Requested: Several customers
The idea behind this is an emergency situation.
For example: Company XYZ will be facing an audit, so they are establishing mandatory 2FA for all users.
They are allowing LDAP PW, U2F and Smartphone. Now one of their users travels to a different country with no office close to his location, but he forgets his YubiKey at home.
The idea now would be a secure way to log back in and, after the VPN connection is established, to roll out a different second factor, in this case the smartphone. A factor, let's call it "Emergency" for simplicity, would be selected in the chain selection and the user would be provided with a very long alphanumeric OTP. This OTP would then have to be spelled, digit by digit, to the admin at home, who would be able to generate a counter code (basically just a telephonic challenge-response), which would then allow the user to log back into his machine. The admin then goes through the rollout process with the user and he has a working 2FA again.
Now there are certain things I would like to see for this method:
- not visible at first sight in the chain selection (something like a link at the bottom or so)
- offline capabilities are mandatory

This method would be achievable by having a secret, like an OTP secret, distributed to the client on the first connection to the AAF server.

BR Dan

Comments

  • This is interesting. How do you believe the "secret" would be distributed? How would the user store or manage their "secret"? What happens if a user misplaces their "secret"? Troy

  • Hi,
    distribution and storage would basically happen in the same context as with all the other HOTP secrets. The user would not have access to the secret. Basically, think of it as an emergency password with offline capabilities. And the HOTP is only generated when the user clicks a certain link on the login screen, to avoid bypassing the 2FA.

  • As an alternative, it could be implemented as a sort of challenge-response system like a Windows Phone activation. The user calls the admin and spells a "key" of some sort, from which the admin could generate a response that he spells back to the user.

    The key could include, for example, a timestamp, the user (including the domain) he wants to log in as, and the machine name.

  • Please review the offline capabilities in v6.0 and ensure that this is satisfied.

    Troy

  • Will this feature be available in AAF 6.1?
    Many new customers and existing customers are asking for this feature.

  • This is not planned for any release yet. Dan or Kevin can you please call me (+1 813-505-4921) so we can discuss this in more detail? I still do not understand the whole login flow and how it would provide two-factor.

    Thank You,

  • As I understand it now, the ask is for Emergency Password Offline as follows:

    Emergency Password Offline

    Assumption - pre-shared key assigned at initial login (stored on workstation)

    Scenario - User is disconnected and cannot log in due to some lack of factor (forgotten password, lost device or other)

    - user phones help desk (not with the phone they are supposed to use to login I guess)
    - user clicks link on CP
    - a code is displayed on workstation screen
    - user reads the code to help desk
    - help desk personnel opens the user's profile and enters the code at the console
    - an OTP is displayed on the console
    - help desk supplies the code to the user for login


    Does this scenario satisfy all parties on the thread?

    If so, I will take it to engineering and see when it can be scheduled.

    Regards,
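The seven-step flow summarised above, combined with the challenge contents proposed earlier in the thread (timestamp, user with domain, machine name), as an added worked example. This is not part of the thread or of AAF; it assumes a pre-shared secret stored on the workstation at first login and in the user's server-side profile, a help-desk console that knows the account from the profile and is told the machine name over the phone, and codes that are spelled aloud (base32 alphabet for the challenge, decimal digits for the response). Names, lengths and the 15-minute window are illustrative assumptions.

```python
"""Offline emergency challenge/response as sketched in the thread.

Added example, not the product's own implementation.  Assumed design:
  - secret K distributed to the workstation at first login and kept in the
    user's profile on the server; the user never sees it,
  - the workstation knows its own hostname; the help desk types in the
    machine name the user reads out,
  - the challenge is spelled over the phone, so it uses base32 (A-Z, 2-7),
    the response is decimal digits.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

RESPONSE_DIGITS = 8
CHALLENGE_WINDOW_MIN = 15   # assumption: response must be entered within 15 min


def make_challenge(now=None, nonce=None):
    """Workstation side: the code shown after the user clicks the emergency link.

    Payload = minutes since epoch (4 bytes) || random nonce (4 bytes),
    base32 without padding -> 13 characters to read out.
    """
    ts = int(now if now is not None else time.time()) // 60
    nonce = secrets.token_bytes(4) if nonce is None else nonce
    return base64.b32encode(struct.pack(">I", ts) + nonce).decode().rstrip("=")


def parse_challenge(challenge):
    """Recover (timestamp_minutes, nonce); raises ValueError if malformed."""
    raw = base64.b32decode(challenge.upper() + "=" * (-len(challenge) % 8))
    if len(raw) != 8:
        raise ValueError("malformed challenge")
    return struct.unpack(">I", raw[:4])[0], raw[4:]


def compute_response(secret, challenge, account, machine):
    """Help-desk console (and the workstation when verifying).

    HOTP-style: HMAC-SHA256 over challenge || account || machine, then
    dynamic truncation to RESPONSE_DIGITS decimal digits.  Binding the
    account and machine name means a response obtained for one user or
    machine cannot be reused on another.
    """
    msg = b"|".join([challenge.upper().encode(),
                     account.lower().encode(),
                     machine.lower().encode()])
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** RESPONSE_DIGITS:0{RESPONSE_DIGITS}d}"


class Workstation:
    """Minimal offline verifier holding the pre-shared secret."""

    def __init__(self, secret, account, machine):
        self.secret = secret
        self.account = account
        self.machine = machine
        self.used = set()   # redeemed challenges; persist this in a real client

    def emergency_login(self, challenge, response, now=None):
        now = time.time() if now is None else now
        try:
            ts, _ = parse_challenge(challenge)
        except ValueError:
            return False
        age_min = int(now) // 60 - ts
        if not 0 <= age_min <= CHALLENGE_WINDOW_MIN:
            return False                    # expired, or from the future
        if challenge.upper() in self.used:
            return False                    # replay of a code spoken earlier
        expected = compute_response(self.secret, challenge, self.account, self.machine)
        if not hmac.compare_digest(expected, response):
            return False
        self.used.add(challenge.upper())
        return True


def demo():
    """Run the phone exchange once; returns (ok, replay_ok, other_machine_ok)."""
    secret = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed
    ws = Workstation(secret, "dan@xyz.example", "LAPTOP-42")
    t0 = 1_700_000_000
    # 1-2: user phones the help desk and clicks the link; a code is displayed
    challenge = make_challenge(now=t0, nonce=b"\x01\x02\x03\x04")
    # 3-5: user reads the code; help desk opens the profile, enters code + machine
    response = compute_response(secret, challenge, "dan@xyz.example", "LAPTOP-42")
    # 6-7: help desk reads the OTP back, user types it in two minutes later
    ok = ws.emergency_login(challenge, response, now=t0 + 120)
    replay = ws.emergency_login(challenge, response, now=t0 + 180)
    other = Workstation(secret, "dan@xyz.example", "OTHER-PC")
    other_ok = other.emergency_login(challenge, response, now=t0 + 120)
    return ok, replay, other_ok


if __name__ == "__main__":
    print(demo())
```

The two checks that matter for keeping this a second factor are the single-use set and the time window: without them a code overheard on the phone stays valid, and without the account/machine binding a help-desk response for one user would unlock any workstation holding the same secret type.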

  • Hi Troy,

    sounds good

    BR

    Kevin

  • In which version will this feature be available?

  • This is not scheduled yet. 6.3 is the first target release where it could possibly fit.

  • Very much a requirement for future success