[Freeipa-users] OTP token policies.

[Peter Bisroev]

Dear Developers,

Firstly, thank you for a fantastic product. I have a few questions relating
to OTP that I could not find the answers to in the Red Hat IdM manual,
http://www.freeipa.org/page/V4/OTP document, and on both user and devel
mailing lists. Hopefully I have not missed anything obvious :)

With FreeIPA version 4.2, is it possible to enforce policies on what
administrators and/or users can do with OTP tokens? For example:

1) Is there a way to enforce how many tokens can be active for a user at
the same time?

2) Is it possible to force the number of digits to be eight and a specific
algorithm to be used?

3) Is it possible to force the user to create a new OTP token after the
first password change?

If there is such support, it can be used to overcome the soft OTP token
enrollment bootstrap issue. For example, currently, if the administrator
creates a new user and enables "Two factor authentication (password + OTP)"
but does not assign an OTP token, the user is able to login, change the
password and continue using the new password without enabling 2FA
indefinitely.

However, once the OTP token is created, either by administrator or the
user, the systems forces the token's use from this point on. Maybe in the
future, FreeIPA can force the user to enable OTP at first login into the
FreeIPA console? But I guess then, the system must somehow stop the users
from login in into any other service besides FreeIPA web console, until the
OTP token is generated.

A few more questions:

Would it be possible to describe a use case when having multiple OTP tokens
enabled at the same time is a requirement?

How does TOTP token synchronization work? Can it be disabled?

Thank you for your time and help!

Regards,
--peter
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160503/9611fca4/attachment.htm>