2 factor auth using openid proposal

Toshio Kuratomi a.badger at gmail.com
Thu Jan 24 17:05:39 UTC 2013

On Thu, Jan 24, 2013 at 09:07:44AM -0700, Kevin Fenzi wrote:
> Patrick has written up a proposal to use openid's two factor auth with
> our various apps and fas: 
> https://fedoraproject.org/wiki/User:Puiterwijk/2factor_policy_proposal
> Feedback welcome. ;) 
Gave him some feedback on IRC.  Will summarize here:

* After those are done, add googleauth provisioning to FAS so we can treat it the
  same as yubikey provisioning
* Should the checkbox to enable 2fa not be able to be turned off?  If you
  type in your password and 2fa, perhaps it should be able to be turned off.
* I know that implementing 2fa to log into fas will cause a lot of breakage
  that we'll have to fix before we deploy:
  - session cookie for fas would have to change so you don't have SSO
    between FAS and other apps.
  - python-fedora api would need to be modified so it can log into fas.
  - web apps would need to be modified so they could log into fas
    with/without 2fa
  - Note: Openid doesn't work for most of our web apps because we need group
    information and openid doesn't provide that.
  - Why do we want to have a second page to type in the otp instead of
    a single page?  Single page makes logging in programmatically easier
    I think.

  We could think these scenarios through and come up with a more detailed
  plan  of action (Maybe there's an openid group extension that we could
  implement, for instance).

  Here's an alternative, though:

  - Instead of protecting FAS login, protect changing of the authentication
    information stored in FAS.  We already require you to type in your
    password when changing your password.  Let's change that to this:
    + If you want to change your passwword, yubikey, googleauth, or security
      question/answer, you need to type in your password and either a yubikey
      or googleauth otp.
    + If you are enrolling your first password (account creation only -- not
      currently how we do it; we currently set up an initial password that
      the user then has to change) you would not be required to type in a
      previous password/otp 
    + If you are adding your first second factor (ex: yubikey without either
      yubikey or googleauth already setup) then you do not need to type in
      a second factor, just your password.  Adding a second 2fa would
      require typing in your previous 2fa, though (ie: if you already have
      yubikey and you add googleauth)

  Another alternative would be to turn on 2fa for other web apps that use
  SSO with FAS.  That would make coding around the session cookie disappear.
  python-fedora would still need some modification to handle logging in
  slightly differently (It would need to prefer the session cookie over
  a username + password if an otp was given as the otp wouldn't be good for
  subsequent attempts.  Probably want to add a new otp parameter to logging in
  via python-fedora to differentiate between logging in with just

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20130124/cd6eb812/attachment.sig>

More information about the infrastructure mailing list