IPA/IDM Identity Management - 2FA or 2 Factor Authentication
Based on my many, many years of IT experience, I'd estimate that most enterprises, domains, and other applications and services do NOT take advantage of multi-factor authentication; for most, one-factor or single-factor authentication (1FA) seemed adequate and is the easiest for the end user.
As a reminder: identity is who or what you are, and authentication is proving that claim. A factor is the evidence used for the proof, and the most common one is a secret that only the person (identity) knows, such as a password.
Before we go any further though, let's take a look at a few authentication schemes:
0FA: Zero-factor authentication is something you and everyone else (potentially) knows, and that is your identity. An example is a Linux system that has no root password set, or a system whose root or admin account still has the factory-default password (which is effectively public). Don't do this!
1FA: Single-factor authentication is who you are (identity) + something you know, such as a password. Certainly a big improvement over 0FA. An example of 1FA would be: my username + my password. Note that the username is not a factor; it is the identity being claimed. And hopefully the password is not shared. Don't share passwords!
2FA: Two-factor authentication is who you are + something you know + something you have. Something you have could be an RSA token; in the case of IPA/IDM it can be hardware such as a programmable YubiKey, or a software authenticator such as FreeOTP. Check your vendor for all available options.
Regardless though of what is used for "something you have" - hardware or software tokens - they all perform the same purpose: To generate a one-time password or OTP.
Below are two examples of an OTP display, one from an RSA token and one from FreeOTP (smartphone based). (Images not included.)
In both cases the OTP is a 6-digit code, which is typical. It looks random, but it is computed from a secret shared between the token and the server; that shared secret is what allows the server to check the code.
OTPs can be time based or counter based (sometimes called event based or request based). A time-based OTP changes every time step (typically 30 seconds) and is valid only for that window, while a counter-based OTP is generated on request and each request advances a counter on the token.
IPA/IDM stores OTP tokens in its own LDAP directory, attached to the user entries, and validates the password + OTP in its Kerberos KDC. This means that for the most part implementing 2FA on IPA/IDM is a straightforward process and can be done almost entirely from the web UI. There are a few minor exceptions, such as YubiKey, which has to be added using the command-line interface (CLI).
And in case you're wondering: YES, the OTP device or application has to be provisioned with the user's token secret so that it stays in sync with the server. The exact method varies by token type, but often a QR code can be scanned to configure a software token. For counter-based tokens the server must also keep its counter in step with the device, since a user who generates codes without logging in moves the token ahead of the server.
QR code: (image not included)
In addition, IPA/IDM can use multiple token types, so administrators are not limited to a single token type.
I won't go into this in great detail other than to say that IPA/IDM supports OTPs generated with the following two algorithms:
- The HMAC-Based One-Time Password (HOTP) algorithm (RFC 4226) is based on a counter. HMAC stands for Hash-based Message Authentication Code.
- The Time-Based One-Time Password (TOTP) algorithm (RFC 6238) is an extension of HOTP that uses the current time, divided into fixed steps, as the moving factor instead of a counter.
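To make the two algorithms and the "synchronization" point concrete, here is an added example (not code from the post or from FreeIPA) that implements HOTP and TOTP as the RFCs specify, builds the otpauth:// URI that an enrolment QR code encodes, and shows how a server verifies codes with a small tolerance window. The secret is the RFC 4226/6238 test-vector key; the issuer name EXAMPLE.COM and account alice are made up for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Shared secret from the RFC 4226 / RFC 6238 test vectors (constructed input).
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> N digits."""
    moving_factor = struct.pack(">Q", counter)        # 8-byte big-endian counter
    mac = hmac.new(secret, moving_factor, algo).digest()
    offset = mac[-1] & 0x0F                            # low nibble of last byte
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, period=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(T / period)."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // period, digits, algo)


def otpauth_uri(kind, issuer, account, secret, digits=6, period=30, algorithm="SHA1"):
    """Build the otpauth:// URI an enrolment QR code carries (secret is base32)."""
    label = quote(f"{issuer}:{account}")
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://{kind}/{label}?secret={b32}&issuer={quote(issuer)}"
           f"&algorithm={algorithm}&digits={digits}")
    if kind == "totp":
        uri += f"&period={period}"
    return uri


def verify_totp(secret, code, unix_time, period=30, digits=6, skew=1):
    """Server side: accept the current step plus/minus `skew` steps of clock drift."""
    base = unix_time // period
    for step in range(base - skew, base + skew + 1):
        if hmac.compare_digest(hotp(secret, step, digits), code):
            return True
    return False


def verify_hotp(secret, code, stored_counter, digits=6, look_ahead=10):
    """Server side for counter tokens: search a look-ahead window and return the
    next counter to store on success (re-sync), or None if no code matches."""
    for c in range(stored_counter, stored_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))                  # RFC: 755224
    print("TOTP at T=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))  # RFC: 94287082
    print(otpauth_uri("totp", "EXAMPLE.COM", "alice", RFC_SECRET))
    print("re-synced counter:", verify_hotp(RFC_SECRET, "359152", 0))
```

The verification functions show why the server must tolerate some drift: a TOTP device's clock is never exactly the server's, and an HOTP token gets ahead whenever a code is generated but not used, so the server searches a bounded window and, for HOTP, moves its stored counter forward when it finds a match. Keep both windows small; every extra step accepted is another code an attacker could guess.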
Now let's take a look at an example of logging into a workstation using 2FA:
In the screen capture (not included), a user would enter the following:
1. Their username
2. Their password
3. OTP
As noted above, the OTP is either counter based (generated on demand) or time based, in which case the user refers to their token for the code currently displayed.
Bottom line: If your information is worth protecting, step up to 2FA now. It's never been easier or cheaper!