Features/EnterpriseTwoFactorAuthentication

From FedoraProject

(Deferred on Feb 06 FESCo meeting)
 
  
[[Category:FeatureAnnounced]]
+
[[Category:FeaturePageIncomplete]]
 

Latest revision as of 13:52, 8 February 2013


Enterprise / distributed two-factor authentication

Summary

Provide a flexible solution for two-factor authentication on a distributed basis, suitable for enterprise and SSO.

Owner

  • Email: daniel@pocock.com.au

Current status

  • Targeted release: Fedora 19
  • Last updated: 2013-01-28
  • Percentage of completion: 80%

Detailed Description

Most OTP solutions for two-factor authentication require a storage backend for counters or other volatile data. Early implementations work with flat files on a single host. dynalogin was created to bring stability and flexibility by storing counters in just about any type of database. Other solutions such as totp-cgi have similar goals (although totp-cgi only mentions Postgres support, whereas dynalogin can use MySQL thanks to UNIXODBC). dynalogin has been successfully integrated with the SimpleID provider for OpenID authentication.

Benefit to Fedora

Users will have a self-contained solution for two-factor authentication without relying on external parties such as RSA.

Scope

Adding dynalogin and SimpleID packages. Additional upstream development work on dynalogin to interface with LDAP, PAM and maybe RADIUS.

How To Test

Ideally, testing will be done with a real token (maybe a dynalogin soft-token on Android). There is also a command line token simulator utility that can be used in testing.

Testing should demonstrate that:

  • an authorised user can log in to more than one service on more than one host,
  • the HOTP algorithm counter is correctly maintained no matter which host the user logs in to,
  • it works with the popular soft tokens 'dynalogin' and 'Google Authenticator' for Android,
  • an account can be blocked, and the user is then immediately denied any further login (until unblocked).
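
The counter and blocking properties in the list above can be shown with a small model. This is an added example, not code from dynalogin or from this feature page: the `Host` class, `enroll` helper and in-memory dict standing in for the shared database are hypothetical, and HOTP is implemented directly from RFC 4226 rather than through oath-toolkit.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def enroll(store: dict, user: str, secret: bytes) -> None:
    """Add a user record; `store` stands in for the shared database table."""
    store[user] = {"secret": secret, "counter": 0, "blocked": False}


class Host:
    """One login host; hosts given the same store share one counter per user."""

    def __init__(self, store: dict, window: int = 3):
        self.store, self.window = store, window

    def login(self, user: str, code: str) -> bool:
        rec = self.store.get(user)
        if rec is None or rec["blocked"]:
            return False
        # Look ahead a few counter values in case the token was pressed unused.
        for c in range(rec["counter"], rec["counter"] + self.window):
            if hmac.compare_digest(hotp(rec["secret"], c), code):
                rec["counter"] = c + 1  # burn this code and every earlier one
                return True
        return False


def demo() -> dict:
    secret = b"12345678901234567890"  # RFC 4226 Appendix D test secret
    shared, isolated = {}, {}
    enroll(shared, "alice", secret)
    enroll(isolated, "alice", secret)  # a host with its own flat-file style store
    host_a, host_b, host_c = Host(shared), Host(shared), Host(isolated)
    out = {"first_on_a": host_a.login("alice", hotp(secret, 0))}
    out["replay_on_b"] = host_b.login("alice", hotp(secret, 0))
    out["replay_on_isolated_c"] = host_c.login("alice", hotp(secret, 0))
    out["next_on_b"] = host_b.login("alice", hotp(secret, 1))
    shared["alice"]["blocked"] = True
    out["blocked_on_a"] = host_a.login("alice", hotp(secret, 2))
    return out
```

With a real database backend, the counter read, comparison and update in `login` would need to run inside one transaction so that two hosts cannot both accept the same code.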

User Experience

The end user can conveniently use common soft tokens like 'dynalogin' and 'Google Authenticator' for Android.

Dependencies

  • SimpleID and dynalogin do not depend on each other, but they do work well together.
  • dynalogin depends on the oath-toolkit.

Contingency Plan

These are new packages and have no impact on unrelated packages or the system as a whole if they are not ready on time.

Documentation

Release Notes

  • Better support for distributed two-factor authentication and Single-Sign-On (SSO) using dynalogin and SimpleID.

Comments and Discussion