2 factor authentication with ldap as auth source


Thomas de Jesus

Jan 5, 2022, 10:51:21 AM
to SimpleSAMLphp
I started a conversation regarding 2FA, but basically I was spiraling, not understanding what I was really trying to implement.

I'm hoping I have a better grasp on at least what I am trying to ask.

My setup is an IdP hosted with a single LDAP as the authentication source. I'd like to implement 2FA via SimpleTOTP or any other library. I chose SimpleTOTP as they claim to sit on top of existing authentication sources rather than be the auth source.

But I'm uncertain how to properly integrate the library. I've tried applying the instructions, which use example-userpass as the auth source, to example-ldap, but I see no instructions on how to actually send to an authenticator app.

I'm using SSP to create a portal-like space and want the 2-factor enabled for that initial login, not just with SAML partners. Any SSP login would require 2FA.

And SimpleTOTP may not be the best solution. I could use some advice from anyone using LDAP as an auth source with 2-factor authentication.

Thomas de Jesus

Jan 7, 2022, 4:31:56 PM
to SimpleSAMLphp
I've also looked at https://github.com/NIIF/simplesamlphp-module-authtfaga/tree/v1.2.0

But I'm really struggling to implement either. SimpleTOTP seems like the best way to go: authsource as normal, it just sends you to your authentication app. But I can't seem to get it to work properly.

Stefan Winter

Jan 10, 2022, 11:29:08 AM
to simple...@googlegroups.com, Thomas de Jesus
Hello,

IMHO, TOTP is very 2010.

FIDO2/WebAuthn is a protocol with a unique selling point in that it prevents MITM and phishing attacks from being successful, even in the presence of keyloggers or other malware.

Also, many laptops and phones these days support software FIDO2 tokens already - I recently ran a student course where 100% of students happened to have FIDO2 on all their personal computing devices.

And for the few cases where FIDO2 would need a USB-based hardware token: they aren't that expensive.

So I'd much rather suggest you look at simplesamlphp-module-webauthn and make FIDO2 tokens your second factor. I'm happy to assist you with deployment questions for 1.19.

In your words, "authsource as normal", the module just makes your browser pop up the token trigger additionally after first-factor auth has passed.

Greetings,

Stefan Winter

-- 
Fondation Restena, Stefan WINTER
Chief Technology Officer
2, avenue de l'Université
L-4365 Esch-sur-Alzette
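The origin binding behind Stefan's point, as an added example that is not from this thread and not code from simplesamlphp-module-webauthn: a relying-party-side check of a WebAuthn assertion. The relying party id `idp.example.edu`, the origin, and the look-alike host are constructed; the authenticator's ECDSA signature is replaced by HMAC-SHA256 under a shared test key (an assumption made so the script runs with the standard library only), while the signed layout, authenticatorData followed by SHA-256 of clientDataJSON, and the rpIdHash, flags and counter checks follow the real protocol.

```python
"""Added example, not from the thread or the webauthn module.

Shows why a FIDO2 credential used on a look-alike site is rejected by the
IdP: the browser, not the page, writes the origin into clientDataJSON and
the authenticator binds its response to the rpId hash, so a relayed
assertion never verifies against the real IdP's expectations.
"""
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "idp.example.edu"               # assumed relying party id (constructed)
RP_ORIGIN = "https://idp.example.edu"   # origin the IdP expects (constructed)
FLAG_UP = 0x01   # user present
FLAG_UV = 0x04   # user verified

# Stand-in for the registered key pair: HMAC key instead of ECDSA (assumption).
TEST_KEY = b"constructed-test-key-not-a-real-credential"


def make_authenticator_data(rp_id, flags, sign_count):
    """WebAuthn layout: rpIdHash(32) || flags(1) || signCount(4, big-endian)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


def sign(auth_data, client_data_json):
    """Stand-in for the authenticator signature over authData || SHA-256(clientDataJSON)."""
    msg = auth_data + hashlib.sha256(client_data_json).digest()
    return hmac.new(TEST_KEY, msg, hashlib.sha256).digest()


def simulate_authenticator(challenge, browser_origin, rp_id, sign_count):
    """What browser + authenticator hand back after navigator.credentials.get().

    The browser fills in `origin` from the page that made the call, and only
    allows an rpId that the page's origin is permitted to use.
    """
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge,
                              "origin": browser_origin}).encode()
    auth_data = make_authenticator_data(rp_id, FLAG_UP | FLAG_UV, sign_count)
    return {"clientDataJSON": client_data,
            "authenticatorData": auth_data,
            "signature": sign(auth_data, client_data)}


def verify_assertion(assertion, expected_challenge, expected_origin, rp_id, last_sign_count):
    """Relying-party checks; returns (ok, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(str(cd.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (stale or replayed?)"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: %s" % cd.get("origin")
    ad = assertion["authenticatorData"]
    if len(ad) < 37:
        return False, "authenticatorData too short"
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = ad[32]
    if not flags & FLAG_UP:
        return False, "user not present"
    count = struct.unpack(">I", ad[33:37])[0]
    if count != 0 and count <= last_sign_count:
        return False, "signature counter did not increase (cloned authenticator?)"
    if not hmac.compare_digest(sign(ad, assertion["clientDataJSON"]), assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Genuine login passes; the same challenge relayed through a look-alike
    host fails on origin; re-presenting the genuine assertion fails on the counter."""
    challenge = secrets.token_urlsafe(32)
    genuine = simulate_authenticator(challenge, RP_ORIGIN, RP_ID, 11)
    relayed = simulate_authenticator(challenge, "https://idp-example.evil.test",
                                     "idp-example.evil.test", 11)
    return {
        "genuine": verify_assertion(genuine, challenge, RP_ORIGIN, RP_ID, 10),
        "relayed": verify_assertion(relayed, challenge, RP_ORIGIN, RP_ID, 10),
        "replayed": verify_assertion(genuine, challenge, RP_ORIGIN, RP_ID, 11),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The origin and rpIdHash checks are what make the second factor phishing resistant: a password relayed through a look-alike site is still a valid password, but an assertion produced there carries the wrong origin and the wrong rpId hash, so the IdP rejects it regardless of whether the user was fooled.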

Thomas de Jesus

Jan 10, 2022, 11:33:33 AM
to SimpleSAMLphp
Stefan,

Any auth protocol that increases security is fine with me. But cost is a huge factor. My institution has a major poverty issue. Any security we can provide without passing costs to students is the way to go for us.

Any help you can provide is greatly appreciated.
