![]() ![]()
Many administrators will be migrating from a proprietary OTP solution to the FreeIPA integrated OTP support. RED HAT IDM ONEWAYSYNC PASSWORDThe general process for this is that the user must enter his or her password and two token codes in a row. This should be possible on both the UI, via a helpful link on the login page, and the CLI, without having to log in via Kerberos. This should be possible regardless of what type of token it is and whether or not the user has the ability to modify the token. If a token goes out of sync, the user should be able to re-synchronize it. Programming of hardware tokens will be CLI-only due to browser limitations. RED HAT IDM ONEWAYSYNC SOFTWAREThese devices are exactly like the programmable hardware tokens specified in the previous use case and all the above criteria apply except that they must be created and managed by the user like software tokens. One alternative to this scenario is the use of BYOD programmable hardware tokens. Attempts to delete or deactivate the last active token should fail (active means not disabled and within the specified validity time window). Users should be able to create, edit or delete any of these tokens so long as at least one active token remains. ![]() RED HAT IDM ONEWAYSYNC FULLThe user should retain full control of the token details, including most metadata fields. After the first token is created, subsequent logins require both password and a token code. Upon login, the user is able to create software tokens in either the UI or CLI and provision them on a smartphone or tablet using a QR code. The user is able to log in with just the standard pre-defined password. This may or may not require per-user assignment after the import is complete.Īn administrator enables token support for a user (or globally) but does not create any software tokens. The administrator should be able to execute a server-side command (CLI-only not generally available to regular users) to import all of these tokens in a single pass. ![]() The non-programmable token vendor will provide a digital record of the tokens' secrets and metadata (usually in an RFC 6030 XML file). Hence, no modifications should be permitted. While the user can view this token, he or she does not manage it. RED HAT IDM ONEWAYSYNC CODESo on the first login, both password and a token code are required. These hardware tokens work right away - no user configuration is required. An administrator enables token support for a user (or globally) and adds hardware token(s) to the user's account. Both types are often purchased by an administrator in bulk and then assigned to a user. Two types of hardware tokens exist: programmable and non-programmable. ![]() This provides a path for gradual migration.Īll tokens used with FreeIPA native OTP support must implement either HOTP (counter-based RFC 4226) or TOTP (time-based RFC 6238). Since nearly every proprietary technology supports the RADIUS authentication protocol, we provide a way to proxy OTP requests to their proprietary RADIUS servers. One unique challenge of this project is to provide a mechanism to permit gradual migrations from proprietary technologies to their related open standards. This project adds support for these standard OTP mechanisms to FreeIPA. This technique began in the proprietary space, but over time some open standards emerged (HOTP: RFC 4226, TOTP: RFC 6238). One of the more popular options is to use one-time passwords (OTP). One of the best ways to increase authentication security is to require two factor authentication (2FA).
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |