lemonldap-ng/doc/pages/documentation/current/secondfactor.html

<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:2.0:secondfactor</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,secondfactor"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="secondfactor.html"/>
<link rel="contents" href="secondfactor.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:secondfactor","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#providing_tokens_from_an_external_source">Providing tokens from an external source</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#u2f_tokens">U2F Tokens</a></div></li>
<li class="level2"><div class="li"><a href="#totp_tokens">TOTP Tokens</a></div></li>
<li class="level2"><div class="li"><a href="#yubikey_tokens">Yubikey Tokens</a></div></li>
</ul>
</li>
<li class="level1"><div class="li"><a href="#developer_corner">Developer corner</a></div></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="second_factors">Second Factors</h1>
<div class="level1">

<p>
Two-Factor Authentication <em>(as known as 2FA)</em> is a kind (subset) of <a href="https://en.wikipedia.org/wiki/Multi-factor_authentication" class="urlextern" title="https://en.wikipedia.org/wiki/Multi-factor_authentication"  rel="nofollow">multi-factor authentication</a>. It is a method to confirm a user&#039;s claimed identity by using a combination of two different factors between:
</p>
<ol>
<li class="level1"><div class="li"> something they know <em>(login / password, …)</em></div>
</li>
<li class="level1"><div class="li"> something they have <em>(U2F Key, smartphone, …) </em> </div>
</li>
<li class="level1"><div class="li"> something they are <em>(biometrics like fingerprints, ...)</em></div>
</li>
</ol>

<p>
Since 2.0, LLNG provides some second factor plugins that can be used to complete authentication module with 2FA :
</p>
<ul>
<li class="level1"><div class="li"> <a href="u2f.html" class="wikilink1" title="documentation:2.0:u2f">U2F tokens</a></div>
</li>
<li class="level1"><div class="li"> <a href="totp2f.html" class="wikilink1" title="documentation:2.0:totp2f">TOTP</a> <em>(to use with <a href="https://freeotp.github.io/" class="urlextern" title="https://freeotp.github.io/"  rel="nofollow">FreeOTP</a>, <a href="https://en.wikipedia.org/wiki/Google_Authenticator" class="urlextern" title="https://en.wikipedia.org/wiki/Google_Authenticator"  rel="nofollow">Google-Authenticator</a>,…)</em></div>
</li>
<li class="level1"><div class="li"> <a href="utotp2f.html" class="wikilink1" title="documentation:2.0:utotp2f">U2F-or-TOTP</a> <em>(enable both U2F and TOTP)</em></div>
</li>
<li class="level1"><div class="li"> <a href="yubikey2f.html" class="wikilink1" title="documentation:2.0:yubikey2f">Yubikey tokens</a> <em> provide by Yubico</em> </div>
</li>
<li class="level1"><div class="li"> <a href="rest2f.html" class="wikilink1" title="documentation:2.0:rest2f">REST</a> <em>(Remote REST app)</em> </div>
</li>
<li class="level1"><div class="li"> <a href="external2f.html" class="wikilink1" title="documentation:2.0:external2f">External 2F</a> <em>(to call an external command)</em> </div>
</li>
<li class="level1"><div class="li"> <a href="mail2f.html" class="wikilink1" title="documentation:2.0:mail2f">E-Mail 2F</a> <em>(Send a code to an email address)</em> </div>
</li>
</ul>

<p>
The E-Mail, External and REST 2F modules <a href="sfextra.html" class="wikilink1" title="documentation:2.0:sfextra">may be declared multiple times</a> with different sets of parameters.
</p>
<div class="notetip">If you want to force a 2F registration on first login, you can use &#039;Require 2FA&#039;. You can also use a rule to force 2FA registration only for some users.
</div><div class="notetip">You can display a message if an expired second factor has been removed by enabling &#039;Display a message if an expired SF is removed&#039; option or setting a rule.
</div>
</div>
<!-- EDIT1 SECTION "Second Factors" [1-1523] -->
<h2 class="sectionedit2" id="providing_tokens_from_an_external_source">Providing tokens from an external source</h2>
<div class="level2">

<p>
If you don&#039;t want to use self-registration features for U2F, TOTP and so on, you can set tokens by yourself <em>(in your LDAP server for example)</em> and map it to <code>_2fDevices</code> attribute. <code>_2fDevices</code> is a JSON array that contains token descriptions :
</p>
<pre class="code json">[ {&quot;type&quot; : &quot;TOTP&quot;, &quot;name&quot; : &quot;MyTOTP&quot;, …}, {&lt;other_token&gt;}, …]</pre>

</div>
<!-- EDIT2 SECTION "Providing tokens from an external source" [1524-1917] -->
<h3 class="sectionedit3" id="u2f_tokens">U2F Tokens</h3>
<div class="level3">
<pre class="code json">{&quot;name&quot; : &quot;MyU2FKey&quot; , &quot;type&quot; : &quot;U2F&quot; , &quot;_userKey&quot; : &quot;########&quot; , &quot;_keyHandle&quot;:&quot;########&quot; , &quot;epoch&quot;:&quot;1524078936&quot;}</pre>

