Adding OTP codes to the 2FA methods
Descriptive title for this enhancement
The WebAuthn plugin lets us add a YubiKey, but it would be nice if we could also use OTP, because not everyone has a YubiKey.
Actual behavior
We can only add a YubiKey with the WebAuthn plugin.
Expected behavior
Using OTP alone, or with a YubiKey as fallback.
Benefits
Using OTP if we do not have a YubiKey.
Activity
- Jonathan Swaelens changed milestone to %FusionDirectory 1.4
- Jonathan Swaelens added PJ1802-0188 plugin-webauthn technical discussion labels
- Author Developer
I think that the easiest and most generic way to implement it would be to let the user add all the authentication methods (YubiKey, OTP, ...).
And at login, accept any of these methods, because it could be hard to foresee every configuration (with YubiKey / without YubiKey, with another physical device, OTP alone, ...).
What do you think @bmortier ?
- Jonathan Swaelens added 5m of time spent at 2019-12-03
- Reporter
It seems the correct standard for this is TOTP, described in this RFC: https://tools.ietf.org/html/rfc6238
Wikipedia page: https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm
Also interesting to read: https://blog.trailofbits.com/2019/06/20/getting-2fa-right-in-2019/ (this also concerns #6019 (closed)).
And just for the record, WebAuthn is not specific to YubiKey: any 2FA device which respects the standard may be used, and there are plans for using phones for this (both Android and iOS plan to support this).
- Côme Chilliet added 30m of time spent at 2019-12-03
- Reporter
https://oath-ldap.stroeder.com/ seems to have a schema for this, but I can’t find it yet…
https://github.com/Spomky-Labs/otphp looks promising after a few tests; we will also need a QR code generation library. (They recommend https://github.com/Bacon/BaconQrCode.)
- Côme Chilliet added 6h of time spent at 2019-12-04
- Côme Chilliet mentioned in commit 717ca9a5
- bmortier changed due date to December 23, 2019
- bmortier removed plugin-webauthn label
- bmortier removed technical discussion label
- bmortier added plugin-totp label
- Reporter
oath-ldap schema is here: https://gitlab.com/ae-dir/ansible-ae-dir-server/blob/master/files/schema/oath-ldap.schema
But it seems overkill for our needs.
- Côme Chilliet mentioned in commit acfaa35b
- Reporter
TOTP provides no inherent replay protection. Services may elect to guard against replays by refusing to accept a valid code more than once, but this can ensnare legitimate users who log in more than once within a TOTP window.
@bmortier Do we want replay protection? (This means storing in LDAP the used OTP codes to make sure they do not get reused in the 30 seconds they are valid. Seems expensive for little risk, but I'm no security expert.)
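To make the two points above concrete (RFC 6238 TOTP as the standard, and the cost of replay protection), here is an added stand-alone example written for this page. It is not FusionDirectory code and does not use otphp: it implements RFC 4226 HOTP and RFC 6238 TOTP with the Python standard library, builds the otpauth:// URI that the QR code would carry (the Key URI format used by authenticator apps; the issuer and label are made up), and verifies codes with a window plus a replay guard. The replay guard does not store used codes: it keeps one integer per user, the last accepted time-step counter, and refuses anything at or below it. The secret is the RFC 6238 Appendix B test secret; the timestamps in the walk-through are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), used here for the vectors.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte big-endian counter), then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp_counter(unix_time: float, step: int = 30) -> int:
    """RFC 6238: T = floor((now - T0) / X) with T0 = 0 and X = step seconds."""
    return int(unix_time) // step


def totp(secret: bytes, unix_time: float, digits: int = 6, step: int = 30,
         digestmod=hashlib.sha1) -> str:
    return hotp(secret, totp_counter(unix_time, step), digits, digestmod)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """Key URI format understood by authenticator apps; this string is what gets QR-encoded."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}", safe=":")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


def verify_totp(secret: bytes, code: str, unix_time: float, last_counter: int,
                window: int = 1, digits: int = 6, step: int = 30):
    """Check `code` against the current step +/- `window` steps.

    Replay guard: a step counter is only usable if it is strictly greater than
    `last_counter`, the last step this user successfully authenticated with.
    Returns (accepted, new_last_counter); the caller persists the counter.
    The cost is one integer per user rather than a list of used codes; the
    side effect, as the quoted article notes, is that a second login inside
    the same 30 s step is refused until the next code.
    """
    now = totp_counter(unix_time, step)
    for candidate in range(now - window, now + window + 1):
        if candidate <= last_counter:
            continue  # this step (or an older one) was already consumed
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, code):  # constant-time compare
            return True, candidate
    return False, last_counter


def replay_demo(secret: bytes = RFC_TEST_SECRET, t0: int = 1111111110):
    """Constructed walk-through (t0 is a step boundary, 37037037 * 30):
    first login accepted, same code replayed 5 s later rejected,
    next step's code accepted. Returns the three outcomes."""
    last = -1  # nothing accepted yet for this user
    code = totp(secret, t0)
    ok_first, last = verify_totp(secret, code, t0, last)
    ok_replay, last = verify_totp(secret, code, t0 + 5, last)
    ok_next, last = verify_totp(secret, totp(secret, t0 + 30), t0 + 30, last)
    return ok_first, ok_replay, ok_next


if __name__ == "__main__":
    print("RFC 6238 vector at t=59 (8 digits):", totp(RFC_TEST_SECRET, 59, digits=8))
    print(provisioning_uri(RFC_TEST_SECRET, "alice@example.com", "FusionDirectory"))
    print("first / replay / next-step:", replay_demo())
    print("current code:", totp(RFC_TEST_SECRET, time.time()))
```

The window of one step on each side tolerates clock drift between the phone and the server; widening it increases the number of codes a guess can match, so it should stay small and be paired with rate limiting on failed attempts.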
- Côme Chilliet mentioned in commit 0b43c626