I mirror Rubens' response, that there exists system-to-system multi-factor authentication for EPP with user name/password, client certificate, and client IP. Is the definition of another second factor, such as TOTP in RFC 6238, applicable to EPP? Michael, are you proposing the use of TOTP for EPP and do you have a concrete use case that you can share?

Thanks,

—

JG

James Gould
Distinguished Engineer
jgo...@verisign.com

703-948-3271
12061 Bluemont Way
Reston, VA 20190

Verisign.com <http://verisigninc.com/>

On 4/18/19, 8:35 AM, "regext on behalf of Rubens Kuhl" <regext-boun...@ietf.org on behalf of rube...@nic.br> wrote:

Do you mean 3rd or 4th, since most EPP systems already have two factors (password and certificate), and some of those also require IP whitelisting.

I believe we already have the tools for the job in this area. And if a registry wants to add some extra layer, the password field could be password12345678 where password is the shared secret and 12345678 is a time-varying part that the EPP clients need to fill according to that registry specification.

Rubens

> On 18 Apr 2019, at 09:23, Michael Bauland <michael.baul...@knipp.de> wrote:
>
> Hi,
>
> I was wondering if one could use the good idea to enhance the security
> for EPP logins and take it one step further and add some additional
> related feature: the introduction and support of 2-factor authentication.
>
> While web-based logins are currently in the process of updating and
> securing the login process by enforcing/allowing a second factor, this
> is not really possible for EPP authentication. If you add an optional
> field like "2fa" next to "pw" it could be used for a future 2nd factor.
>
> What do you think about this? I am aware that 2fa is currently not in
> use for automated processes (at least I'm not aware of this), but the
> changes to the draft would be minimal now. The future possibility to
> submit such a string during the log-in process on the other hand could
> be of great benefit.
>
> Best regards,
>
> Michael
>
> --
> Knipp Medien und Kommunikation GmbH
> Technologiepark
> Martin-Schmeisser-Weg 9
> 44227 Dortmund
> Germany
>
> Dipl.-Informatiker
> Dr. Michael Bauland
> Software Development
>
> Fon: +49 231 9703-0
> Fax: +49 231 9703-200
> SIP: michael.baul...@knipp.de
> E-mail: michael.baul...@knipp.de
>
> Register Court:
> Amtsgericht Dortmund, HRB 13728
>
> Chief Executive Officers:
> Dietmar Knipp, Elmar Knipp
>
> _______________________________________________
> regext mailing list
> regext@ietf.org
> https://www.ietf.org/mailman/listinfo/regext
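
Rubens's suggestion above, a `<pw>` value made of a static shared secret followed by a time-varying part, sketched as a registry-side check (an added example, not part of the thread or of any registry's code). It assumes the time-varying part is an 8-digit RFC 6238 TOTP with HMAC-SHA-1 and a 30-second step; `check_epp_pw` and its parameters are hypothetical names, and the 16-character limit is the `pwType` maximum in RFC 5730.

```python
import hashlib
import hmac
import struct

DIGITS = 8        # length of the time-varying suffix, as in "password12345678"
STEP = 30         # RFC 6238 default time step in seconds (assumed here)
EPP_PW_MAX = 16   # maxLength of pwType in the RFC 5730 schema


def totp(key: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP) -> str:
    """RFC 6238 TOTP using HMAC-SHA-1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def check_epp_pw(pw_field: str, stored_password: str, totp_key: bytes,
                 now: int, drift_steps: int = 1) -> bool:
    """Validate a <pw> value of the form <static password><8-digit TOTP>."""
    # Reject values that cannot hold both parts within the EPP length limit.
    if len(pw_field) > EPP_PW_MAX or len(pw_field) <= DIGITS:
        return False
    static, code = pw_field[:-DIGITS], pw_field[-DIGITS:]
    if not (code.isascii() and code.isdigit()):
        return False
    # Evaluate both parts in constant time before combining them, so the
    # result does not reveal which part was wrong.
    static_ok = hmac.compare_digest(static.encode(), stored_password.encode())
    code_ok = False
    # Accept the current step plus a small window for client clock drift.
    for k in range(-drift_steps, drift_steps + 1):
        t = now + k * STEP
        if t < 0:
            continue
        code_ok |= hmac.compare_digest(code.encode(), totp(totp_key, t).encode())
    return static_ok and code_ok


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 Appendix B SHA-1 test key at T=59.
    key = b"12345678901234567890"
    print(check_epp_pw("password" + totp(key, 59), "password", key, now=59))
```

Because RFC 5730 caps `<pw>` at 16 characters, this scheme leaves at most 8 characters for the static part. The sketch does not record accepted codes; RFC 6238 requires the verifier to refuse a code it has already accepted.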