</div>
<!-- EDIT3 SECTION "U2F Tokens" [1918-2075] -->
<h3 class="sectionedit4" id="totp_tokens">TOTP Tokens</h3>
<div class="level3">
<pre class="code json">{&quot;name&quot; : &quot;MyTOTP&quot; , &quot;type&quot; : &quot;TOTP&quot; , &quot;_secret&quot; : &quot;########&quot; , &quot;epoch&quot; : &quot;1523817955&quot;}</pre>

</div>
<!-- EDIT4 SECTION "TOTP Tokens" [2076-2208] -->
<h3 class="sectionedit5" id="yubikey_tokens">Yubikey Tokens</h3>
<div class="level3">
<pre class="code json">{&quot;name&quot; : &quot;MyYubikey&quot; , &quot;type&quot; : &quot;UBK&quot; , &quot;_yubikey&quot; : &quot;########&quot; , &quot;epoch&quot; : &quot;1523817715&quot;}</pre>

</div>
<!-- EDIT5 SECTION "Yubikey Tokens" [2209-2347] -->
<h2 class="sectionedit6" id="developer_corner">Developer corner</h2>
<div class="level2">

<p>
To develop a new 2FA plugin, read <code>Lemonldap::NG::Portal::Main::SecondFactor (3pm)</code> manpage. Your 2F module must be a Perl class named <code>Lemonldap::NG::Portal::2F::<em>&lt;custom_name&gt;</em></code>. To enable it, set <code>available2F</code> key in your <code>lemonldap-ng.ini</code> file :
</p>
<pre class="code ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">available2F</span> <span class="sy0">=</span><span class="re2"> U2F,TOTP,&lt;custom_name&gt;</span></pre>

<p>
To enable manager Second Factor Administration Module, set <code>enabledModules</code> key in your <code>lemonldap-ng.ini</code> file : 
</p>
<pre class="code ini"><span class="re0"><span class="br0">&#91;</span>portal<span class="br0">&#93;</span></span>
<span class="re1">enabledModules</span> <span class="sy0">=</span><span class="re2"> conf, sessions, notifications, 2ndFA</span></pre>

</div>
<!-- EDIT6 SECTION "Developer corner" [2348-] --></div>
</body>
</html>
make documentation 8 years ago			`<!DOCTYPE html>`
			`<html lang="en" dir="ltr">`
			`<head>`
			`<meta charset="utf-8" />`
			`<title>documentation:2.0:secondfactor</title>`
			`<meta name="generator" content="DokuWiki"/>`
Update doc 8 years ago			`<meta name="robots" content="index,follow"/>`
make documentation 8 years ago			`<meta name="keywords" content="documentation,2.0,secondfactor"/>`
			`<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>`
			`<link rel="start" href="secondfactor.html"/>`
			`<link rel="contents" href="secondfactor.html" title="Sitemap"/>`
			`<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>`
			`<!-- //if:usedebianlibs`
			`<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />`
			`//elsif:useexternallibs`
			`<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>`
			`//elsif:cssminified`
			`<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />`
			`//else -->`
			`<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />`
			`<!-- //endif -->`
			`<script type="text/javascript">/<![CDATA[/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:secondfactor","namespace":"documentation:2.0"};`
			`/!]]>/</script>`
			`<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>`
			`<!-- //if:usedebianlibs`
			`<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>`
			`//elsif:useexternallibs`
			`<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>`
			`//elsif:jsminified`
			`<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>`
			`//else -->`
			`<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>`
			`<!-- //endif -->`
			`<!-- //if:usedebianlibs`
			`<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>`
			`//elsif:useexternallibs`
			`<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>`
			`//elsif:jsminified`
			`<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>`
			`//else -->`
			`<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>`
			`<!-- //endif -->`
			`</head>`
			`<body>`
			`<div class="dokuwiki export container">`
Add cli_examples.html in doc 8 years ago			`<!-- TOC START -->`
			`<div id="dw__toc">`
			`<h3 class="toggle">Table of Contents</h3>`
			`<div>`
make documentation 8 years ago
Add cli_examples.html in doc 8 years ago			`<ul class="toc">`
			`<li class="level1"><div class="li"><a href="#providing_tokens_from_an_external_source">Providing tokens from an external source</a></div>`
			`<ul class="toc">`
			`<li class="level2"><div class="li"><a href="#u2f_tokens">U2F Tokens</a></div></li>`
			`<li class="level2"><div class="li"><a href="#totp_tokens">TOTP Tokens</a></div></li>`
			`<li class="level2"><div class="li"><a href="#yubikey_tokens">Yubikey Tokens</a></div></li>`
			`</ul>`
			`</li>`
Spelling errors 8 years ago			`<li class="level1"><div class="li"><a href="#developer_corner">Developer corner</a></div></li>`
Add cli_examples.html in doc 8 years ago			`</ul>`
			`</div>`
			`</div>`
			`<!-- TOC END -->`

