+1 for enforcing OTP in the web UI. When the user logs in for the first time he should be taken to a page to create an OTP token. Users should be able to log in only using passwd+OTP.

Are there any ideas for ensuring that all users are using OTP tokens?

On 4 May 2016 at 05:12, Peter Bisroev <pe...@int19h.net> wrote:
> Dear Developers,
>
> Firstly, thank you for a fantastic product. I have a few questions
> relating to OTP that I could not find the answers to in the Red Hat IdM
> manual, http://www.freeipa.org/page/V4/OTP document, and on both user and
> devel mailing lists. Hopefully I have not missed anything obvious :)
>
> With FreeIPA version 4.2, is it possible to enforce policies on what
> administrators and/or users can do with OTP tokens? For example:
>
> 1) Is there a way to enforce how many tokens can be active for a user at
> the same time?
>
> 2) Is it possible to force the number of digits to be eight and a specific
> algorithm to be used?
>
> 3) Is it possible to force the user to create a new OTP token after the
> first password change?
>
> If there is such support, it can be used to overcome the soft OTP token
> enrollment bootstrap issue. For example, currently, if the administrator
> creates a new user and enables "Two factor authentication (password + OTP)"
> but does not assign an OTP token, the user is able to log in, change the
> password and continue using the new password without enabling 2FA
> indefinitely.
>
> However, once the OTP token is created, either by the administrator or the
> user, the system forces the token's use from this point on. Maybe in the
> future, FreeIPA can force the user to enable OTP at first login into the
> FreeIPA console? But I guess then, the system must somehow stop the users
> from logging in to any other service besides the FreeIPA web console, until the
> OTP token is generated.
>
> A few more questions:
>
> Would it be possible to describe a use case when having multiple OTP
> tokens enabled at the same time is a requirement?
>
> How does TOTP token synchronization work? Can it be disabled?
>
> Thank you for your time and help!
>
> Regards,
> --peter
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
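A defender's check for the enrollment bootstrap gap described in the thread (users whose auth type requires OTP but who own no enabled token), added here as an example that is not from the thread or from FreeIPA's own code; it assumes the `attr: value` layout of `ipa user-find --user-auth-type=otp --raw` and `ipa otptoken-find --raw` output, and the sample output embedded below is constructed.

```python
"""Audit: FreeIPA users whose auth type is OTP but who own no enabled token.
Added example (not from the thread or FreeIPA); parses the 'attr: value'
listings of `ipa user-find --user-auth-type=otp --raw` and
`ipa otptoken-find --raw` (layout assumed); sample output is constructed."""
import re

def parse_entries(text):
    """One dict per blank-line-separated entry; multi-valued attrs kept as lists."""
    entries, current = [], {}
    for line in (l.strip() for l in text.splitlines()):
        if not line:                     # blank line closes an entry
            if current:
                entries.append(current)
                current = {}
        elif ":" in line:                # skips "3 users matched" summary lines
            key, _, value = line.partition(":")
            current.setdefault(key.lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def owner_uid(value):
    """Raw output shows the owner as a DN (uid=alice,cn=users,...); keep the uid."""
    m = re.match(r"uid=([^,]+)", value, re.IGNORECASE)
    return m.group(1) if m else value

def users_missing_tokens(users_out, tokens_out):
    """Users required to use OTP minus owners of at least one enabled token."""
    required = {e["uid"][0] for e in parse_entries(users_out) if "uid" in e}
    enrolled = set()
    for tok in parse_entries(tokens_out):
        if tok.get("ipatokendisabled", ["FALSE"])[0].upper() == "TRUE":
            continue                     # a disabled token does not satisfy 2FA
        enrolled.update(owner_uid(v) for v in tok.get("ipatokenowner", []))
    return required - enrolled

# Constructed sample output: alice has a live token, bob only a disabled one,
# carol (2FA required, no token) is exactly the bootstrap gap from the thread.
SAMPLE_USERS = "uid: alice\nipauserauthtype: otp\n\nuid: bob\nipauserauthtype: otp\n\nuid: carol\nipauserauthtype: otp\n"
SAMPLE_TOKENS = (
    "ipatokenuniqueid: TOKEN-ID-PLACEHOLDER-1\n"
    "ipatokenowner: uid=alice,cn=users,cn=accounts,dc=example,dc=com\n\n"
    "ipatokenuniqueid: TOKEN-ID-PLACEHOLDER-2\n"
    "ipatokenowner: uid=bob,cn=users,cn=accounts,dc=example,dc=com\n"
    "ipatokendisabled: TRUE\n"
)

if __name__ == "__main__":
    # Live use: replace the samples with the stdout of the two ipa commands named above.
    print(sorted(users_missing_tokens(SAMPLE_USERS, SAMPLE_TOKENS)))  # ['bob', 'carol']
```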