(Deferred on Feb 06 FESCo meeting) |
Line 85: | Line 85: | ||
* See [[Talk:Features/EnterpriseTwoFactorAuthentication]] <!-- This adds a link to the "discussion" tab associated with your page. This provides the ability to have ongoing comments or conversation without bogging down the main feature page --> | * See [[Talk:Features/EnterpriseTwoFactorAuthentication]] <!-- This adds a link to the "discussion" tab associated with your page. This provides the ability to have ongoing comments or conversation without bogging down the main feature page --> | ||
[[Category: | [[Category:FeaturePageIncomplete]] | ||
<!-- When your feature page is completed and ready for review --> | <!-- When your feature page is completed and ready for review --> | ||
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler --> | <!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler --> | ||
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete--> | <!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete--> | ||
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process --> | <!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process --> |
Latest revision as of 13:52, 8 February 2013
Enterprise / distributed two-factor authentication
Summary
Provide a flexible solution for two-factor authentication on a distributed basis, suitable for enterprise and SSO.
Owner
- Name: Daniel Pocock
- Email: daniel@pocock.com.au
Current status
- Targeted release: Fedora 19
- Last updated: 2013-01-28
- Percentage of completion: 80%
Detailed Description
Most OTP solutions for two-factor authentication require some kind of storage backend for counters or other volatile data. Early implementations work with flat files on a single host. dynalogin was created to bring stability and flexibility, storing counters in just about any type of database. Other solutions such as totp-cgi have similar goals (although totp-cgi only mentions Postgres support, whereas dynalogin can use MySQL thanks to unixODBC). dynalogin has been successfully integrated with the SimpleID provider for OpenID authentication.
Benefit to Fedora
Users will have a self-contained solution for two-factor authentication without relying on external parties such as RSA.
Scope
Adding dynalogin and SimpleID packages. Additional upstream development work on dynalogin to interface with LDAP, PAM and maybe RADIUS.
How To Test
Ideally, testing will be done with a real token (maybe a dynalogin soft-token on Android). There is also a command line token simulator utility that can be used in testing.
Testing should demonstrate that
- an authorised user can log in to more than one service on more than one host,
- the HOTP algorithm counter is correctly maintained no matter which host the user logs in to,
- it works with the popular soft tokens dynalogin and Google Authenticator for Android,
- it is possible to block an account, and the user will immediately be denied any further login (until unblocked).
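The test criteria above can be modelled in a few lines. This is an added example, not dynalogin's own code: `CounterStore`, `verify` and the `window` parameter are hypothetical names, and an in-memory dict stands in for the shared database that every host would query.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class CounterStore:
    """Stand-in for the shared database all hosts consult (hypothetical)."""
    def __init__(self):
        self.users = {}  # name -> {"secret", "counter", "blocked"}

    def add(self, name, secret):
        self.users[name] = {"secret": secret, "counter": 0, "blocked": False}


def verify(store, name, code, window=3):
    """Accept a code at or ahead of the stored counter, then advance past it.

    A real backend must do the read and update in one atomic transaction.
    """
    user = store.users.get(name)
    if user is None or user["blocked"]:
        return False
    for c in range(user["counter"], user["counter"] + window):
        if hmac.compare_digest(hotp(user["secret"], c), code):
            user["counter"] = c + 1  # consumed: no host may accept it again
            return True
    return False


def demo():
    store = CounterStore()  # one store, shared by "host A" and "host B"
    secret = b"12345678901234567890"  # RFC 4226 test secret (constructed input)
    store.add("alice", secret)
    results = [verify(store, "alice", hotp(secret, 0))]      # host A: accepted
    results.append(verify(store, "alice", hotp(secret, 0)))  # host B: replay
    results.append(verify(store, "alice", hotp(secret, 1)))  # host B: next code
    store.users["alice"]["blocked"] = True
    results.append(verify(store, "alice", hotp(secret, 2)))  # blocked: denied
    return results


if __name__ == "__main__":
    print(demo())
```

With per-host flat files, the replayed code in the second step would be accepted on host B, which is the failure the shared counter store prevents.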
User Experience
The end user can conveniently use common soft tokens like dynalogin and Google Authenticator for Android.
Dependencies
- SimpleID and dynalogin do not depend on each other, but they do work well together.
- dynalogin depends on the oath-toolkit
Contingency Plan
These are new packages and have no impact on unrelated packages or the system as a whole if they are not ready on time.
Documentation
- http://www.dynalogin.org
- http://www.simpleid.org
- http://packages.debian.org/sid/dynalogin-server (also in Debian)
Release Notes
- Better support for distributed two-factor authentication and Single-Sign-On (SSO) using dynalogin and SimpleID