Hi Florian,

We're in the process of trialling two-factor authentication for some of our 
services - we're mostly using hardware tokens but we also support software 
tokens like Google Authenticator - it's all relatively straightforward.

We have multiple routes for validating a one time password, including using 
CoSign to allow a webapp to request OTP as an additional factor, as you 
describe (i.e. something like "CosignRequireFactor OTP" on the webapp side)

The drawback you describe doesn't occur if you configure the OTP factor as 
secondary (option '-2' in cosign.conf):
*  If the user is authenticating to a non-OTP service they'll not be required 
to submit an OTP.
*  If the user later visits a service that does require OTP, the user will be 
shown the login page with the OTP field visible, and will only be required to 
satisfy *that* factor (since the primary factor is already provided).
*  If the user hasn't already authenticated for their primary factor (or if the 
webapp has requested re-authentication) the user is prompted for both password 
and OTP in one go, and the OTP validation will only be attempted if the 
password validation succeeds.
*  The javascript on the default template hides and shows the fields as they 
are required to prevent user confusion.

One point that took us a few months to realise (and nearly cost us a lot of 
money) is that many hardware tokens use the same algorithm as Google 
Authenticator (i.e. HOTP/TOTP), so you may be able to buy the tokens 
off-the-shelf and use the reference code on googlecode, rather than pay a 
supplier lots of money for a proprietary library that does little more than the 
algorithm described in RFC4226.

--
Steve Bennett, Lancaster University

From: Florian Mueller [mailto:flo2muel...@gmail.com]
Sent: 08 January 2013 12:03
To: cosign-discuss@lists.sourceforge.net
Subject: [Cosign-discuss] Conditional Factors

Hi all,

I have set up Kerberos and Cosign to work correctly with username and password. 
Now I'd like to set up two-factor authentication using Google Authenticator.

The setup should be like this:

1) User is presented a login page with just username & password on it
2) User enters correct credentials
2.1) An additional factor gets called which determines the required two-factor 
method for the user via LDAP or similar (database).
3) User is presented a login page with just the form field for auth-token.
4) User enters correct token and is authenticated.

Is it possible to achieve this? ATM I only see the possibility to enable the 
two-factor auth based on CosignRequireFactor, and the user has to post all data 
(user, password, token) inside one request, which is not handy when 
authentication methods may differ between users.

Is there any way I can get something like this to work, or is Cosign the wrong 
tool for such a setup?

Regards,
Florian
_______________________________________________
Cosign-discuss mailing list
Cosign-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/cosign-discuss
