#7412 ipa otptoken-del should verify that user has access to another token
Opened 2 years ago by cheimes. Modified 2 years ago

The issue is related to #7012. When 2FA is required, ipa otptoken-del doesn't let the user delete the last active OTP token. It's a fail-safe to prevent account lockout. OTP tokens are considered active when they are not disabled and are still valid (not before / not after). However, FreeIPA does not validate that a user still has access to an OTP.

Scenario

A user has two tokens. The token securid is a physical hardware token. The second token freeotp is stored in FreeOTP Android app on a smart phone. Both tokens are neither disabled nor expired and therefore considered active.

The user has lost his securid token somewhere during lunch break. Since it might be compromised, he uses an existing Kerberos TGT to delete the token: ipa otptoken-del securid. After all, he has a backup OTP on his mobile phone. FreeIPA lets him delete the token because freeotp exists.

At that point, neither the user nor FreeIPA is aware that the user has lost access to the freeotp token. Perhaps he deleted the app or migrated to a new phone. Since securid has been deleted and freeotp is no longer accessible, the user has locked himself out of FreeIPA.

Proposal

Before deleting an OTP, the user must prove that he is able to access any of the remaining OTP token generators. ipa otptoken-del should require a valid OTP value from another of the remaining, active OTP tokens. The cryptsetup luksKillSlot command behaves similarly.

It may be a good idea to have a --force option or something similar that allows a user to delete his last token anyway in case of a compromise.
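
The check proposed above, sketched as an added example that is not part of the ticket or FreeIPA's code: deletion is allowed only when the supplied code matches a TOTP value from another active token. The `Token` model, `may_delete`, the `window` drift tolerance and the secrets are hypothetical and constructed; TOTP follows RFC 6238 with HMAC-SHA1.

```python
import hashlib, hmac, struct
from dataclasses import dataclass

@dataclass
class Token:  # hypothetical model, not FreeIPA's LDAP schema
    name: str
    secret: bytes
    disabled: bool = False
    not_before: float = 0.0
    not_after: float = float("inf")

    def active(self, now):
        # "Active" as the ticket defines it: not disabled, inside the validity window.
        return not self.disabled and self.not_before <= now <= self.not_after

def totp(secret, now, step=30, digits=6):
    # RFC 6238 TOTP: HMAC-SHA1 over the time counter, RFC 4226 dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", int(now) // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def may_delete(tokens, target, otp, now, window=1):
    """Return (allowed, reason) for deleting `target` under the proposed rule."""
    if not any(t.name == target for t in tokens):
        return False, "no such token"
    # Codes from the token being deleted never count as proof.
    others = [t for t in tokens if t.name != target and t.active(now)]
    if not others:
        # Existing fail-safe: the last active token stays.
        return False, "no other active token remains"
    for t in others:
        for drift in range(-window, window + 1):  # tolerate +/- one time step
            expected = totp(t.secret, now + drift * 30)
            if hmac.compare_digest(expected.encode(), otp.encode()):
                return True, "proved possession of " + t.name
    return False, "OTP does not match any remaining active token"

def demo(now=1_000_000):
    # Constructed sample data mirroring the ticket's scenario.
    tokens = [Token("securid", b"constructed-secret-1"),
              Token("freeotp", b"constructed-secret-2")]
    lost_phone = may_delete(tokens, "securid", "", now)  # user cannot produce a code
    has_phone = may_delete(tokens, "securid", totp(tokens[1].secret, now), now)
    return lost_phone, has_phone

if __name__ == "__main__":
    print(demo())
```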


The issue with deleting the last otp token is the following:
when a user is configured for OTP only but does not have any OTP token, then he can authenticate with his password even though password auth mech is not selected.
So if we allow a "force delete" flag, the user will be able to end up without any OTP token and authenticate with password only, which may be less secure than what the admin requests (if he wants to enforce OTP for instance).

Metadata Update from @rcritten:
- Issue priority set to: normal
- Issue set to the milestone: FreeIPA 4.8

2 years ago
