[Freeipa-users] OTP token policies.

Prashant Bapat prashant at apigee.com
Thu May 5 10:28:51 UTC 2016


+1 For enforcing OTP in web UI.

When the user logs in for the first time he should be taken to a page to
create an OTP token. Users should be able to log in only using passwd+OTP.

Are there any ideas for ensuring that all users are using OTP tokens?

On 4 May 2016 at 05:12, Peter Bisroev <peter at int19h.net> wrote:

> Dear Developers,
>
> Firstly, thank you for a fantastic product. I have a few questions
> relating to OTP that I could not find the answers to in the Red Hat IdM
> manual, http://www.freeipa.org/page/V4/OTP document, and on both user and
> devel mailing lists. Hopefully I have not missed anything obvious :)
>
> With FreeIPA version 4.2, is it possible to enforce policies on what
> administrators and/or users can do with OTP tokens? For example:
>
> 1) Is there a way to enforce how many tokens can be active for a user at
> the same time?
>
> 2) Is it possible to force the number of digits to be eight and a specific
> algorithm to be used?
>
> 3) Is it possible to force the user to create a new OTP token after the
> first password change?
>
> If there is such support, it can be used to overcome the soft OTP token
> enrollment bootstrap issue. For example, currently, if the administrator
> creates a new user and enables "Two factor authentication (password + OTP)"
> but does not assign an OTP token, the user is able to login, change the
> password and continue using the new password without enabling 2FA
> indefinitely.
>
> However, once the OTP token is created, either by the administrator or the
> user, the system forces the token's use from this point on. Maybe in the
> future, FreeIPA can force the user to enable OTP at first login into the
> FreeIPA console? But I guess then, the system must somehow stop the users
> from logging in to any other service besides the FreeIPA web console, until the
> OTP token is generated.
>
> A few more questions:
>
> Would it be possible to describe a use case when having multiple OTP
> tokens enabled at the same time is a requirement?
>
> How does TOTP token synchronization work? Can it be disabled?
>
> Thank you for your time and help!
>
> Regards,
> --peter
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
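One way to find the enrollment gap Peter describes (users whose authentication type is set to "otp" but who have no usable token, so they can keep logging in with a password alone) is to cross-check the output of `ipa user-find` against `ipa otptoken-find`. The script below is an added example written for this thread; it is not code from the thread or from FreeIPA. It assumes the indented `attribute: value` layout of `ipa user-find --all --raw` and `ipa otptoken-find --all --raw`, the standard attribute names `ipauserauthtype`, `ipatokenowner` and `ipatokendisabled`, and that a user without a per-user auth type inherits the server default shown by `ipa config-show`. The embedded sample output is constructed, not captured from a real server.

```python
import re
import subprocess
from collections import defaultdict

# Indented "attribute: value" lines as printed by the ipa CLI with --raw.
ATTR_LINE = re.compile(r"^\s+([\w;.-]+):\s*(.*)$")
# Extract the uid from an owner DN such as uid=alice,cn=users,cn=accounts,...
DN_UID = re.compile(r"^uid=([^,]+),", re.IGNORECASE)


def parse_ipa_raw(text):
    """Parse multi-entry `ipa ... --all --raw` output into a list of
    {attribute: [values]} dicts. Entries are separated by blank lines; the
    unindented dashed banners and count lines are ignored."""
    entries, current = [], defaultdict(list)
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            current[m.group(1).lower()].append(m.group(2))
        elif not line.strip() and current:
            entries.append(dict(current))
            current = defaultdict(list)
    if current:
        entries.append(dict(current))
    return entries


def otp_required_users(user_entries, global_auth_types=()):
    """uids whose effective auth type includes 'otp'. A user with no
    ipauserauthtype falls back to the server-wide default (assumption:
    pass the 'Default user authentication types' from `ipa config-show`)."""
    required = set()
    for e in user_entries:
        types = e.get("ipauserauthtype") or list(global_auth_types)
        if any(t.lower() == "otp" for t in types):
            required.add(e["uid"][0])
    return required


def users_with_active_token(token_entries):
    """uids that own at least one token not marked ipatokendisabled: TRUE."""
    owners = set()
    for e in token_entries:
        if e.get("ipatokendisabled", ["FALSE"])[0].upper() == "TRUE":
            continue
        for owner in e.get("ipatokenowner", []):
            m = DN_UID.match(owner)
            if m:
                owners.add(m.group(1))
    return owners


def find_bootstrap_gap(user_text, token_text, global_auth_types=()):
    """Users required to use OTP that have no active token: these accounts
    can still authenticate with a password alone."""
    required = otp_required_users(parse_ipa_raw(user_text), global_auth_types)
    covered = users_with_active_token(parse_ipa_raw(token_text))
    return sorted(required - covered)


def run_ipa(*args):
    """Live mode (needs a valid Kerberos ticket): run the ipa CLI."""
    cmd = ["ipa", *args, "--all", "--raw"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample output, laid out like `ipa user-find --all --raw`.
SAMPLE_USERS = """\
--------------
4 users matched
--------------
  dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
  uid: alice
  ipauserauthtype: otp

  dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
  uid: bob
  ipauserauthtype: otp

  dn: uid=carol,cn=users,cn=accounts,dc=example,dc=test
  uid: carol
  ipauserauthtype: otp

  dn: uid=dave,cn=users,cn=accounts,dc=example,dc=test
  uid: dave
  ipauserauthtype: password
----------------------------
Number of entries returned 4
----------------------------
"""

# Constructed sample output, laid out like `ipa otptoken-find --all --raw`.
SAMPLE_TOKENS = """\
----------------
2 tokens matched
----------------
  dn: ipatokenuniqueid=constructed-0001,cn=otp,dc=example,dc=test
  ipatokenuniqueid: constructed-0001
  ipatokenowner: uid=alice,cn=users,cn=accounts,dc=example,dc=test
  ipatokendisabled: FALSE

  dn: ipatokenuniqueid=constructed-0002,cn=otp,dc=example,dc=test
  ipatokenuniqueid: constructed-0002
  ipatokenowner: uid=carol,cn=users,cn=accounts,dc=example,dc=test
  ipatokendisabled: TRUE
----------------------------
Number of entries returned 2
----------------------------
"""

if __name__ == "__main__":
    # Offline run on the constructed sample; for a live check use
    # find_bootstrap_gap(run_ipa("user-find"), run_ipa("otptoken-find")).
    for uid in find_bootstrap_gap(SAMPLE_USERS, SAMPLE_TOKENS):
        print(f"{uid}: OTP required but no active token enrolled")
```

On the sample, alice is covered, dave is not required to use OTP, and bob (no token) and carol (only a disabled token) are reported. Running this periodically, or after each user-add, gives the audit that the thread is asking for until the server itself can enforce enrollment.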