprise" in Fedora. While totpcgi doesn't currently provide a lot of
SSO options (if you don't count Radius -- which you really shouldn't),
that's mainly because there are so many SSO options to choose besides just
OpenID.

Best,
-- 
Konstantin Ryabitsev
LinuxFoundation.org
Montréal, Québec
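The advisory-locking point in the reply (only one verifier may act on a token, so a replayed code is never accepted twice, even across redundant servers), as an added illustration that is not totpcgi's or dynalogin's code: a minimal TOTP verifier whose "used token" table is the single serialisation point. It uses SQLite with a primary-key constraint standing in for the Postgres advisory locks the post mentions; the schema, function names, time values and the RFC 4226 test secret are assumptions of this example.

```python
import hashlib, hmac, sqlite3, struct, tempfile, threading

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenStore:
    # Shared table of consumed (user, timestep) pairs. The PRIMARY KEY makes the
    # INSERT the one atomic serialisation point, whichever verifier node wins.
    def __init__(self, path: str = None):
        self.path = path or tempfile.NamedTemporaryFile(suffix=".db", delete=False).name
        with sqlite3.connect(self.path) as conn:
            conn.execute("CREATE TABLE IF NOT EXISTS used_tokens "
                         "(user TEXT, tstep INTEGER, PRIMARY KEY (user, tstep))")

    def consume(self, user: str, tstep: int) -> bool:
        conn = sqlite3.connect(self.path, timeout=5)  # wait out competing writers
        try:
            with conn:
                conn.execute("INSERT INTO used_tokens VALUES (?, ?)", (user, tstep))
            return True
        except sqlite3.IntegrityError:  # row already there: this is a replay
            return False
        finally:
            conn.close()

def verify(store: TokenStore, user: str, secret: bytes, code: str, now: int,
           step: int = 30, window: int = 1) -> bool:
    # Accept the code for the current timestep or a neighbour (clock drift),
    # but let the store decide whether that timestep was already spent.
    for tstep in range(now // step - window, now // step + window + 1):
        if hmac.compare_digest(hotp(secret, tstep), code):
            return store.consume(user, tstep)
    return False

def concurrent_replay(store: TokenStore, user: str, secret: bytes, now: int,
                      attempts: int = 8) -> int:
    # Present one valid code from several threads at once (simulating replay
    # against several redundant verifiers) and count how many are accepted.
    code, results = hotp(secret, now // 30), []
    threads = [threading.Thread(target=lambda: results.append(
        verify(store, user, secret, code, now))) for _ in range(attempts)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)  # exactly 1 when consumption is atomic
```

A SELECT-then-INSERT check in place of the single constrained INSERT is the race the reply warns about: two verifiers can both see the timestep as unused and both accept the code.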