Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or NFC devices.
LLNG can offer users the option to register their keys. Once a user has registered a key, they cannot log in without it.
This feature uses Crypt::U2F::Server::Simple, which is currently available only via CPAN. Before compiling it, you must install Yubico's C library headers (the libu2f-server-dev package on Debian).
In the manager (second factors), you just have to enable it. The activation rule must be:
$_2fDevices =~ /"type":\s*"U2F"/s
otherwise U2F will be required even for users who have not registered a key. This rule is applied automatically when "activation" is set to "on".
If you have enabled self registration, users can register their U2F keys at https://portal/2fregisters
If a user has lost their key, you can delete the 2F device from the manager's Second Factor module:
* To enable the manager Second Factor Administration module, set the enabledModules key in your lemonldap-ng.ini file:
[portal]
enabledModules = conf, sessions, notifications, 2ndFA
If you have another U2F registration interface, you have to set these keys in the Second Factor Devices array (JSON) in your user database, then map it to the _2fDevices attribute (see exported variables):
$_2fDevices = [{"name": "MyU2FKey", "type": "U2F", "_userKey": "########", "_keyHandle": "########", "epoch": "1524078936"}, ...]
_userKey must be base64 encoded.
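The following added example (not LLNG's own code) re-implements the manager's Perl activation rule in Python and checks a hand-written _2fDevices value before it is mapped into the user database; the device values are constructed placeholders, not real keys.

```python
import base64
import binascii
import json
import re

# Python equivalent of the manager's Perl activation rule
#   $_2fDevices =~ /"type":\s*"U2F"/s
# evaluated against the serialized _2fDevices attribute.
U2F_ACTIVATION_RULE = re.compile(r'"type":\s*"U2F"', re.S)

# Keys every entry of the Second Factor Devices array must carry.
REQUIRED_KEYS = {"name", "type", "_userKey", "_keyHandle", "epoch"}


def u2f_required(devices_json: str) -> bool:
    """True when the rule matches, i.e. the user has a registered U2F device."""
    return U2F_ACTIVATION_RULE.search(devices_json) is not None


def validate_devices(devices_json: str) -> list:
    """Return the problems found in a hand-written _2fDevices value."""
    problems = []
    try:
        devices = json.loads(devices_json)
    except json.JSONDecodeError as exc:
        return ["invalid JSON: %s" % exc]
    if not isinstance(devices, list):
        return ["_2fDevices must be a JSON array"]
    for i, dev in enumerate(devices):
        missing = REQUIRED_KEYS - set(dev) if isinstance(dev, dict) else REQUIRED_KEYS
        if missing:
            problems.append("device %d: missing %s" % (i, sorted(missing)))
            continue
        if dev["type"] != "U2F":
            continue  # other 2F types are not covered by this check
        try:
            base64.b64decode(dev["_userKey"], validate=True)
        except (binascii.Error, ValueError):
            problems.append("device %d: _userKey is not base64" % i)
        if not str(dev["epoch"]).isdigit():
            problems.append("device %d: epoch must be a Unix timestamp" % i)
    return problems


# Constructed sample values (not real keys): one registered user, one not.
REGISTERED = json.dumps([{
    "name": "MyU2FKey", "type": "U2F",
    "_userKey": base64.b64encode(b"\x04" + b"\x11" * 64).decode(),
    "_keyHandle": base64.b64encode(b"\x22" * 32).decode(),
    "epoch": "1524078936"}])
UNREGISTERED = "[]"
```

With the rule in place, u2f_required(UNREGISTERED) is False, so a user without a key is not locked out; with activation simply forced to true, that same user would be required to present a key they never registered.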
Note that both "origin" and "appId" are fixed to the portal URL.