On Thu, Jan 24, 2013 at 09:07:44AM -0700, Kevin Fenzi wrote:
> Patrick has written up a proposal to use openid's two factor auth with
> our various apps and fas:
>
> https://fedoraproject.org/wiki/User:Puiterwijk/2factor_policy_proposal
>
> Feedback welcome. ;)
>

Gave him some feedback on IRC. Will summarize here:

* After those are done, add googleauth provisioning to FAS so we can
  treat it the same as yubikey provisioning
* Should the checkbox to enable 2fa not be able to be turned off? If you
  type in your password and 2fa, perhaps it should be able to be turned
  off.
* I know that implementing 2fa to log into fas will cause a lot of
  breakage that we'll have to fix before we deploy:
  - session cookie for fas would have to change so you don't have SSO
    between FAS and other apps.
  - python-fedora api would need to be modified so it can log into fas.
  - web apps would need to be modified so they could log into fas
    with/without 2fa
  - Note: Openid doesn't work for most of our web apps because we need
    group information and openid doesn't provide that.
  - Why do we want to have a second page to type in the otp instead of a
    single page? Single page makes logging in programmatically easier I
    think.

We could think these scenarios through and come up with a more detailed
plan of action (Maybe there's an openid group extension that we could
implement, for instance).

Here's an alternative, though:

- Instead of protecting FAS login, protect changing of the authentication
  information stored in FAS. We already require you to type in your
  password when changing your password. Let's change that to this:
  + If you want to change your password, yubikey, googleauth, or security
    question/answer, you need to type in your password and either a
    yubikey or googleauth otp.
  + If you are enrolling your first password (account creation only -- not
    currently how we do it; we currently set up an initial password that
    the user then has to change) you would not be required to type in a
    previous password/otp
  + If you are adding your first second factor (ex: yubikey without either
    yubikey or googleauth already setup) then you do not need to type in a
    second factor, just your password. Adding a second 2fa would require
    typing in your previous 2fa, though (ie: if you already have yubikey
    and you add googleauth)

Another alternative would be to turn on 2fa for other web apps that use
SSO with FAS. That would make coding around the session cookie disappear.
python-fedora would still need some modification to handle logging in
slightly differently (It would need to prefer the session cookie over a
username + password if an otp was given as the otp wouldn't be good for
subsequent attempts. Probably want to add a new otp parameter to logging
in via python-fedora to differentiate between logging in with just
username+password).

-Toshio
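The "protect changes to the authentication info rather than login" alternative above, modelled as a small policy function. This is an added illustration, not FAS or python-fedora code; the credential names, the `Account` type and the assumption that a password or security-question change on an account with no second factor enrolled needs only the password (the message does not say) are mine.

```python
"""Policy model for the credential-change rules proposed in the message.

Rules as stated (plus one assumption, marked below):
  * change password / yubikey / googleauth / security Q&A:
      password + an OTP from an already-enrolled second factor
  * enrolling the first password (account creation): nothing required
  * adding the first second factor: password only
  * adding another second factor: password + OTP from the existing one
"""
from dataclasses import dataclass, field

SECOND_FACTORS = {"yubikey", "googleauth"}
CREDENTIALS = SECOND_FACTORS | {"password", "security_qa"}


@dataclass
class Account:
    # hypothetical: the credential kinds the account already has enrolled
    enrolled: set = field(default_factory=set)


def required_proofs(account: Account, change: str) -> set:
    """Return the kinds of proof needed before `change` may be made.

    "otp" in the result means an OTP from any already-enrolled second factor.
    """
    if change not in CREDENTIALS:
        raise ValueError(f"unknown credential kind: {change}")
    if change == "password" and "password" not in account.enrolled:
        return set()  # first password at account creation: no prior proof
    has_2fa = bool(account.enrolled & SECOND_FACTORS)
    # ASSUMPTION: with no second factor enrolled yet, only the password can
    # be demanded (covers "first second factor" and plain password changes)
    return {"password", "otp"} if has_2fa else {"password"}


def authorize_change(account: Account, change: str, presented: set) -> bool:
    """True if the verified proofs in `presented` satisfy required_proofs().

    `presented` holds the kinds the user already proved this request, e.g.
    {"password", "yubikey"}.  An OTP only counts if it comes from a factor
    that is enrolled *now*: adding googleauth next to an existing yubikey
    must be confirmed with a yubikey OTP, not the new googleauth one.
    """
    needed = required_proofs(account, change)
    if "password" in needed and "password" not in presented:
        return False
    if "otp" in needed and not (presented & account.enrolled & SECOND_FACTORS):
        return False
    return True
```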
_______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure