<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:secondfactor</title>
<meta name="generator" content="DokuWiki" />
<meta name="robots" content="index,follow" />
<meta name="keywords" content="documentation,2.0,secondfactor" />
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG" />
<link rel="start" href="secondfactor.html" />
<link rel="contents" href="secondfactor.html" title="Sitemap" />
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css" />
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO={"id":"documentation:2.0:secondfactor","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#providing_tokens_from_an_external_source">Providing tokens from an external source</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#u2f_tokens">U2F Tokens</a></div></li>
<li class="level2"><div class="li"><a href="#totp_tokens">TOTP Tokens</a></div></li>
<li class="level2"><div class="li"><a href="#yubikey_tokens">Yubikey Tokens</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#developer_corner">Developer corner</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="second_factors">Second Factors</h1>
<div class="level1">
<p>
Two-Factor Authentication <em>(also known as 2FA)</em> is a kind (subset) of <a href="https://en.wikipedia.org/wiki/Multi-factor_authentication" class="urlextern" title="https://en.wikipedia.org/wiki/Multi-factor_authentication" rel="nofollow">multi-factor authentication</a>. It is a method to confirm a user's claimed identity by combining two different factors from among:
</p>
<ol>
<li class="level1"><div class="li">something they know <em>(login / password, …)</em></div>
</li>
<li class="level1"><div class="li">something they have <em>(U2F key, smartphone, …)</em></div>
</li>
<li class="level1"><div class="li">something they are <em>(biometrics like fingerprints, …)</em></div>
</li>
</ol>
<p>
Since 2.0, LLNG provides second factor plugins that can be used to complete an authentication module with 2FA:
</p>
<ul>
<li class="level1"><div class="li"><a href="u2f.html" class="wikilink1" title="documentation:2.0:u2f">U2F tokens</a></div>
</li>
<li class="level1"><div class="li"><a href="totp2f.html" class="wikilink1" title="documentation:2.0:totp2f">TOTP</a> <em>(to use with <a href="https://freeotp.github.io/" class="urlextern" title="https://freeotp.github.io/" rel="nofollow">FreeOTP</a>, <a href="https://en.wikipedia.org/wiki/Google_Authenticator" class="urlextern" title="https://en.wikipedia.org/wiki/Google_Authenticator" rel="nofollow">Google Authenticator</a>, …)</em></div>
</li>
<li class="level1"><div class="li"><a href="utotp2f.html" class="wikilink1" title="documentation:2.0:utotp2f">U2F-or-TOTP</a> <em>(enable both U2F and TOTP)</em></div>
</li>
<li class="level1"><div class="li"><a href="yubikey2f.html" class="wikilink1" title="documentation:2.0:yubikey2f">Yubikey tokens</a> <em>(provided by Yubico)</em></div>
</li>
<li class="level1"><div class="li"><a href="rest2f.html" class="wikilink1" title="documentation:2.0:rest2f">REST</a> <em>(remote REST app)</em></div>
</li>
<li class="level1"><div class="li"><a href="external2f.html" class="wikilink1" title="documentation:2.0:external2f">External 2F</a> <em>(to call an external command)</em></div>
</li>
</ul>
<div class="notetip">If you want to force 2F registration on first login, you can enable “Require 2FA”. You can also use a rule to force 2FA registration only for some users.
</div>
</div>
<!-- EDIT1 SECTION "Second Factors" [1 - 1165] -->
<h2 class="sectionedit2" id="providing_tokens_from_an_external_source">Providing tokens from an external source</h2>
<div class="level2">
<p>
If you don't want to use the self-registration features for U2F, TOTP and so on, you can provision tokens yourself <em>(in your LDAP server, for example)</em> and map them to the <code>_2fDevices</code> attribute. <code>_2fDevices</code> is a JSON array of token descriptions:
</p>
<pre class="code json">[{"type": "TOTP", "name": "MyTOTP", …}, {&lt;other_token&gt;}, …]</pre>
</div>
<!-- EDIT2 SECTION "Providing tokens from an external source" [1166 - 1559] -->
<h3 class="sectionedit3" id="u2f_tokens">U2F Tokens</h3>
<div class="level3">
<pre class="code json">{"name": "MyU2FKey", "type": "U2F", "_userKey": "########", "_keyHandle": "########", "epoch": "1524078936"}</pre>
</div>
<!-- EDIT3 SECTION "U2F Tokens" [1560 - 1717] -->
<h3 class="sectionedit4" id="totp_tokens">TOTP Tokens</h3>
<div class="level3">
<pre class="code json">{"name": "MyTOTP", "type": "TOTP", "_secret": "########", "epoch": "1523817955"}</pre>
</div>
<!-- EDIT4 SECTION "TOTP Tokens" [1718 - 1850] -->
<h3 class="sectionedit5" id="yubikey_tokens">Yubikey Tokens</h3>
<div class="level3">
<pre class="code json">{"name": "MyYubikey", "type": "UBK", "_yubikey": "########", "epoch": "1523817715"}</pre>
</div>
<!-- EDIT5 SECTION "Yubikey Tokens" [1851 - 1989] -->
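<p>As an added example (not LLNG's own code), the following Python helpers build a <code>_2fDevices</code> value from the three token descriptions shown above and validate a stored value before it is written to the user entry. The required-field table is derived from those descriptions and is an assumption, the <code>PLACEHOLDER</code> secrets are constructed sample values, and no LDAP connection is made.</p>

```python
import json
import time

# Required keys per token type, besides "name", "type" and "epoch", taken
# from the token descriptions on this page ("UBK" is the Yubikey type). Assumption.
REQUIRED_FIELDS = {
    "U2F": ("_userKey", "_keyHandle"),
    "TOTP": ("_secret",),
    "UBK": ("_yubikey",),
}

def make_device(dev_type, name, epoch=None, **secrets):
    """Return one token description; epoch is stored as a string, as in
    the page's examples (current time when not given)."""
    if dev_type not in REQUIRED_FIELDS:
        raise ValueError(f"unknown 2F type: {dev_type!r}")
    missing = [k for k in REQUIRED_FIELDS[dev_type] if k not in secrets]
    if missing:
        raise ValueError(f"{dev_type} token is missing {missing}")
    dev = {"name": name, "type": dev_type, **secrets}
    dev["epoch"] = str(int(time.time()) if epoch is None else epoch)
    return dev

def build_2f_devices(devices):
    """Serialise the list to the compact JSON string stored in the entry."""
    return json.dumps(devices, separators=(",", ":"))

def validate_2f_devices(value):
    """Parse a stored _2fDevices value and return its (name, type) pairs;
    raise ValueError for anything the portal could not use."""
    devices = json.loads(value)
    if not isinstance(devices, list):
        raise ValueError("_2fDevices must be a JSON array")
    result = []
    for i, dev in enumerate(devices):
        if not isinstance(dev, dict):
            raise ValueError(f"entry {i} is not a JSON object")
        for key in ("name", "type", "epoch"):
            if key not in dev:
                raise ValueError(f"entry {i} lacks {key!r}")
        if dev["type"] not in REQUIRED_FIELDS:
            raise ValueError(f"entry {i}: unknown type {dev['type']!r}")
        for key in REQUIRED_FIELDS[dev["type"]]:
            if not dev.get(key):
                raise ValueError(f"entry {i} ({dev['type']}): empty {key!r}")
        if not str(dev["epoch"]).isdigit():
            raise ValueError(f"entry {i}: epoch must be a Unix timestamp")
        result.append((dev["name"], dev["type"]))
    return result
```

Run <code>validate_2f_devices</code> on the value read back from the directory: a token with a missing secret or an unknown type is rejected before the user is locked out of their second factor.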
<h2 class="sectionedit6" id="developer_corner">Developer corner</h2>
<div class="level2">
<p>
To develop a new 2FA plugin, read the <code>Lemonldap::NG::Portal::Main::SecondFactor (3pm)</code> manpage. Your 2F module must be a Perl class named <code>Lemonldap::NG::Portal::2F::<em>&lt;custom_name&gt;</em></code>. To enable it, set the <code>available2F</code> key in your <code>lemonldap-ng.ini</code> file:
</p>
<pre class="code ini"><span class="re0"><span class="br0">[</span>portal<span class="br0">]</span></span>
<span class="re1">available2F</span> <span class="sy0">=</span> <span class="re2">U2F,TOTP,&lt;custom_name&gt;</span></pre>
<p>
To enable the Manager's Second Factor Administration module, set the <code>enabledModules</code> key in your <code>lemonldap-ng.ini</code> file:
</p>
<pre class="code ini"><span class="re0"><span class="br0">[</span>portal<span class="br0">]</span></span>
<span class="re1">enabledModules</span> <span class="sy0">=</span> <span class="re2">conf, sessions, notifications, 2ndFA</span></pre>
</div>
<!-- EDIT6 SECTION "Developer corner" [1990 - ] --></div>
</body>
</html>