Second Factors

Two-Factor Authentication (also known as 2FA) is a subset of multi-factor authentication. It is a method to confirm a user's claimed identity by using a combination of two different factors:

  1. something they know (login / password, …),
  2. something they have (U2F Key, smartphone, …) or
  3. something they are (biometrics like fingerprints, …).

Since 2.0, LL-NG provides some second factor plugins that can be used to complete the authentication module with 2FA:

Providing tokens from an external source

If you don't want to use the self-registration features for U2F, TOTP and so on, you can set tokens yourself (in your LDAP server, for example) and map them to the _2fDevices attribute. _2fDevices is a JSON array that contains token descriptions:

[ {"type" : "TOTP", "name" : "MyTOTP", …}, {<other_token>}, …]

U2F Tokens

{"name" : "MyU2FKey" , "type" : "U2F" , "_userKey" : "########" , "_keyHandle":"########" , "epoch":"1524078936"}

TOTP Tokens

{"name" : "MyTOTP" , "type" : "TOTP" , "_secret" : "########" , "epoch" : "1523817955"}

Yubikey Tokens

{"name" : "MyYubikey" , "type" : "UBK" , "_yubikey" : "########" , "epoch" : "1523817715"}
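When tokens are provisioned from an external source, a malformed _2fDevices value is easier to catch before it is written to the directory. The following check is an added example, not LL-NG code: the function names are hypothetical, and it assumes the field names and string-typed epoch shown in the samples on this page.

```python
import json

# Secret-bearing keys per token type, taken from the sample entries on this page.
# A custom 2F plugin type would have to be added here (assumption of this example).
REQUIRED = {
    "U2F": ("_userKey", "_keyHandle"),
    "TOTP": ("_secret",),
    "UBK": ("_yubikey",),
}

def validate_2f_devices(raw):
    """Parse a _2fDevices value and return (devices, errors)."""
    try:
        devices = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [], [f"not valid JSON: {exc.msg}"]
    if not isinstance(devices, list):
        return [], ["top-level value must be a JSON array"]
    errors = []
    for i, dev in enumerate(devices):
        if not isinstance(dev, dict):
            errors.append(f"entry {i}: not a JSON object")
            continue
        kind = dev.get("type")
        if kind not in REQUIRED:
            errors.append(f"entry {i}: unknown type {kind!r}")
            continue
        for key in ("name", "epoch") + REQUIRED[kind]:
            if not isinstance(dev.get(key), str) or not dev[key]:
                errors.append(f"entry {i} ({kind}): missing or empty {key!r}")
        if isinstance(dev.get("epoch"), str) and not dev["epoch"].isdigit():
            errors.append(f"entry {i} ({kind}): epoch is not a Unix timestamp")
    return devices, errors

def redact(devices):
    """Copy of the list with underscore-prefixed (secret) values masked, safe to log."""
    return [
        {k: ("########" if k.startswith("_") else v) for k, v in d.items()}
        for d in devices if isinstance(d, dict)
    ]

# Constructed sample: one well-formed TOTP entry, one U2F entry lacking _keyHandle.
SAMPLE = json.dumps([
    {"name": "MyTOTP", "type": "TOTP", "_secret": "CONSTRUCTEDSECRET", "epoch": "1523817955"},
    {"name": "MyU2FKey", "type": "U2F", "_userKey": "CONSTRUCTED", "epoch": "1524078936"},
])
```

Log only the output of `redact()`: the underscore-prefixed fields hold the token secrets and should not appear in provisioning logs.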

Developer corner

To develop a new 2FA plugin, read the Lemonldap::NG::Portal::Main::SecondFactor(3pm) manpage. Your 2F module must be a Perl class named Lemonldap::NG::Portal::2F::<custom_name>. To enable it, set the available2F key in your lemonldap-ng.ini file:

[portal]
available2F = U2F,TOTP,<custom_name>

To enable the Manager's Second Factor Administration Module, set the enabledModules key in your lemonldap-ng.ini file:

[portal]
enabledModules = conf, sessions, notifications, 2ndFA