From Fedora Project Wiki

Enterprise / distributed two-factor authentication

Summary

Provide a flexible solution for two-factor authentication on a distributed basis, suitable for enterprise and SSO.

Owner

  • Email: daniel@pocock.com.au

Current status

  • Targeted release: Fedora 19
  • Last updated: 2013-01-28
  • Percentage of completion: 80%

Detailed Description

Most OTP solutions for two-factor authentication require some kind of storage backend for counters or other volatile data. Early implementations work with flat files on a single host. dynalogin was created to bring stability and flexibility, storing counters in just about any type of database. Other solutions such as totp-cgi have similar goals (although it only mentions Postgres support, whereas dynalogin can use MySQL thanks to UNIXODBC). dynalogin has been successfully integrated with the SimpleID provider for OpenID authentication.

Benefit to Fedora

Users will have a self contained solution for two-factor authentication without relying on external parties such as RSA.

Scope

Adding dynalogin and SimpleID packages. Additional upstream development work on dynalogin to interface with LDAP, PAM and maybe RADIUS.

How To Test

Ideally, testing will be done with a real token (maybe a dynalogin soft-token on Android). There is also a command line token simulator utility that can be used in testing.

Testing should demonstrate that

  • an authorised user can log in to more than one service on more than one host,
  • that the HOTP algorithm counter is correctly maintained no matter which host the user logs in to,
  • it should work with the popular soft tokens dynalogin' and Google Authenticator' for Android
  • it should be possible to block an account and the user will immediately be denied any further login (until unblocked)

User Experience

The end user can conveniently use common soft tokens like dynalogin' and Google Authenticator' for Android

Dependencies

  • SimpleID and dynalogin do not depend on each other, but they do work well together.
  • dynalogin depends on the oath-toolkit

Contingency Plan

These are new packages and have no impact on unrelated packages or the system as a whole if they are not ready on time.

Documentation

Release Notes

  • Better support for distributed two-factor authentication and Single-Sign-On (SSO) using dynalogin and SimpleID

Comments and Discussion