CAS 6.0.x + MFA: multiple tokens per user?


Patrick Proniewski

Jul 15, 2019, 5:10:34 AM
to cas-...@apereo.org
Hello,

I'm pretty used to MFA as an admin and user, but CAS's implementation is quite new to me. At work we have a brand new CAS install with providers enabled for MFA: gauth, yubikey, u2f.

I would like to be able to store more than one physical token for some users: 2 or 3 YubiKeys or 2 or 3 U2F keys (not both).
I've tried to hack/tamper with the database content where enrolled tokens are stored, but it was a complete failure. If I have more than one token enrolled for a given user, only one of them will work.

I find it paramount to be able to store a backup 2FA token, and I'm pretty reluctant to use CAS MFA in production if I can't give my 30K+ users a way to enrol more than 1 token.

Thanks,

Patrick

Patrick Proniewski

Jul 19, 2019, 5:46:59 AM
to cas-...@apereo.org
Anyone?
I'm quite surprised to be alone in wanting to enrol more than one U2F key or YubiKey per user…

Any hint appreciated.
Thanks,

Patrick

HURTEVENT VINCENT

Jul 19, 2019, 8:58:01 AM
to cas-...@apereo.org
Hello Patrick,

> On 19 Jul 2019, at 11:46, Patrick Proniewski <patrick.p...@univ-lyon2.fr> wrote:
>
> I'm quite surprised to be alone in wanting to enrol more than one U2F key or YubiKey per user…
>


I think that it's not appropriate to have multiple active tokens if the main goal is to harden authentication using MFA.

Maybe the best way to reduce support load in case of a lost token is to provide 2 (or more) tokens up front (1 production and 1 backup) to the user, plus an organizational process where IT could quickly swap the token on a user's call after an identity check.
> --
> - Website: https://apereo.github.io/cas
> - Gitter Chatroom: https://gitter.im/apereo/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to the Google Groups "CAS Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
> To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/326F7E8E-326E-41C4-908D-EE0891594BA1%40univ-lyon2.fr.

Patrick Proniewski

Jul 19, 2019, 10:31:01 AM
to cas-...@apereo.org
Hello Vincent,

> On 19 Jul 2019, at 14:57, HURTEVENT VINCENT <vincent....@univ-lyon1.fr> wrote:
>
> Hello Patrick,
>
>> On 19 Jul 2019, at 11:46, Patrick Proniewski <patrick.p...@univ-lyon2.fr> wrote:
>>
>> I'm quite surprised to be alone in wanting to enrol more than one U2F key or YubiKey per user…
>
> I think that it's not appropriate to have multiple active tokens if the main goal is to harden authentication using MFA.


I'm pretty sure it's best practice; in fact it's even endorsed by Google: by default they ask you to enrol 2 keys. The registrar Gandi.net lets you enrol as many U2F keys as you want, too. Many others do allow multiple tokens or a backup 2FA method (pretty sure Facebook allows it). Twitter won't let you use U2F unless you give them a phone number that will act as a backup 2FA in case you lose the U2F token. Etc.

Also, it looks to me like a regular user will feel way safer if he knows he has a backup device just in case the 1st one is lost.

Nothing to lose; it's always a win to allow multiple-token enrolment.


> Maybe the best way to reduce support load in case of a lost token is to provide 2 (or more) tokens up front (1 production and 1 backup) to the user, plus an organizational process where IT could quickly swap the token on a user's call after an identity check.

It's probably worse, at least on our side. We don't allow users to call for a password reset, so it's very unlikely we'd allow them to change 2FA tokens over the phone or by any other remote means.

Cheers,

Patrick
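As an added illustration of the failure Patrick describes and of the storage model that avoids it (this is example code written for this page, not code from the thread, from CAS or from any of its MFA providers; the toy HMAC "authenticator", the two registry classes, the three-device cap and the user name are all assumptions, and the single-slot registry only models the observed behaviour, not CAS internals), the Python below enrols a primary and a backup key for one user in two registries: one keyed by user alone, where the second enrolment replaces the first, and one keyed by user and credential ID, where either key authenticates and the lost one can be revoked on its own.

```python
"""Toy model of per-user MFA device storage (added example, not CAS code).

Two registries enrol the same two hardware-style authenticators for one user.
The single-slot registry keeps one record per user, so the second enrolment
silently replaces the first; the multi-device registry keys records by
credential ID, so either key authenticates and the lost one can be revoked.
"""
import hashlib
import hmac
import os
import secrets
from collections import defaultdict


class ToyAuthenticator:
    """Stand-in for a physical key. Assumption: each device holds one random
    secret and answers challenges with HMAC-SHA256. This is NOT the U2F/FIDO
    signature protocol; it only models 'one secret per physical token'."""

    def __init__(self) -> None:
        self.credential_id = secrets.token_hex(16)
        self._secret = secrets.token_bytes(32)

    def enrolment_record(self) -> dict:
        # What the server stores at enrolment. A real registry would store the
        # device's public key; the toy stores the MAC key instead.
        return {"credential_id": self.credential_id, "key": self._secret}

    def sign(self, challenge: bytes) -> dict:
        return {
            "credential_id": self.credential_id,
            "sig": hmac.new(self._secret, challenge, hashlib.sha256).digest(),
        }


def _mac_ok(record: dict, challenge: bytes, assertion: dict) -> bool:
    expected = hmac.new(record["key"], challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


class SingleSlotRegistry:
    """One record per user: enrolling a second device overwrites the first,
    so only the most recently enrolled key can authenticate."""

    def __init__(self) -> None:
        self._by_user: dict[str, dict] = {}

    def enrol(self, user: str, record: dict) -> None:
        self._by_user[user] = record

    def verify(self, user: str, challenge: bytes, assertion: dict) -> bool:
        record = self._by_user.get(user)
        if record is None or record["credential_id"] != assertion["credential_id"]:
            return False
        return _mac_ok(record, challenge, assertion)


class MultiDeviceRegistry:
    """One record per (user, credential_id) with a per-user cap: any enrolled
    device authenticates, and a lost device is revoked without touching the rest."""

    def __init__(self, max_per_user: int = 3) -> None:
        self.max_per_user = max_per_user
        self._by_user: dict[str, dict[str, dict]] = defaultdict(dict)

    def enrol(self, user: str, record: dict) -> None:
        devices = self._by_user[user]
        if record["credential_id"] not in devices and len(devices) >= self.max_per_user:
            raise ValueError(f"{user} already has {self.max_per_user} devices enrolled")
        devices[record["credential_id"]] = record

    def verify(self, user: str, challenge: bytes, assertion: dict) -> bool:
        # The assertion names the credential that produced it; look it up among
        # this user's devices instead of assuming a single record.
        record = self._by_user.get(user, {}).get(assertion["credential_id"])
        return record is not None and _mac_ok(record, challenge, assertion)

    def revoke(self, user: str, credential_id: str) -> bool:
        return self._by_user.get(user, {}).pop(credential_id, None) is not None

    def enrolled(self, user: str) -> list:
        return sorted(self._by_user.get(user, {}))


def demo(user: str = "patrick") -> dict:
    """Enrol a primary and a backup key in both registries and report which
    key still authenticates in each, before and after revoking the primary."""
    primary, backup = ToyAuthenticator(), ToyAuthenticator()
    single, multi = SingleSlotRegistry(), MultiDeviceRegistry()
    for registry in (single, multi):
        registry.enrol(user, primary.enrolment_record())
        registry.enrol(user, backup.enrolment_record())

    def attempt(registry, device) -> bool:
        challenge = os.urandom(32)  # fresh server-issued challenge per attempt
        return registry.verify(user, challenge, device.sign(challenge))

    out = {
        "single_slot_primary": attempt(single, primary),
        "single_slot_backup": attempt(single, backup),
        "multi_primary": attempt(multi, primary),
        "multi_backup": attempt(multi, backup),
        "multi_enrolled": len(multi.enrolled(user)),
    }
    multi.revoke(user, primary.credential_id)  # primary key reported lost
    out["multi_primary_after_revoke"] = attempt(multi, primary)
    out["multi_backup_after_revoke"] = attempt(multi, backup)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The property that makes a backup key usable is the lookup by the credential ID carried in the assertion: the server asks "is this one of the user's enrolled devices?" rather than "is this the user's device?". The per-user cap and the revoke path are what keep a spare key from weakening the scheme: a lost token is removed on its own, and the number of live credentials stays bounded.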
