Google Authenticator integration??


luke p

Aug 7, 2013, 1:44:06 PM8/7/13
to pwm-g...@googlegroups.com
Has anyone tried integrating a One-Time Password system like Google Authenticator into PWM?

The use case would be:
- user accesses PWM website
- user prompted for time-based password code [instead of verification steps like Q/A]
- user gets time-based code from OTP/Google Authenticator app
- user inputs code to PWM website
- user granted access and allowed to reset directory password

(this assumes the OTP secret key is already in the directory, or in the PWM database somewhere - can deal with enrollment and key storage separately)

From my read through the documentation, I'm assuming no. So the follow-up question is: if the PWM system were to check with some OTP calculation component, how would that be accomplished? I'm willing to code the implementation if necessary; I just need some pointers on how to accomplish this properly within the framework.

Enrollment would be a separate discussion - OTP secret key could be built into the enrollment process, the Google Authenticator style system lets a QR code be generated for easy photo scanning into a mobile app. However - for purposes of this discussion, I'd like to focus on the verification part first, and deal with enrollment later.

Appreciate your help folks!!
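The verification step described in the post above is plain RFC 4226/6238: HMAC-SHA1 over a time-step counter, dynamic truncation to six digits, a small clock-skew window, and a guard against replaying a code that was already accepted. The following is an added example, not code from PWM or from the poster; the storage of the last-used counter in a dictionary and the `otpauth://` URI builder for the enrollment QR code are illustrative choices (the URI format is the one Google Authenticator consumes). Secret values in the test are the RFC 6238 reference secret, not real credentials.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

STEP_SECONDS = 30   # Google Authenticator default time step
DIGITS = 6          # Google Authenticator default code length
SKEW_STEPS = 1      # also accept the previous and the next time step (clock drift)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def decode_secret(base32_secret: str) -> bytes:
    """Authenticator apps show the shared secret as unpadded base32; tolerate spaces and lowercase."""
    cleaned = base32_secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)   # restore the padding b32decode insists on
    return base64.b32decode(cleaned)


def otpauth_uri(issuer: str, account: str, base32_secret: str,
                digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """Key URI understood by Google Authenticator; this string is what the enrollment QR code encodes."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    params = urllib.parse.urlencode({"secret": base32_secret, "issuer": issuer,
                                     "algorithm": "SHA1", "digits": digits, "period": step})
    return f"otpauth://totp/{label}?{params}"


class TotpVerifier:
    """Verifies codes within a skew window and refuses any time step at or below the last one accepted.

    The per-user 'last accepted counter' lives in a dict here (assumption for the example);
    a real deployment would persist it next to the secret so a code cannot be replayed
    within its 30-second validity or after a restart.
    """

    def __init__(self, step: int = STEP_SECONDS, digits: int = DIGITS, skew: int = SKEW_STEPS):
        self.step, self.digits, self.skew = step, digits, skew
        self.last_counter = {}   # username -> highest time-step counter accepted so far

    def verify(self, username: str, base32_secret: str, code: str, now=None) -> bool:
        if now is None:
            now = int(time.time())
        if not (code.isdigit() and len(code) == self.digits):
            return False   # reject malformed input before touching the secret
        secret = decode_secret(base32_secret)
        current = now // self.step
        last = self.last_counter.get(username, -1)
        # newest candidate first, so a correct current code is preferred over a drifted one
        for counter in range(current + self.skew, current - self.skew - 1, -1):
            if counter <= last:
                continue   # this step (or an older one) was already consumed: replay attempt
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                self.last_counter[username] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed enrollment: RFC 6238 reference secret, base32-encoded, as an app would scan it.
    demo_secret = base64.b32encode(b"12345678901234567890").decode()
    print(otpauth_uri("PWM", "alice", demo_secret))
    verifier = TotpVerifier()
    code = totp(decode_secret(demo_secret), int(time.time()))
    print("first use :", verifier.verify("alice", demo_secret, code))
    print("replay    :", verifier.verify("alice", demo_secret, code))
```

Two points worth keeping when wiring this into a forgotten-password flow: the skew window should stay small (one step either side is plenty once server NTP is in order), and the replay guard must be per user and persistent, otherwise an attacker who shoulder-surfs or phishes a code has the rest of the 30-second window to reuse it.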

Menno Pieters

Aug 7, 2013, 3:06:01 PM8/7/13
to pwm-g...@googlegroups.com
Hi Dan,

Great idea :-) I've been thinking about this, too. The thing I've been puzzling with is not how to implement it, but where in the product. I could think of it as a replacement for the email/SMS token or as an addition (yet another possible step); I would tend to do the latter.

One more important thing to consider is where the shared secret is stored. This would most likely be any of LDAP (additional attribute), LocalDB (PwmDB) or database (additional table).

What needs to be implemented:
  • Configuration settings (additional section, options for forgotten password)
  • (Forced) setup of OTP secrets
  • Verification in forgotten password steps

Regards,

Menno




--
You received this message because you are subscribed to the Google Groups "pwm-general" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pwm-general...@googlegroups.com.
To post to this group, send email to pwm-g...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/pwm-general/f92c56ee-e0f7-4435-bff1-41eb621e029e%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.



sebastiaan...@gmail.com

Aug 8, 2013, 6:23:12 AM8/8/13
to pwm-g...@googlegroups.com, dan.ro...@gmail.com
Great idea indeed! The cool thing is that enrollment by PWM inside eDir LDAP can be used afterwards by NetIQ Access Manager for two-factor authentication:

https://www.netiq.com/communities/coolsolutions/how-to-integrate-netiq-access-manager-with-google-authenticator-for-two-factor-authentication/

sebastiaan...@gmail.com

Nov 5, 2013, 7:34:14 AM11/5/13
to pwm-g...@googlegroups.com, dan.ro...@gmail.com, sebastiaan...@gmail.com
Minor update from my side: I've created a Proof of Concept to consume the current trunk PWM OTP functionality inside NAM. I've written a Custom Authentication class so that you can use One Time Passwords for protected resources.

Jason Rivard

Nov 5, 2013, 12:42:16 PM11/5/13
to pwm-general
Just curious, sebastiaan: how is this different from the Google Auth class in the article linked above?



sebastiaan...@gmail.com

Nov 8, 2013, 4:26:09 AM11/8/13
to pwm-g...@googlegroups.com
It is quite similar, but also a bit different:

- no Secret Key registration is present (this is handled by PWM)
- the dependency on com.novell.nidp.common.util.obfuscation is removed. Instead I implemented the PWM logic for decryption of the OTP secret that is stored in eDir.
- Added more properties on the Local Authentication Class, i.e. you can now define the PWM Security Key inside your NAM Admin Console

Lars Fredrik Bach

May 11, 2015, 4:41:43 PM5/11/15
to pwm-g...@googlegroups.com, dan.ro...@gmail.com
Hey all.

I've been fiddling around with this too, and to raise the security and authentication level, a solution with two-factor authentication would be nice.

Has anyone looked into the opportunity to implement the following auth-method?:
1. User types in username and password
2. A token code is sent to registered mobilephone-number and the user is authenticated and can go further on to change password.

In other words, it would be great to have the same functionality as with forgotten password when authenticating to the change-password portal.

Jason Rivard

May 11, 2015, 11:37:02 PM5/11/15
to pwm-g...@googlegroups.com, dan.ro...@gmail.com, dan.ro...@gmail.com
Google Auth / TOTP support for enrollment and forgotten password authentication has been in the PWM nightlies for some time.

foosa...@gmail.com

Jun 30, 2019, 1:44:46 PM6/30/19
to pwm-general
On Tuesday, May 12, 2015 at 5:37:02 AM UTC+2, Jason Rivard wrote:
> Google Auth / TOTP support for enrollment and forgotten password authentication has been in the PWM nightlies for some time.

Any chance to have OTP also for user logins? Currently users cannot protect themselves from someone getting their credentials one way or another. Being able to log in to PWM means someone could change the password, security questions, etc., locking out the legit user. Many users do not understand why OTP doesn't work for login once set up. Personally I share that view. I think once set up, OTP should also be enabled for login.

Additionally, even with OTP set up, when resetting the password and having email or security questions enabled, the user can choose which one he prefers, rendering OTP useless if an attacker knows the security questions or took over the email.

Grzegorz Skornowicz

Jul 15, 2022, 7:53:14 AM7/15/22
to pwm-general
+1 to this. It would be great to be able to enforce OTP as a second login factor when logging in to PWM, at least for some users like helpdesk or admins.

Paul Hodgdon

Nov 14, 2022, 7:29:32 AM11/14/22
to pwm-g...@googlegroups.com
You can put SSO in front of the app and use MFA with that.

Paul Hodgdon
Principal Consultant | Identity Works LLC
Epping | New Hampshire 03042 | USA
+1 603 661 1508 (mobile) | +1 603 734 2681 (office)
www.identityworksllc.com

     



On Mon, Nov 14, 2022 at 6:17 AM Fabio Gastaldi <fgas...@gmail.com> wrote:
Yes this is a real issue in enterprise environments, any idea on how to fix this?


On Sunday, June 30, 2019 at 7:44:46 PM UTC+2 foosa...@gmail.com wrote:


Dino Edwards

Nov 18, 2022, 8:42:09 AM11/18/22
to pwm-general
I have implemented SSO with MFA with PWM using Authelia. So in this case, Authelia handles the login with MFA (Duo Push, yubikey or TOTP) and then I use trusted headers SSO in PWM.
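The trusted-headers pattern above has one caveat that decides whether the MFA in front actually protects anything: the application must accept the identity header only from the reverse proxy. If PWM (or any app behind Authelia) is reachable on its own port, a client can send its own `Remote-User` and be logged in as anyone. The following is an added example, not Dino's configuration and not PWM code: it shows the check the application side needs, using the `Remote-User` / `Remote-Groups` headers that Authelia's forward-auth integration sets. The proxy address ranges and the WSGI-style request dictionary are constructed for the example.

```python
import ipaddress

# WSGI spelling of the headers Authelia's forward-auth integration sets for the upstream app.
USER_HEADER = "HTTP_REMOTE_USER"
GROUPS_HEADER = "HTTP_REMOTE_GROUPS"

# Constructed for this example: only these networks may assert an identity.
# In a real deployment this is the address of the reverse proxy that runs the Authelia
# auth_request, and nothing else; it is not a PWM or Authelia default.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def resolve_sso_identity(environ, trusted_proxies=TRUSTED_PROXIES):
    """Return (username, groups) asserted by a trusted proxy, or None if the request is unauthenticated.

    The header is ignored entirely, rather than treated as a hint, when the TCP peer is not
    one of the trusted proxies: a forged Remote-User from any other host must never log in.
    """
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return None   # no usable peer address: cannot establish trust
    if not any(peer in net for net in trusted_proxies):
        return None   # header did not come from the proxy: do not trust it
    user = environ.get(USER_HEADER, "").strip()
    if not user:
        return None   # proxy forwarded the request but Authelia asserted no user
    groups = [g.strip() for g in environ.get(GROUPS_HEADER, "").split(",") if g.strip()]
    return user, groups


if __name__ == "__main__":
    # Constructed requests: one relayed by the proxy, one sent straight to the app with a forged header.
    via_proxy = {"REMOTE_ADDR": "10.0.0.5", "HTTP_REMOTE_USER": "alice", "HTTP_REMOTE_GROUPS": "admins, users"}
    direct = {"REMOTE_ADDR": "203.0.113.7", "HTTP_REMOTE_USER": "alice"}
    print("via proxy:", resolve_sso_identity(via_proxy))   # ('alice', ['admins', 'users'])
    print("direct   :", resolve_sso_identity(direct))      # None
```

The matching rule on the proxy side is that it must overwrite, not merely add, the `Remote-*` headers it sends upstream, so a client-supplied copy never reaches the application, and the application port should additionally be firewalled so that only the proxy can connect to it.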

Shankar Lal

Aug 30, 2023, 5:43:53 AM8/30/23
to pwm-general
Hi Dino,

Kindly share with me the configuration of PWM using Authelia with MFA. I have installed PWM and Authelia, but I don't know how to integrate these two applications, and I also don't know how it will work as SSO.

Thanks & Regards
Shankar
