Enterprise / distributed two-factor authentication
Summary
Provide a flexible solution for two-factor authentication on a distributed basis, suitable for enterprise and SSO.
Owner
- Name: Daniel Pocock
- Email: daniel@pocock.com.au
Current status
- Targeted release: Fedora 19
- Last updated: 2013-01-28
- Percentage of completion: 80%
Detailed Description
Most OTP solutions for two-factor authentication require some kind of storage backend for counters or other volatile data. Early implementations work with flat files on a single host. dynalogin was created to bring stability and flexibility, storing counters in just about any type of database. Other solutions such as totp-cgi have similar goals (although it only mentions Postgres support, whereas dynalogin can also use MySQL thanks to unixODBC). dynalogin has been successfully integrated with the SimpleID provider for OpenID authentication.
Benefit to Fedora
Users will have a self contained solution for two-factor authentication without relying on external parties such as RSA.
Scope
Adding dynalogin and SimpleID packages. Additional upstream development work on dynalogin to interface with LDAP, PAM and maybe RADIUS.
How To Test
Ideally, testing will be done with a real token (maybe a dynalogin soft-token on Android). There is also a command line token simulator utility that can be used in testing.
Testing should demonstrate that
- an authorised user can log in to more than one service on more than one host,
- the HOTP algorithm counter is correctly maintained no matter which host the user logs in to,
- it works with the popular soft tokens dynalogin and Google Authenticator for Android,
- it is possible to block an account so that the user is immediately denied any further login (until unblocked).
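The test items above, as an added example that is not code from the dynalogin or SimpleID projects: an RFC 4226 HOTP check against a single shared counter store, so a code consumed on one host is rejected as a replay on any other host, and a blocked account fails immediately. The `SharedCounterStore` class, the `verify` function and the in-memory dict standing in for the database are assumptions made for the example.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamic truncation, then the low `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SharedCounterStore:
    """Assumed stand-in for the shared database backend: every host that
    verifies a code reads and advances the same per-user record."""

    def __init__(self):
        self.users = {}  # user -> {"secret", "counter", "blocked"}

    def add_user(self, user: str, secret: bytes) -> None:
        self.users[user] = {"secret": secret, "counter": 0, "blocked": False}

    def block(self, user: str) -> None:
        self.users[user]["blocked"] = True

    def unblock(self, user: str) -> None:
        self.users[user]["blocked"] = False


def verify(store: SharedCounterStore, user: str, code: str, window: int = 10) -> bool:
    """Accept the code if it matches one of the next `window` counter values,
    then move the stored counter past the value used, so the same code can
    never be accepted again on this or any other host."""
    rec = store.users.get(user)
    if rec is None or rec["blocked"]:
        return False  # unknown or blocked account: deny before any OTP work
    for step in range(window):
        candidate = rec["counter"] + step
        if hmac.compare_digest(hotp(rec["secret"], candidate), code):
            rec["counter"] = candidate + 1  # skipped values are burned too
            return True
    return False
```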
User Experience
The end user can conveniently use common soft tokens like dynalogin and Google Authenticator for Android.
Dependencies
- SimpleID and dynalogin do not depend on each other, but they do work well together.
- dynalogin depends on the oath-toolkit
Contingency Plan
These are new packages and have no impact on unrelated packages or the system as a whole if they are not ready on time.
Documentation
- http://www.dynalogin.org
- http://www.simpleid.org
- http://packages.debian.org/sid/dynalogin-server (also in Debian)
Release Notes
- Better support for distributed two-factor authentication and Single-Sign-On (SSO) using dynalogin and SimpleID