From Fedora Project Wiki
(Feature has been announced on devel-announce mailing list on 2013-01-29)
(Moved to FeatureReadyForFesco for approval (#1036))
Revision as of 12:02, 5 February 2013

Enterprise / distributed two-factor authentication

Summary

Provide a flexible solution for two-factor authentication on a distributed basis, suitable for enterprise and SSO.

Owner

  • Email: daniel@pocock.com.au

Current status

  • Targeted release: Fedora 19
  • Last updated: 2013-01-28
  • Percentage of completion: 80%

Detailed Description

Most OTP solutions for two-factor authentication require some kind of storage backend for counters or other volatile data. Early implementations worked with flat files on a single host. dynalogin was created to bring stability and flexibility, storing counters in just about any type of database. Other solutions such as totp-cgi have similar goals (although totp-cgi only mentions Postgres support, whereas dynalogin can also use MySQL thanks to unixODBC). dynalogin has been successfully integrated with the SimpleID provider for OpenID authentication.

Benefit to Fedora

Users will have a self-contained solution for two-factor authentication without relying on external parties such as RSA.

Scope

Adding dynalogin and SimpleID packages. Additional upstream development work on dynalogin to interface with LDAP, PAM and maybe RADIUS.

How To Test

Ideally, testing will be done with a real token (maybe a dynalogin soft-token on Android). There is also a command line token simulator utility that can be used in testing.

Testing should demonstrate that

  • an authorised user can log in to more than one service on more than one host,
  • the HOTP counter is correctly maintained no matter which host the user logs in to,
  • the popular Android soft tokens dynalogin and Google Authenticator work with it,
  • an account can be blocked, after which the user is immediately denied any further login (until unblocked).
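The two counter-related test criteria above (a shared HOTP counter across hosts, and immediate denial once an account is blocked) can be exercised without a real token. The following is an added example written for this page, not dynalogin's own code: it implements RFC 4226 HOTP and a verifier in which two hypothetical hosts consult one shared counter store, so a code used on one host is rejected as a replay on the other. The in-memory `CounterStore` stands in for the database backend; the secret is the RFC 4226 test key.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class CounterStore:
    """Stand-in for the shared database that holds per-user counters (constructed for this example).
    Every verifying host reads and writes this one object, so the counter is global, not per host."""

    def __init__(self):
        self.users = {}  # user -> {"secret": bytes, "counter": int, "blocked": bool, "last_host": str}

    def enrol(self, user: str, secret: bytes) -> None:
        self.users[user] = {"secret": secret, "counter": 0, "blocked": False, "last_host": None}

    def block(self, user: str, blocked: bool = True) -> None:
        self.users[user]["blocked"] = blocked


def verify(store: CounterStore, host: str, user: str, code: str, window: int = 5) -> bool:
    """Validate a submitted code on behalf of `host` (hypothetical host name, used only for the audit field).
    A blocked or unknown user is refused before any HMAC work. The look-ahead window tolerates codes the
    token generated but the server never saw. On success the counter is moved past the matched value,
    so the same code cannot be replayed on this host or any other sharing the store."""
    rec = store.users.get(user)
    if rec is None or rec["blocked"]:
        return False
    for c in range(rec["counter"], rec["counter"] + window):
        if hmac.compare_digest(hotp(rec["secret"], c), code):
            rec["counter"] = c + 1
            rec["last_host"] = host
            return True
    return False


if __name__ == "__main__":
    store = CounterStore()
    store.enrol("alice", b"12345678901234567890")  # RFC 4226 Appendix D test secret
    print(verify(store, "hostA", "alice", "755224"))  # True: counter 0 accepted on host A
    print(verify(store, "hostB", "alice", "755224"))  # False: same code replayed via host B
    store.block("alice")
    print(verify(store, "hostB", "alice", "287082"))  # False: account blocked
```

The RFC 4226 test vectors (755224, 287082, 359152, 969429, 338314, 254676, ...) are the codes for counters 0, 1, 2, 3, 4, 5, so the behaviour of the window and the block flag can be checked by hand.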

User Experience

The end user can conveniently use common Android soft tokens such as dynalogin and Google Authenticator.

Dependencies

  • SimpleID and dynalogin do not depend on each other, but they do work well together.
  • dynalogin depends on the oath-toolkit

Contingency Plan

These are new packages and have no impact on unrelated packages or the system as a whole if they are not ready on time.

Documentation

Release Notes

  • Better support for distributed two-factor authentication and Single-Sign-On (SSO) using dynalogin and SimpleID

Comments and Discussion