#6632 [RFE] Support U2F authentication workflow
Opened 7 years ago by mkosek. Modified 4 years ago

Background

Many vendors, including Microsoft and Google, support U2F-based two-factor authentication. The core idea of the approach is: have one device that can be used in multiple different environments. By binding a device to an environment, a derived key is created that is associated with this specific environment. Thus one device owned by a user can be used across multiple completely unrelated identity services.

Resources

Proposed user stories

  • As a consumer of the Azure and Azure Active Directory (AAD) services where my accounts are stored, I can log into a Windows 10 system running in Azure using a U2F-enabled device. I want to be able to log into a Linux (Fedora, RHEL, CentOS) system running in the Azure cloud using the same device and utilizing my accounts in AAD.
  • As a small startup, I want to use IdM for management of my Linux systems and resources. For security purposes I prefer to use 2FA authentication into my Linux systems. I already have a U2F token that I use for personal use and I want to reuse it with my account in IdM.
  • As an owner of a modern Windows client system (v 10+) that is joined to Azure AD, I want to be able to use my U2F device that is bound to an account in IdM that is in a trusted domain with AAD.

Ticket information

This ticket is about the FreeIPA/server part of the story. SSSD ticket is https://fedorahosted.org/sssd/ticket/3289.
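The "one device, many environments" idea in the background section is easiest to see in code. The following is an added illustration, not FreeIPA, SSSD or krb5 code: a token holds a single master secret and derives a separate, scoped credential for each relying party (application ID), so a key handle minted for one service is refused at another, and a monotonic counter lets the server notice a cloned token. Real U2F authenticators sign with a per-app-ID ECDSA P-256 key; to stay dependency-free this model replaces the signature with an HMAC under the derived per-app-ID key, which the relying party stores in place of a public key. The application IDs, user name and the `U2fLikeToken`/`RelyingParty` classes are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed relying-party identifiers (stand-ins for an IdM realm and an unrelated service).
APP_A = "https://idm.example.test"
APP_B = "https://login.example.test"


class U2fLikeToken:
    """One device, one master secret, a freshly scoped key per relying party."""

    def __init__(self, master_secret=None):
        self.master = master_secret or secrets.token_bytes(32)  # never leaves the device
        self.counter = 0  # monotonic usage counter reported in every assertion

    def _scoped_key(self, app_id, nonce):
        # Per-(app_id, nonce) key: HMAC stands in for the ECDSA key real tokens derive.
        return hmac.new(self.master, b"key|" + app_id.encode() + b"|" + nonce, hashlib.sha256).digest()

    def _handle_mac(self, app_id, nonce):
        # Binds the key handle to the app_id it was registered for.
        return hmac.new(self.master, b"handle|" + app_id.encode() + b"|" + nonce, hashlib.sha256).digest()[:16]

    def register(self, app_id):
        """Return (key_handle, verifier). The verifier is what the relying party stores."""
        nonce = secrets.token_bytes(16)
        handle = nonce + self._handle_mac(app_id, nonce)
        return handle, self._scoped_key(app_id, nonce)

    def authenticate(self, app_id, handle, challenge):
        """Return (counter, assertion) or None when the handle does not belong to app_id."""
        nonce, mac = handle[:16], handle[16:]
        if not hmac.compare_digest(mac, self._handle_mac(app_id, nonce)):
            return None  # scope check: handle registered at another service
        self.counter += 1
        key = self._scoped_key(app_id, nonce)
        msg = app_id.encode() + challenge + self.counter.to_bytes(4, "big")
        return self.counter, hmac.new(key, msg, hashlib.sha256).digest()


class RelyingParty:
    """Server side: stores one credential per user, checks scope, assertion and counter."""

    def __init__(self, app_id):
        self.app_id = app_id
        self.creds = {}

    def enroll(self, user, token):
        handle, verifier = token.register(self.app_id)
        self.creds[user] = {"handle": handle, "key": verifier, "counter": 0}

    def login(self, user, token):
        cred = self.creds[user]
        challenge = secrets.token_bytes(32)
        resp = token.authenticate(self.app_id, cred["handle"], challenge)
        if resp is None:
            return False
        counter, assertion = resp
        expected = hmac.new(cred["key"], self.app_id.encode() + challenge + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        if not hmac.compare_digest(assertion, expected):
            return False
        if counter <= cred["counter"]:
            return False  # counter went backwards: replay or a cloned token
        cred["counter"] = counter
        return True


def demo():
    """Enroll one token at two unrelated services and exercise the checks."""
    token = U2fLikeToken()
    idm, other = RelyingParty(APP_A), RelyingParty(APP_B)
    idm.enroll("alice", token)
    other.enroll("alice", token)
    results = {
        "keys_differ": idm.creds["alice"]["key"] != other.creds["alice"]["key"],
        "idm_login": idm.login("alice", token),
        "other_login": other.login("alice", token),
        # Handle registered at APP_A presented to APP_B: the token refuses it.
        "cross_scope_accepted": token.authenticate(APP_B, idm.creds["alice"]["handle"], b"challenge") is not None,
    }
    # A clone with the same master secret but a stale counter is caught by the server.
    clone = U2fLikeToken(token.master)
    results["clone_detected"] = not idm.login("alice", clone)
    return results


if __name__ == "__main__":
    print(demo())
```

The scope check and the counter check are the two server-visible properties worth keeping in mind when mapping a token to a principal on the IPA side: the handle only ever works for the application ID it was registered under, and a counter that fails to advance is a signal worth logging rather than silently rejecting.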


Metadata Update from @mkosek:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago

Not yet.

We are still at a stage when work on https://tools.ietf.org/html/draft-ietf-kitten-krb-spake-preauth-06 needs to be completed first, then extended to cover 2FA variants, then have channel bindings work completed and U2F part plugged into all that.

After the basics are ready, we'll need to create a way to map U2F token details to a particular principal (user) on FreeIPA side and thus make it usable. It is a bit easier than the first part.

I might be completely wrong on this, though, @rharwood would have the definitive knowledge.

Metadata Update from @abbra:
- Issue close_status updated to: None

4 years ago

There are two cases to consider here - one where the user account is stored in IPA, and one where it's in a foreign-but-trusted realm. @abbra gave an outline of the first part (though I don't think channel bindings are needed), but I want to elaborate on the second case. This is a workflow that we're tentatively calling "step-up", but I really should find a better name for it (because making puns about it requires actually watching some of the Step Up movies...)

The idea is that a user would kinit as normal in the foreign realm, and then acquire a normal, cross-realm TGT in the IPA realm. From there, they run a command which prompts for additional 2FA information which is added to their TGT. (Technically, the cross-realm TGT is reissued with additional auth indicators for the 2FA types, but that's not important to the workflow.) For that to happen, the following things are missing:

  • I need to do some additional IETF work, though its approval isn't blocking; it's just being a good citizen of the ecosystem
  • FIDO/U2F as a second factor type needs to be implemented in krb5. This overlaps with the normal SPAKE 2FA workflow, and it's what I'm working on now (and wish I had more time...)
  • Support for this 2FA mech needs to be integrated into IPA. This will involve, among other things, exposing an auth indicator for it.
  • I need to implement the step-up service and integrate it into IPA.

So not coming tomorrow, sorry. But I'm working on it. Please say the word if that doesn't make sense :)

sounds good!

we need to re-jargonize here, though: U2F is now the bad and old, webauthn is the shiny and new.

It's unclear that webauthn is the actual protocol that will be spoken on the wire - it's very tied to a browser-centric workflow, which isn't what we're doing here. It uses FIDO2 under the hood anyway.

well, they're sometimes referred to as 'fido2 U2F' and 'fido2 webauthn', so I guess we could just say fido2 and be safe for sure :)

To be clear, WebAuthn would be the Ipsilon part (https://pagure.io/ipsilon/issue/315), while FIDO2 would be the FreeIPA part. :)
