Support Time-Based One-Time Password (TOTP) Authentication as a distinct authentication mechanism. From Wikipedia:
Time-based One-time Password Algorithm (TOTP) is an algorithm that computes a one-time password from a shared secret key and the current time. It has been adopted as Internet Engineering Task Force standard RFC 6238, is the cornerstone of Initiative For Open Authentication (OATH), and is used in a number of two-factor authentication systems.
The algorithm proposed is used by Google to provide a “possession factor” as part of their approach to multi-factor authentication (Gmail, Google Authenticator). The same would apply to Keystone.
Keystone does not have formal support for multi-factor authentication, nor do we formally support additional authentication factors beyond “knowledge factors” (something you know, such as a password). In order to provide stronger authentication, we must first support a second factor, such as a “possession factor” (something you have, such as a one-time password generating device) or an “inherence factor” (something associated with the user, such as a fingerprint). This spec proposes to provide a “possession factor” as a prerequisite to true multi-factor authentication.
In order to support multiple factors, a deployer will need to continue to support both the existing password mechanism (for example) in addition to the TOTP mechanism. In order to be able to distinguish which to use in a given authentication request, TOTP needs to be a distinct authentication plugin.
Add a totp` auth method.
Example request that uses only the totp authentication plugin (this is not particularly useful by itself in the real world, but illustrates that the totp plugin is not treated any differently when compared to existing plugins):
{
"auth": {
"identity": {
"methods": [
"totp"
],
"totp": {
"user": {
"id": "b95b78b67fa045b38104c12fb2729cd0",
"passcode": "012345"
}
}
},
"scope": {
"project": {
"id": "9c1c4b2657a04f7fbd46237835a43f59"
}
}
}
}
Example request that uses both totp and the existing password plugin:
{
"auth": {
"identity": {
"methods": [
"password", "totp"
],
"password": {
"user": {
"id": "b95b78b67fa045b38104c12fb2729cd0",
"password": "password"
}
},
"totp": {
"user": {
"id": "b95b78b67fa045b38104c12fb2729cd0",
"passcode": "012345"
}
}
},
"scope": {
"project": {
"id": "9c1c4b2657a04f7fbd46237835a43f59"
}
}
}
}
Example request that uses both the token and the totp authentication method:
{
"auth": {
"identity": {
"methods": [
"token", "totp"
],
"token": {
"id": "'$OS_TOKEN'",
},
"totp": {
"user": {
"id": "b95b78b67fa045b38104c12fb2729cd0",
"passcode": "012345"
}
}
},
"scope": {
"project": {
"id": "9c1c4b2657a04f7fbd46237835a43f59"
}
}
}
}
The totp plugin can be swapped in by updating Keystone configuration. There will be multiple implementations of the TOTP plugin based on the backend used to validate.
The auth plugin will require a user to identify themselves and provide a client-generated one time password. The plugin will then verify that the one time password is valid for the user.
None
Describe any potential security impact on the system. Some of the items to consider include:
None
None
None
The OTP driver should be specified in the Keystone configuration file.
This change would add a new, optional authentication plugin for TOTP that is not enabled by default.
Example pseudo-configuration in keystone.conf:
[auth]
methods = password, totp
totp = pkg.path.mfa.Totp
None
None
None