Two-Factor Authentication (also known as 2FA) is a subset of multi-factor authentication. It is a method to confirm a user's claimed identity by using a combination of two different factors between:
Since 2.0, LLNG provides some second factor plugins that can be used to complete the authentication module with 2FA:
If you don't want to use the self-registration features for U2F, TOTP and so on, you can set tokens yourself (in your LDAP server, for example) and map them to the _2fDevices attribute. _2fDevices is a JSON array that contains token descriptions:
[ {"type" : "TOTP", "name" : "MyTOTP", …}, {<other_token>}, …]
{"name" : "MyU2FKey" , "type" : "U2F" , "_userKey" : "########" , "_keyHandle":"########" , "epoch":"1524078936"}
{"name" : "MyTOTP" , "type" : "TOTP" , "_secret" : "########" , "epoch" : "1523817955"}
{"name" : "MyYubikey" , "type" : "UBK" , "_yubikey" : "########" , "epoch" : "1523817715"}
To develop a new 2FA plugin, read the Lemonldap::NG::Portal::Main::SecondFactor(3pm) manpage. Your 2F module must be a Perl class named Lemonldap::NG::Portal::2F::<custom_name>. To enable it, set the available2F key in your lemonldap-ng.ini file:
[portal]
available2F = U2F,TOTP,<custom_name>
To enable the manager Second Factor Administration Module, set the enabledModules key in your lemonldap-ng.ini file:
[portal]
enabledModules = conf, sessions, notifications, 2ndFA