2factor auth

Toshio Kuratomi a.badger at gmail.com
Tue Oct 18 22:36:17 UTC 2011


On Tue, Oct 18, 2011 at 08:19:28AM -0400, Stephen Gallagher wrote:
> 
> It might be worth revisiting the discussion about a potential FAS3 built
> atop the upcoming FreeIPA v3 (which will have this support).

We discussed on IRC the blockers for this.  Hopefully at FUDCon the
immediately known blockers will have been resolved and we'll get a demo of
what a system with freeipa could look like.

One question that popped into my mind right now is will we have the ability
to specify that different groups and different users have different
requirements/access methods?

In the talks that we've had so far... it looks like we're desiring something
similar to this:

sysadmin-main and possibly sysadmin* => Mandatory two factor.  Password
+ any supported otp solution (yubikey or some otp via android).

all others non-mandatory two-factor.  Same technologies as above.  User
selects whether to make two-factor mandatory or not.

May need to allow single factor to login at times in the web application as
well -- this is a big unknown.  If someone loses half of their two-factor
auth, how are we going to reset their account.  For sysadmin-main, we figure
the pool is small enough that we can call each other or otherwise arrange
some way to verify that the person is really who we think they are.  So it
would be manually verify and manually reset.  For other Fedora groups, the
knowledge we have of a person and their connections to others inside Fedora
Infrastructure is much less.  It may be that for some of those groups we
allow them to reset their own 2nd factor auth with only a single factor
(after all, we're allowing their colleagues to use only a single factor all
the time)....

-Toshio
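The policy sketched in the message, written out as an added example (this is not code from the thread, from FAS or from FreeIPA): mandatory password + OTP for sysadmin-main and sysadmin*, user-selected OTP for everyone else, manual second-factor reset for the small sysadmin pool, and self-service reset with only the password for groups that could log in with only a password anyway. The glob matching on group names, treating every sysadmin* group as manual-reset, and RFC 4226 HOTP as the concrete "otp via android" mechanism are assumptions; Yubikey OTP validation is not covered. The secret is the RFC 4226 test vector, not a real credential.

```python
import fnmatch
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Assumption: groups whose members must always present a second factor,
# matched as shell-style globs against the user's group names.
MANDATORY_2FA_GROUPS = ("sysadmin-main", "sysadmin*")
# Assumption: groups whose lost second factor is reset only by hand after
# out-of-band verification (the "call each other" path in the message).
MANUAL_RESET_GROUPS = ("sysadmin-main", "sysadmin*")


@dataclass
class User:
    name: str
    groups: frozenset
    wants_2fa: bool = False   # opt-in for users outside the mandatory groups
    otp_counter: int = 0      # HOTP moving factor; advanced on each accepted code


def in_any_group(user, patterns):
    return any(fnmatch.fnmatchcase(g, p) for g in user.groups for p in patterns)


def requires_second_factor(user):
    """Mandatory for sysadmin-main / sysadmin*, otherwise the user's own choice."""
    return in_any_group(user, MANDATORY_2FA_GROUPS) or user.wants_2fa


def can_self_reset_second_factor(user):
    """Self-service re-enrolment with only a password is allowed exactly for the
    users who could have logged in with only a password anyway."""
    return not in_any_group(user, MANUAL_RESET_GROUPS)


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_hotp(secret, counter, candidate, look_ahead=3):
    """Accept the code for the current counter or a few presses ahead (token
    pressed without logging in). Returns the next counter to store, or None."""
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1
    return None


def authenticate(user, password_ok, otp_secret=None, otp_code=None):
    """Password is always checked; the OTP is demanded only when policy says so.
    Returns (accepted, reason). A reused code is rejected because the stored
    counter has already moved past it."""
    if not password_ok:
        return False, "bad password"
    if not requires_second_factor(user):
        return True, "single factor accepted"
    if otp_secret is None or otp_code is None:
        return False, "second factor required"
    next_counter = verify_hotp(otp_secret, user.otp_counter, otp_code)
    if next_counter is None:
        return False, "bad otp"
    user.otp_counter = next_counter
    return True, "two factors accepted"


if __name__ == "__main__":
    # Constructed demo data: the RFC 4226 test secret, not a real credential.
    secret = b"12345678901234567890"
    admin = User("admin", frozenset({"sysadmin-main", "packager"}))
    pkgr = User("pkgr", frozenset({"packager"}))
    print(authenticate(pkgr, True))                            # single factor ok
    print(authenticate(admin, True))                           # needs OTP
    print(authenticate(admin, True, secret, hotp(secret, 0)))  # ok, counter -> 1
    print(authenticate(admin, True, secret, hotp(secret, 0)))  # replay rejected
    print(can_self_reset_second_factor(admin), can_self_reset_second_factor(pkgr))
```

The look-ahead window is the usual trade-off for event-based tokens: without it a single accidental button press locks the user out; with it, a stolen code is still only good until the legitimate user's next login moves the counter past it. The reset rule is the part of the message that is still an open question, and it is kept as a separate function precisely so the "self-service for single-factor groups" decision can be changed without touching the login path.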
