Great, thanks for the feedback, Chris. I think in the first iteration the default plugin that will be shipped will be TOTP (time-based OTP) based, such as what a lot of people use with Google Authenticator, Authy etc. Instead of a "static pin" plugin, maybe we can also do a dynamic email-based OTP 2FA plugin too.

Regards.

________________________________
From: [email protected] <[email protected]>
Sent: Monday, November 29, 2021 17:14
To: [email protected] <[email protected]>
Subject: Re: [DISCUSS] 2FA framework and plugins for CloudStack

Hi Rohit,

this sounds awesome and for me it is an absolute +1, as in my organization this is a major concern with CloudStack atm.

Regarding the proposed "general-purpose 2FA plugins": I would suggest exchanging the PIN option for another type of factor, as, as far as I am aware, a user-generated PIN would also "count" as a "knowledge" factor.

Maybe one could use the already implemented functions for generating ssh-keypairs to create a kind of "token" which a user needs to present on login (simply saying: generate a dedicated key-pair for login purposes to the web-ui / cmk). The admins could then choose how to provide the token to the users or where to store them.

Instead of using "ssh-keys", maybe a certificate / PKI approach would also be useful, as many of the using organizations already have some kind of PKI environment running. So admins could deploy a root cert for the domain and provide user certs for authentication / validation.

Looking forward to this exciting feature!

Regards,
Chris

On Mon, 29 Nov 2021 at 11:49, Rohit Yadav <[email protected]> wrote:

> All,
>
> During CCC21 hackathon, I explored the feasibility of a 2FA framework and
> a TOTP (time-based OTP) plugin that can be used with Google Authenticator,
> MS Authenticator, Authy etc.
>
> I've used ideas of TOTP based 2FA PoC to put together a design doc for
> discussion:
>
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/2FA+Framework+and+Plugins
>
> Kindly review and share your feedback. Thanks.
>
> Regards.
