#3289 [RFE] Support U2F authentication workflow

Created 6 months ago by mkosek
Modified 5 months ago

Background

Many vendors, including Microsoft and Google, support U2F-based two-factor authentication. The core idea of the approach is: have one device that can be used in multiple different environments. By binding a device to an environment, a derived key is created that is associated with this specific environment. Thus one device owned by a user can be used across multiple completely unrelated identity services.

Resources

  • U2F: https://en.wikipedia.org/wiki/Universal_2nd_Factor
  • FIDO: https://fidoalliance.org/
  • Interesting security-related discussion: http://security.stackexchange.com/questions/71316/how-secure-are-the-fido-u2f-tokens

Proposed user stories

  • As a consumer of the Azure and Azure Active Directory (AAD) services where my accounts are stored, I can log in to a Windows 10 system running in Azure using a U2F-enabled device. I want to be able to log in to a Linux (Fedora, RHEL, CentOS) system running in the Azure cloud using the same device and utilizing my accounts in AAD.
  • As a small startup, I want to use IdM for management of my Linux systems and resources. For security purposes I prefer to use 2FA authentication into my Linux systems. I already have a U2F token that I use for personal use, and I want to reuse it with my account in IdM.
  • As an owner of a modern Windows client system (v10+) that is joined to Azure AD, I want to be able to use my U2F device that is bound to an account in IdM that is in a trusted domain with AAD.

Ticket information

This ticket is about the SSSD/client part of the story. FreeIPA ticket is https://fedorahosted.org/freeipa/ticket/6632.

Fields changed

description: "This ticket is about the SSSD part of the story. FreeIPA ticket is TODO." => "This ticket is about the SSSD/client part of the story. FreeIPA ticket is https://fedorahosted.org/freeipa/ticket/6632." (rest of the description unchanged)
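The derived-key-per-environment workflow the description refers to, modelled end to end as an added example. This is not SSSD or FreeIPA code and not from the ticket author; it uses only the Python standard library. One simplification, labelled in the code: the per-origin ECDSA signature of real U2F is replaced by an HMAC under the derived per-origin key, so the relying party here keeps that derived key where a real one would keep the token's public key. Everything else (app-ID hashing, key-handle derivation and its binding check, the signed message layout, counter enforcement) follows the shape of the U2F raw messages. App IDs, the master secret and the challenges are constructed values.

```python
"""Toy U2F token / relying-party model (added example, stdlib only).

SIMPLIFICATION: the "signature" is an HMAC under the derived per-origin
key, so RelyingParty stores that key instead of an ECDSA public key.
"""
import hashlib
import hmac
import os
import struct


def sha256(data):
    return hashlib.sha256(data).digest()


class U2FToken:
    """One physical device shared across unrelated services."""

    def __init__(self, master_secret=None):
        self._master = master_secret or os.urandom(32)  # only secret stored
        self._counter = 0  # device-wide signature counter

    def _origin_key(self, app_hash, nonce):
        # Per-environment key, derived on demand from master || app ID || nonce.
        return hmac.new(self._master, b"key" + app_hash + nonce, hashlib.sha256).digest()

    def _handle_tag(self, app_hash, nonce):
        # MAC binding the key handle to the app ID it was issued for.
        return hmac.new(self._master, b"handle" + app_hash + nonce, hashlib.sha256).digest()[:16]

    def register(self, app_hash):
        """Return (key_handle, origin_key); key handle = nonce || tag."""
        nonce = os.urandom(16)
        return nonce + self._handle_tag(app_hash, nonce), self._origin_key(app_hash, nonce)

    def authenticate(self, app_hash, client_data_hash, key_handle):
        """Return flags || counter || sig, or raise if handle is for another app ID."""
        nonce, tag = key_handle[:16], key_handle[16:]
        if not hmac.compare_digest(tag, self._handle_tag(app_hash, nonce)):
            raise ValueError("key handle not registered for this app ID")
        self._counter += 1
        flags = b"\x01"  # user presence confirmed (button press)
        counter = struct.pack(">I", self._counter)
        signed = app_hash + flags + counter + client_data_hash  # U2F signed layout
        sig = hmac.new(self._origin_key(app_hash, nonce), signed, hashlib.sha256).digest()
        return flags + counter + sig


class RelyingParty:
    """A service (IdM, AAD, ...) that registered the token under its own app ID."""

    def __init__(self, app_id):
        self.app_hash = sha256(app_id.encode())
        self._creds = {}  # key_handle -> [origin_key, last_counter]

    def register(self, token):
        key_handle, origin_key = token.register(self.app_hash)
        self._creds[key_handle] = [origin_key, 0]
        return key_handle

    def verify(self, key_handle, client_data_hash, response):
        cred = self._creds.get(key_handle)
        if cred is None:
            return False
        origin_key, last_counter = cred
        flags, counter_raw, sig = response[:1], response[1:5], response[5:]
        if (flags[0] & 1) == 0:  # user presence not asserted
            return False
        signed = self.app_hash + flags + counter_raw + client_data_hash
        if not hmac.compare_digest(sig, hmac.new(origin_key, signed, hashlib.sha256).digest()):
            return False
        counter = struct.unpack(">I", counter_raw)[0]
        if counter <= last_counter:  # replay, or a cloned token lagging behind
            return False
        cred[1] = counter
        return True


def demo():
    """Walk one token through two unrelated services; return check results."""
    secret = b"\x11" * 32  # constructed fixed device secret
    token = U2FToken(master_secret=secret)
    idm = RelyingParty("https://ipa.example.test")              # constructed app ID
    aad = RelyingParty("https://login.microsoftonline.example")  # constructed app ID
    h_idm, h_aad = idm.register(token), aad.register(token)
    out = {"distinct_handles": h_idm != h_aad}
    try:  # an IdM handle presented under AAD's app ID is refused by the token
        token.authenticate(aad.app_hash, sha256(b"x"), h_idm)
        out["handle_bound_to_origin"] = False
    except ValueError:
        out["handle_bound_to_origin"] = True
    cd1 = sha256(b"challenge-1")
    resp1 = token.authenticate(idm.app_hash, cd1, h_idm)  # counter 1
    out["idm_login"] = idm.verify(h_idm, cd1, resp1)
    out["replay_rejected"] = not idm.verify(h_idm, cd1, resp1)
    cd2 = sha256(b"challenge-2")
    out["aad_login"] = aad.verify(h_aad, cd2, token.authenticate(aad.app_hash, cd2, h_aad))
    cd3 = sha256(b"challenge-3")
    out["idm_login_again"] = idm.verify(h_idm, cd3, token.authenticate(idm.app_hash, cd3, h_idm))
    clone = U2FToken(master_secret=secret)  # same secret, counter restarted at 0
    cd4 = sha256(b"challenge-4")
    out["clone_detected"] = not idm.verify(h_idm, cd4, clone.authenticate(idm.app_hash, cd4, h_idm))
    return out


if __name__ == "__main__":
    print(demo())
```

The two properties the ticket relies on are visible here: registering the same token with IdM and AAD yields unrelated handles and keys, and a handle issued for one app ID is useless under another. The counter check is the caveat a deployment must keep, since a device that loses it cannot tell a clone from the original.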

Fields changed

milestone: NEEDS_TRIAGE => SSSD Future releases (no date set yet)

Fields changed

rhbz: => todo

5 months ago

Metadata Update from @mkosek:
- Issue set to the milestone: SSSD Future releases (no date set yet)

Type: enhancement. Project: SSSD. Version: 1.15.0. rhbz: todo.