User MFA Crediential Management

Registered by Amelia Cordwell


Currently there are a number of specs for adding (Password + TOTP) MFA support in keystone. The common way to store these details is using the keystone credentials API with a 'totp' type credential.

Project Scope
    Allow the user to view whether or not they have MFA setup
    Allow the user to add a TOTP credential to their account
    Allow the user to remove TOTP credential from their account
    Make sure that before addition or deletion of a credential that user must provide a valid totp passcode

Horizon Panel:
    A horizon panel to allow for the addition and removal of credentials
    Changes to the Horizon login page to prompt the user for their passcode

Design - Adjutant

This will involve a new action in Adjutant as well as a new taskview associated with that action.

At the main url: /v1/openstack/mfa
    GET will return if the current user has mfa setup
    POST will start a task that creates your totp credential and stores it temporarily, the response will return the totp secret and a token for that task which will be used to submit the passcode and confirm the creation of the credential and that the user has saved the totp credential.
        In the in between stages the token will be stored in keystone as a credential under topt-draft. These will be cleared out each time a new credential is added in.
    DELETE will start the deletion process, respond with an issued token, and on token+passcode submit delete the credential from the user.

The current plan is to only allow a user to have one only active totp credential, for simplicity and better security.

Design - Horizon

A single panel under settings. If the user does not have MFA setup it will display a QR code, secret and box for placing the totp code in. (The QR code will change on page refresh when it starts a new task) If the user has MFA already setup, it will only display an MFA deletion option that requires the user to enter in their current totp passcode in order to remove it.

This is now being developed as a plugin for adjutant as there are developments in keystone for a nicer way of dealing with the problem. Once this is implemented we will change the implementation and place it in core Adjutant however for now we will keep it as a plugin for the interim measure.

Blueprint information

Adrian Turjak
Amelia Cordwell
Amelia Cordwell
Series goal:
Beta Available
Milestone target:
Started by
Amelia Cordwell

Related branches




This is currently being redeveloped as a plugin for Adjutant, as the current implementation of MFA in Keystone is not its final form.


Work Items

This blueprint contains Public information 
Everyone can see this information.


No subscribers.