
Second Factors

Two-Factor Authentication (also known as 2FA) is a subset of multi-factor authentication: it confirms a user's claimed identity by combining two different factors taken from the following categories:

  1. something they know (login / password, …)
  2. something they have (U2F Key, smartphone, …)
  3. something they are (biometrics like fingerprints, ...)

Since 2.0, LLNG provides second factor plugins that can be combined with any authentication module to add 2FA :

If you want to force 2F registration on first login, you can use “Require 2FA”. You can also define a rule so that 2FA registration is forced only for some users.

Providing tokens from an external source

If you don't want to use the self-registration features for U2F, TOTP and so on, you can provision tokens yourself (in your LDAP server, for example) and map them to the _2fDevices attribute. _2fDevices is a JSON array containing one description per token :

[ {"type" : "TOTP", "name" : "MyTOTP", …}, {<other_token>}, …]

U2F Tokens

{"name" : "MyU2FKey" , "type" : "U2F" , "_userKey" : "########" , "_keyHandle":"########" , "epoch":"1524078936"}

TOTP Tokens

{"name" : "MyTOTP" , "type" : "TOTP" , "_secret" : "########" , "epoch" : "1523817955"}

Yubikey Tokens

{"name" : "MyYubikey" , "type" : "UBK" , "_yubikey" : "########" , "epoch" : "1523817715"}
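When tokens are provisioned from an external source, a malformed _2fDevices value silently breaks second-factor enrolment for that user, so it is worth checking the attribute before it is written to the directory. The following Python is an added example and is not part of LemonLDAP::NG; it only knows the three token shapes shown above (the required keys per type are taken from those examples, and the assumption that every entry carries a numeric "epoch" string is mine), and the sample values are constructed, not real secrets.

```python
import json

# Secret-bearing keys that each token type must carry, taken from the
# U2F, TOTP and Yubikey examples above. Other types are rejected because
# their layout is not documented here (assumption: this is the full set).
REQUIRED_KEYS = {
    "U2F": ("_userKey", "_keyHandle"),
    "TOTP": ("_secret",),
    "UBK": ("_yubikey",),
}


def validate_2f_devices(json_text):
    """Parse a _2fDevices attribute value and check every token entry.

    Returns a list of (name, type) tuples for the entries found.
    Raises ValueError naming the first offending entry otherwise.
    """
    try:
        devices = json.loads(json_text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"_2fDevices is not valid JSON: {exc}") from None
    if not isinstance(devices, list):
        raise ValueError("_2fDevices must be a JSON array")
    seen_names = set()
    result = []
    for index, entry in enumerate(devices):
        if not isinstance(entry, dict):
            raise ValueError(f"entry {index} is not a JSON object")
        name = entry.get("name")
        dev_type = entry.get("type")
        if not isinstance(name, str) or not name:
            raise ValueError(f"entry {index} has no usable name")
        if dev_type not in REQUIRED_KEYS:
            raise ValueError(f"entry {index} ({name!r}) has unknown type {dev_type!r}")
        for key in REQUIRED_KEYS[dev_type]:
            value = entry.get(key)
            if not isinstance(value, str) or not value:
                raise ValueError(f"entry {index} ({name!r}) is missing {key}")
        # The examples store epoch as a string of digits; enforce that shape.
        epoch = entry.get("epoch")
        if not (isinstance(epoch, str) and epoch.isdigit()):
            raise ValueError(f"entry {index} ({name!r}) has a non-numeric epoch")
        # Two tokens with the same name would be indistinguishable to the user.
        if name in seen_names:
            raise ValueError(f"entry {index} reuses the name {name!r}")
        seen_names.add(name)
        result.append((name, dev_type))
    return result


def rejection_reason(json_text):
    """Return the validation error message, or None if the value is accepted."""
    try:
        validate_2f_devices(json_text)
    except ValueError as exc:
        return str(exc)
    return None


def make_device(dev_type, name, epoch, **secrets):
    """Build one token description in the shape shown above.

    Keyword arguments supply the type-specific keys (e.g. _secret="...").
    """
    if dev_type not in REQUIRED_KEYS:
        raise ValueError(f"unknown token type {dev_type!r}")
    missing = [k for k in REQUIRED_KEYS[dev_type] if k not in secrets]
    if missing:
        raise ValueError(f"{dev_type} token needs {', '.join(missing)}")
    device = {"name": name, "type": dev_type, "epoch": str(epoch)}
    device.update(secrets)
    return device


def serialize_devices(devices):
    """Encode a list of token descriptions as a compact JSON array."""
    return json.dumps(devices, separators=(",", ":"))


# Constructed sample attribute value (placeholder secrets, not real ones).
SAMPLE_2F_DEVICES = serialize_devices([
    make_device("TOTP", "MyTOTP", 1523817955, _secret="CONSTRUCTED-TOTP-SECRET"),
    make_device("UBK", "MyYubikey", 1523817715, _yubikey="CONSTRUCTED-YUBIKEY-ID"),
])

if __name__ == "__main__":
    print(validate_2f_devices(SAMPLE_2F_DEVICES))
```

Run the validator over the attribute value right before the LDAP write (or over an export of existing values) and treat any ValueError as a provisioning failure rather than storing the entry.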

Developer corner

To develop a new 2FA plugin, read the Lemonldap::NG::Portal::Main::SecondFactor (3pm) manpage. Your 2F module must be a Perl class named Lemonldap::NG::Portal::2F::<custom_name>. To enable it, add it to the available2F key in your lemonldap-ng.ini file :

[portal]
available2F = U2F,TOTP,<custom_name>

To enable the Manager's Second Factor Administration module, set the enabledModules key in your lemonldap-ng.ini file :

[manager]
enabledModules = conf, sessions, notifications, 2ndFA