Hi Steve

Yes, I did configure the factor as secondary (-2), but the problem was that
I didn't know how to enable factors only for specific users instead of
services. In our environment the user should be able to decide whether he
wants to use Google Authenticator or not.

But in the meantime I solved it by enabling the factor in all services and
querying a database inside the factor which determines whether the user
enabled the second factor, returning OK when he didn't. This is not the best
solution; that would be some script which decides which factors are
required for the user. This script would sit between Kerberos auth and the
other factors.

Florian

On 10 January 2013 16:49, Bennett, Steve <s.benn...@lancaster.ac.uk> wrote:

> Hi Florian,
>
> We’re in the process of trialling two-factor authentication for some of
> our services – we’re mostly using hardware tokens but we also support
> software tokens like Google Authenticator – it’s all relatively
> straightforward.
>
> We have multiple routes for validating a one time password, including
> using CoSign to allow a webapp to request OTP as an additional factor, as
> you describe (i.e. something like “CosignRequireFactor OTP” on the webapp
> side).
>
> The drawback you describe doesn’t occur if you configure the OTP factor as
> secondary (option ‘-2’ in cosign.conf):
>
> *  If the user is authenticating to a non-OTP service they’ll not be
> required to submit an OTP.
>
> *  If the user later visits a service that does require OTP, the user will
> be shown the login page with the OTP field visible, and will only be
> required to satisfy *that* factor (since the primary factor is already
> provided).
>
> *  If the user hasn’t already authenticated for their primary factor (or
> if the webapp has requested re-authentication) the user is prompted for
> both password and OTP in one go, and the OTP validation will only be
> attempted if the password validation succeeds.
>
> *  The JavaScript on the default template hides and shows the fields as
> they are required to prevent user confusion.
>
> One point that took us a few months to realise (and nearly cost us a lot
> of money) is that many hardware tokens use the same algorithm as Google
> Authenticator (i.e. HOTP/TOTP), so you may be able to buy the tokens
> off-the-shelf and use the reference code on googlecode, rather than pay a
> supplier lots of money for a proprietary library that does little more than
> the algorithm described in RFC 4226.
>
> --
> Steve Bennett, Lancaster University
>
>
> From: Florian Mueller [mailto:flo2muel...@gmail.com]
> Sent: 08 January 2013 12:03
> To: cosign-discuss@lists.sourceforge.net
> Subject: [Cosign-discuss] Conditional Factors
>
> Hi all,
>
> I have set up Kerberos and cosign to work correctly with username and
> password. Now I'd like to set up two-factor authentication using Google
> Authenticator.
>
> The setup should be like this:
>
> 1) User is presented a login page with just username & password on it
> 2) User enters correct credentials
> 2.1) An additional factor gets called which determines the required
> two-factor method for the user via LDAP or similar (database).
> 3) User is presented a login page with just the form field for the auth token.
> 4) User enters the correct token and is authenticated.
>
> Is it possible to achieve this? ATM I only see the possibility to enable
> the two-factor auth based on CosignRequireFactor, and the user has to post
> all data (user, password, token) inside one request, which is not handy
> when authentication methods may differ between users.
>
> Is there any way I can get something like this to work, or is cosign the
> wrong tool for such a setup?
>
> Regards,
> Florian
>
>
> _______________________________________________
> Cosign-discuss mailing list
> Cosign-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/cosign-discuss
>
>
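Added example (not from this thread and not cosign's own code): a conditional OTP factor program of the kind Florian describes, with the HOTP/TOTP check Steve refers to implemented directly from RFC 4226 / RFC 6238 using only the Python standard library. Everything below is an assumption to be checked against your cosign version: the enrolment table is constructed inline in place of the LDAP/SQL lookup, the factor name "otp" is a placeholder for whatever the webapp names in CosignRequireFactor, and the factor-program contract (login and submitted OTP arriving as separate lines on stdin, exit status 0 with the factor name on stdout meaning "satisfied") is how I read the cosign.conf factor mechanism, not something the thread confirms. The secret used for the sample user is the RFC test key "12345678901234567890", so the codes can be checked against the RFC 4226 and RFC 6238 test vectors.

```python
#!/usr/bin/env python3
"""Conditional OTP factor for cosign (illustrative, not cosign's own code).

Assumed factor-program contract (verify against your cosign version): the
login and the submitted OTP arrive as separate lines on stdin; exit status 0
with the satisfied factor name on stdout means success, anything else fails.
"""
import base64
import hashlib
import hmac
import struct
import sys
import time

FACTOR_NAME = "otp"  # assumption: the name the webapp uses in CosignRequireFactor

# RFC 4226 / RFC 6238 test secret "12345678901234567890", base32-encoded.
RFC_TEST_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

# Constructed stand-in for the enrolment database; a real factor would query
# LDAP/SQL here. None means "this user has not enrolled a token".
ENROLMENT = {
    "alice": RFC_TEST_SECRET_B32,
    "bob": None,
}


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then the dynamic truncation from section 5.3."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % (10 ** digits))


def totp(secret_b32, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, int(now // step), digits)


def verify_totp(secret_b32, candidate, now, step=30, window=1, digits=6):
    """Accept the code for the current step or +/- `window` steps of clock
    drift. The comparison is constant-time and every candidate is checked,
    so timing does not reveal which step (if any) matched."""
    counter = int(now // step)
    ok = False
    for c in range(counter - window, counter + window + 1):
        expected = hotp(secret_b32, c, digits).encode()
        if hmac.compare_digest(expected, candidate.encode()):
            ok = True
    return ok


def check_factor(login, otp, now=None, enrolment=ENROLMENT):
    """Return (exit_status, stdout_text) for cosign.

    Enrolled users must present a valid TOTP. Un-enrolled users are reported
    as satisfied, which is the behaviour Florian describes. Caveat: that turns
    the enrolment record into a security control, since anyone who can blank a
    user's secret downgrades that user to password-only. Unknown logins fail
    closed rather than open.
    """
    now = time.time() if now is None else now
    if login not in enrolment:
        return 1, "unknown user"
    secret = enrolment[login]
    if secret is None:
        return 0, FACTOR_NAME
    if otp and verify_totp(secret, otp.strip(), now):
        return 0, FACTOR_NAME
    return 1, "invalid one-time password"


if __name__ == "__main__":
    fields = sys.stdin.read().splitlines()
    user = fields[0].strip() if fields else ""
    code = fields[1] if len(fields) > 1 else ""
    status, out = check_factor(user, code)
    print(out)
    sys.exit(status)
```

Two things this deliberately leaves out that a production factor needs: the accepted counter should be recorded per user so a code cannot be replayed within the drift window, and the "not enrolled means satisfied" branch is exactly the weak point Florian flags in his reply; the cleaner design he mentions, where a script decides which factors a user must satisfy, keeps that decision out of the factor that validates the code.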