combined password and totp auth plugin for MFA

Registered by Adrian Turjak

The current password and TOTP plugins are separate, and there seems to be no way to enforce both at Keystone, since the assumption is that a consumer of Keystone will pick which auth methods to use.

This makes the current TOTP plugin less useful than it could be, and the added requirement to request the TOTP auth method explicitly makes it much harder to use.

This plugin would be an optional replacement for the current password plugin that would also perform TOTP checks for users that have TOTP credentials associated with their user account.

It would work by expecting a passcode appended to the password; if TOTP credentials are present for the user, it would strip the passcode from the end of the submitted string and verify it.

This would allow optional multi-factor auth (MFA) on a per-user basis without restricting any API access for non-MFA users, and it would also allow MFA-enabled users to keep using the API, CLI, and Horizon as normal simply by appending their TOTP passcode to their password.
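The password-plus-passcode flow described above, as an added example that is not code from the blueprint or from Keystone: the user records, field names, salt and TOTP secret are constructed, and the TOTP/HOTP functions are plain RFC 6238/4226 implementations on the standard library. Note that a non-MFA user's password is never split, so a password that happens to end in six digits still works.

```python
import hashlib, hmac, struct

# Constructed sample records; the field names are hypothetical, not Keystone's data model.
SALT = b"constructed-salt"

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {
    # A non-MFA user whose password happens to end in six digits.
    "alice": {"pw_hash": hash_password("spring2016"), "totp_secret": None},
    # An MFA user with a TOTP secret enrolled (RFC 6238 test-vector secret).
    "bob": {"pw_hash": hash_password("hunter2"), "totp_secret": b"12345678901234567890"},
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now // step, digits)

def split_passcode(submitted: str, digits: int = 6):
    """Separate 'password + passcode' into its parts; None if no passcode is present."""
    if len(submitted) <= digits or not submitted[-digits:].isdigit():
        return None
    return submitted[:-digits], submitted[-digits:]

def authenticate(username: str, submitted: str, now: int) -> bool:
    """Password check, plus a TOTP check only for users with a TOTP secret enrolled."""
    user = USERS.get(username)
    if user is None:
        return False
    secret = user["totp_secret"]
    if secret is None:
        # Non-MFA user: the whole string is the password, nothing is stripped.
        return hmac.compare_digest(hash_password(submitted), user["pw_hash"])
    parts = split_passcode(submitted)
    if parts is None:
        return False
    password, passcode = parts
    # Accept the previous/next 30 s window to tolerate clock drift; compare in constant time.
    code_ok = any(hmac.compare_digest(passcode, totp(secret, now + d)) for d in (-30, 0, 30))
    pw_ok = hmac.compare_digest(hash_password(password), user["pw_hash"])
    return pw_ok and code_ok
```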

Blueprint information

Status: Complete
Approver: Steve Martinelli
Priority: Medium
Drafter: Adrian Turjak
Direction: Approved
Assignee: Adrian Turjak
Definition: Superseded
Series goal: Accepted for ocata
Implementation: Needs Code Review
Milestone target: None
Started by: Adrian Turjak
Completed by: Steve Martinelli

Whiteboard

Do we supersede this BP in favor of https://blueprints.launchpad.net/keystone/+spec/per-user-auth-plugin-reqs ?

Yes, we do.

Gerrit topic: https://review.openstack.org/#q,topic:bp/password-totp-plugin,n,z

Addressed by: https://review.openstack.org/343422
    [WIP] combined password+totp auth plugin

Addressed by: https://review.openstack.org/345113
    Extended Password Auth with optional MFA
