Posted to users@cloudstack.apache.org by Rohit Yadav <ro...@shapeblue.com> on 2021/12/02 10:00:36 UTC

Re: [DISCUSS] 2FA framework and plugins for CloudStack

Great, thanks for the feedback, Chris. I think in the first iteration the default plugin that will be shipped will be TOTP (time-based OTP) based, such as what a lot of people use with Google Authenticator, Authy etc. Instead of a "static pin" plugin, maybe we can also do a dynamic email-based OTP 2FA plugin too.


Regards.

________________________________
From: Vash_X@gmx.de <Va...@gmx.de>
Sent: Monday, November 29, 2021 17:14
To: users@cloudstack.apache.org <us...@cloudstack.apache.org>
Subject: Re: [DISCUSS] 2FA framework and plugins for CloudStack

Hi Rohit,

this sounds awesome and for me it is an absolute +1, as in my organization
this is a major concern with CloudStack atm.

Regarding the proposed "general-purpose 2FA plugins":
I would suggest exchanging the PIN option for another type of
factor, as, as far as I am aware, a user-generated PIN would also "count" as a
"knowledge" factor.
Maybe one could use the already implemented functions for generating
ssh-keypairs to create a kind of "token" which a user needs to present on
login (simply put: generate a dedicated key-pair for login purposes to
the web-ui / cmk).
The admins could then choose how to provide the token to the users or
where to store them.
Instead of using "ssh-keys", maybe a certificate / PKI approach would also
be useful, as many of the using organizations already have some kind of PKI
environment running. So admins could deploy a root-cert for the domain and
provide user-certs for authentication / validation.

Looking forward to this exciting feature!
Regards,

Chris

On Mon, 29 Nov 2021 at 11:49, Rohit Yadav <
rohit.yadav@shapeblue.com> wrote:

> All,
>
> During the CCC21 hackathon, I explored the feasibility of a 2FA framework and
> a TOTP (time-based OTP) plugin that can be used with Google Authenticator,
> MS Authenticator, Authy etc.
>
> I've used ideas from the TOTP-based 2FA PoC to put together a design doc for
> discussion:
>
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/2FA+Framework+and+Plugins
>
> Kindly review and share your feedback. Thanks.
>
>
> Regards.
>
>
>
>