Re: [Freeipa-users] OTP and time step size

2016-04-29 Thread Petr Vobornik
On 04/29/2016 12:37 PM, Prashant Bapat wrote:
> Hi Petr,
> 
> Thanks for the response. But my question was more towards the cases where
> there is a slight delay in entering the OTP in the web UI and it reaching
> the IPA server. This actually can happen with ANY time window.
> 
> There are a couple of scenarios.
> 
> 1. Network delays.
> 2. User enters the OTP token and takes a few seconds before pressing submit.
> 3. User has to enter OTP first and then the password. This is the case when
> changing password in IPA at the moment when OTP is on.

Actually the password change scenario is:
1. oldpassword + otp
2. old password + otp2 + new password + confirm new password

> 
> Is there a way to make IPA honor either the current token (obviously!) or 1 
> elapsed token?

Actually it may be done this way, but I'm not sure.

> 
> This will go a long way in making FreeIPA's OTP implementation much more 
> usable.

Either way, as I said in the previous mail, try HOTP tokens. They don't
use time windows and therefore the above is not an issue.

> 
> Thanks.
> --Prashant
> 
> On 25 April 2016 at 21:48, Petr Vobornik  > wrote:
> 
> On 04/22/2016 08:55 AM, Prashant Bapat wrote:
> > Hi,
> >
> > We have been using the OTP feature of FreeIPA extensively for users to
> > login to the web UI. Now we are rolling out an external service using the LDAP
> > authentication based on FreeIPA and OTP.
> >
> > End users typically login rarely to the web UI. Only to update their SSH keys
> > once in 90 days.
> >
> > However to the new service based on FreeIPA's LDAP they would be logging in
> > multiple times daily.
> >
> > Here is an observation: FreeIPA's OTP mechanism is very stringent in
> > requiring the current token to be inside the 30 second window. Because of this
> > there might be a sizable percentage of users who will have to retry login.
> > Obviously, this is a bad user experience.
> >
> > As per the RFC-6238 section 5.2, we
> > could allow 1 time step and make the user experience better.
> >
> > Can this be done by changing a config or does it involve a
> > patch/code-change? Any pointers to this appreciated.
> >
> > Thanks.
> > --Prashant
> >
> 
> FreeIPA works with both time based OTP tokens(TOTP) and counter based
> OTP tokens(HOTP). TOTP uses 30s time interval by default. Administrator
> can set custom clock interval during creation of a token. But
> self-service Web UI doesn't show this option. Users can still use it in
> CLI though.
> 
> Alternative is HOTP which doesn't use time interval and there the UX
> issue is not there. It can be also created in user self service.
> --
> Petr Vobornik
> 
> 


-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] OTP and time step size

2016-04-29 Thread Prashant Bapat
Hi Petr,

Thanks for the response. But my question was more towards the cases where
there is a slight delay in entering the OTP in the web UI and it reaching
the IPA server. This actually can happen with ANY time window.

There are a couple of scenarios.

1. Network delays.
2. User enters the OTP token and takes a few seconds before pressing
submit.
3. User has to enter OTP first and then the password. This is the case when
changing password in IPA at the moment when OTP is on.

Is there a way to make IPA honor either the current token (obviously!) or 1
elapsed token?

This will go a long way in making FreeIPA's OTP implementation much more
usable.

Thanks.
--Prashant

On 25 April 2016 at 21:48, Petr Vobornik  wrote:

> On 04/22/2016 08:55 AM, Prashant Bapat wrote:
> > Hi,
> >
> > We have been using the OTP feature of FreeIPA extensively for users to
> > login to the web UI. Now we are rolling out an external service using the LDAP
> > authentication based on FreeIPA and OTP.
> >
> > End users typically login rarely to the web UI. Only to update their SSH keys
> > once in 90 days.
> >
> > However to the new service based on FreeIPA's LDAP they would be logging in
> > multiple times daily.
> >
> > Here is an observation: FreeIPA's OTP mechanism is very stringent in
> > requiring the current token to be inside the 30 second window. Because of this
> > there might be a sizable percentage of users who will have to retry login.
> > Obviously, this is a bad user experience.
> >
> > As per the RFC-6238 section 5.2, we
> > could allow 1 time step and make the user experience better.
> >
> > Can this be done by changing a config or does it involve a
> > patch/code-change? Any pointers to this appreciated.
> >
> > Thanks.
> > --Prashant
> >
>
> FreeIPA works with both time based OTP tokens(TOTP) and counter based
> OTP tokens(HOTP). TOTP uses 30s time interval by default. Administrator
> can set custom clock interval during creation of a token. But
> self-service Web UI doesn't show this option. Users can still use it in
> CLI though.
>
> Alternative is HOTP which doesn't use time interval and there the UX
> issue is not there. It can be also created in user self service.
> --
> Petr Vobornik
>

[Freeipa-users] OTP and time step size

2016-04-22 Thread Prashant Bapat
Hi,

We have been using the OTP feature of FreeIPA extensively for users to
login to the web UI. Now we are rolling out an external service using the
LDAP authentication based on FreeIPA and OTP.

End users typically login rarely to the web UI. Only to update their SSH
keys once in 90 days.

However to the new service based on FreeIPA's LDAP they would be logging in
multiple times daily.

Here is an observation: FreeIPA's OTP mechanism is very stringent in
requiring the current token to be inside the 30 second window. Because of
this there might be a sizable percentage of users who will have to retry
login. Obviously, this is a bad user experience.

As per the RFC-6238  section 5.2,
we could allow 1 time step and make the user experience better.

Can this be done by changing a config or does it involve a
patch/code-change? Any pointers to this appreciated.

Thanks.
--Prashant
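As an added illustration of the RFC 6238 section 5.2 tolerance the thread asks about (example code, not FreeIPA's implementation and not code from either poster), the Python verifier below accepts the current 30-second step or one elapsed step, and remembers the last accepted step so that a code already used cannot be replayed inside the widened window. The secret is the RFC 4226/6238 test-vector seed, used here only as a constructed sample.

```python
import hashlib
import hmac
import struct

# Constructed sample seed (the RFC 4226 / RFC 6238 test-vector secret), not a real token.
SECRET = b"12345678901234567890"
STEP = 30  # FreeIPA's default TOTP interval, as stated in the thread


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, now: int, lookback: int = 1,
                last_step: int = -1, step: int = STEP):
    """Accept the code for the current step or up to `lookback` earlier steps.

    Returns the time step the code matched, or None.  Any step at or before
    `last_step` (the step of the last accepted code) is rejected, so widening
    the window does not let the same code be submitted twice.
    """
    current = now // step
    for delta in range(lookback + 1):
        candidate = current - delta
        if candidate <= last_step:
            break  # candidates only get older from here
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


if __name__ == "__main__":
    code = totp(SECRET, 59)            # generated near the end of step 1
    print("strict:", verify_totp(SECRET, code, 75, lookback=0))   # None: now in step 2
    print("1 step:", verify_totp(SECRET, code, 75, lookback=1))   # 1: accepted
    print("replay:", verify_totp(SECRET, code, 80, lookback=1, last_step=1))  # None
```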