2 factor auth using openid proposal
Toshio Kuratomi
a.badger at gmail.com
Thu Jan 24 17:05:39 UTC 2013
On Thu, Jan 24, 2013 at 09:07:44AM -0700, Kevin Fenzi wrote:
> Patrick has written up a proposal to use openid's two factor auth with
> our various apps and fas:
>
> https://fedoraproject.org/wiki/User:Puiterwijk/2factor_policy_proposal
>
> Feedback welcome. ;)
>
Gave him some feedback on IRC. Will summarize here:
* After those are done, add googleauth provisioning to FAS so we can treat it the
same as yubikey provisioning
* Should the checkbox to enable 2fa not be able to be turned off? If you
type in your password and 2fa, perhaps it should be able to be turned off.
* I know that implementing 2fa to log into fas will cause a lot of breakage
that we'll have to fix before we deploy:
- session cookie for fas would have to change so you don't have SSO
between FAS and other apps.
- python-fedora api would need to be modified so it can log into fas.
- web apps would need to be modified so they could log into fas
with/without 2fa
- Note: Openid doesn't work for most of our web apps because we need group
information and openid doesn't provide that.
- Why do we want to have a second page to type in the otp instead of
a single page? Single page makes logging in programmatically easier
I think.
We could think these scenarios through and come up with a more detailed
plan of action (Maybe there's an openid group extension that we could
implement, for instance).
Here's an alternative, though:
- Instead of protecting FAS login, protect changing of the authentication
information stored in FAS. We already require you to type in your
password when changing your password. Let's change that to this:
+ If you want to change your password, yubikey, googleauth, or security
question/answer, you need to type in your password and either a yubikey
or googleauth otp.
+ If you are enrolling your first password (account creation only -- not
currently how we do it; we currently set up an initial password that
the user then has to change) you would not be required to type in a
previous password/otp
+ If you are adding your first second factor (ex: yubikey without either
yubikey or googleauth already setup) then you do not need to type in
a second factor, just your password. Adding a second 2fa would
require typing in your previous 2fa, though (ie: if you already have
yubikey and you add googleauth)
Another alternative would be to turn on 2fa for other web apps that use
SSO with FAS. That would make coding around the session cookie disappear.
python-fedora would still need some modification to handle logging in
slightly differently (It would need to prefer the session cookie over
a username + password if an otp was given as the otp wouldn't be good for
subsequent attempts. Probably want to add a new otp parameter to logging in
via python-fedora to differentiate between logging in with just
username+password).
-Toshio
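As an added illustration (not code from the message, FAS or python-fedora), a small Python model of the "protect changes to the authentication data instead of the login" alternative above. The `Account`, `required_proofs` and `may_change` names are hypothetical, and the fallback for an account that has a password but no second factor yet is an assumption the message does not spell out.

```python
from dataclasses import dataclass, field

SECOND_FACTORS = {"yubikey", "googleauth"}
CHANGEABLE = SECOND_FACTORS | {"password", "security_question"}


@dataclass
class Account:
    """Hypothetical view of what FAS already stores for one user."""
    has_password: bool = True
    second_factors: set = field(default_factory=set)


def required_proofs(account: Account, change: str) -> set:
    """Proofs ('password', 'otp') the user must present before `change`
    is applied to the stored authentication data."""
    if change not in CHANGEABLE:
        raise ValueError(f"unknown change: {change}")
    # Account creation: enrolling the first password is not gated on a
    # previous password or OTP.
    if change == "password" and not account.has_password:
        return set()
    # First second factor: the password alone is enough.
    if change in SECOND_FACTORS and not account.second_factors:
        return {"password"}
    # Assumption (not in the message): with no second factor enrolled there
    # is nothing to generate an OTP with, so only the password can be asked.
    if not account.second_factors:
        return {"password"}
    # Everything else: password plus an OTP from an already enrolled factor
    # (so adding googleauth when yubikey exists needs a yubikey OTP).
    return {"password", "otp"}


def may_change(account: Account, change: str, presented: set) -> bool:
    """True only when every required proof was verified on this request."""
    return required_proofs(account, change) <= presented
```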