			`<h1 class="sectionedit1" id="second_factors">Second Factors</h1>`
make documentation 8 years ago			`<div class="level1">`

			`<p>`
Update doc 8 years ago			`Two-Factor Authentication <em>(as known as 2FA)</em> is a kind (subset) of <a href="https://en.wikipedia.org/wiki/Multi-factor_authentication" class="urlextern" title="https://en.wikipedia.org/wiki/Multi-factor_authentication" rel="nofollow">multi-factor authentication</a>. It is a method to confirm a user's claimed identity by using a combination of two different factors between:`
make documentation 8 years ago			`</p>`
			`<ol>`
Update doc 8 years ago			`<li class="level1"><div class="li"> something they know <em>(login / password, …)</em></div>`
make documentation 8 years ago			`</li>`
Update doc 8 years ago			`<li class="level1"><div class="li"> something they have <em>(U2F Key, smartphone, …) </em> </div>`
Add cli_examples.html in doc 8 years ago			`</li>`
Update documentation 7 years ago			`<li class="level1"><div class="li"> something they are <em>(biometrics like fingerprints, ...)</em></div>`
make documentation 8 years ago			`</li>`
			`</ol>`

			`<p>`
Update doc + Omegat conf 8 years ago			`Since 2.0, LLNG provides some second factor plugins that can be used to complete authentication module with 2FA :`
make documentation 8 years ago			`</p>`
			`<ul>`
			`<li class="level1"><div class="li"> <a href="u2f.html" class="wikilink1" title="documentation:2.0:u2f">U2F tokens</a></div>`
			`</li>`
Update doc 8 years ago			`<li class="level1"><div class="li"> <a href="totp2f.html" class="wikilink1" title="documentation:2.0:totp2f">TOTP</a> <em>(to use with <a href="https://freeotp.github.io/" class="urlextern" title="https://freeotp.github.io/" rel="nofollow">FreeOTP</a>, <a href="https://en.wikipedia.org/wiki/Google_Authenticator" class="urlextern" title="https://en.wikipedia.org/wiki/Google_Authenticator" rel="nofollow">Google-Authenticator</a>,…)</em></div>`
make documentation 8 years ago			`</li>`
			`<li class="level1"><div class="li"> <a href="utotp2f.html" class="wikilink1" title="documentation:2.0:utotp2f">U2F-or-TOTP</a> <em>(enable both U2F and TOTP)</em></div>`
			`</li>`
Add cli_examples.html in doc 8 years ago			`<li class="level1"><div class="li"> <a href="yubikey2f.html" class="wikilink1" title="documentation:2.0:yubikey2f">Yubikey tokens</a> <em> provide by Yubico</em> </div>`
make documentation 8 years ago			`</li>`
Update doc 8 years ago			`<li class="level1"><div class="li"> <a href="rest2f.html" class="wikilink1" title="documentation:2.0:rest2f">REST</a> <em>(Remote REST app)</em> </div>`
make documentation 8 years ago			`</li>`
Update doc 8 years ago			`<li class="level1"><div class="li"> <a href="external2f.html" class="wikilink1" title="documentation:2.0:external2f">External 2F</a> <em>(to call an external command)</em> </div>`
make documentation 8 years ago			`</li>`
Update doc 6 years ago			`<li class="level1"><div class="li"> <a href="mail2f.html" class="wikilink1" title="documentation:2.0:mail2f">E-Mail 2F</a> <em>(Send a code to an email address)</em> </div>`
			`</li>`
make documentation 8 years ago			`</ul>`
Update doc 6 years ago
			`<p>`
			`The E-Mail, External and REST 2F modules <a href="sfextra.html" class="wikilink1" title="documentation:2.0:sfextra">may be declared multiple times</a> with different sets of parameters.`
			`</p>`
Update doc 7 years ago			`<div class="notetip">If you want to force a 2F registration on first login, you can use 'Require 2FA'. You can also use a rule to force 2FA registration only for some users.`
			`</div><div class="notetip">You can display a message if an expired second factor has been removed by enabling 'Display a message if an expired SF is removed' option or setting a rule.`
Update documentation 7 years ago			`</div>`
make documentation 8 years ago			`</div>`
Update doc 6 years ago			`<!-- EDIT1 SECTION "Second Factors" [1-1523] -->`
Add cli_examples.html in doc 8 years ago			`<h2 class="sectionedit2" id="providing_tokens_from_an_external_source">Providing tokens from an external source</h2>`
make documentation 8 years ago			`<div class="level2">`

			`<p>`
Add cli_examples.html in doc 8 years ago			`If you don't want to use self-registration features for U2F, TOTP and so on, you can set tokens by yourself <em>(in your LDAP server for example)</em> and map it to <code>_2fDevices</code> attribute. <code>_2fDevices</code> is a JSON array that contains token descriptions :`
			`</p>`
			`<pre class="code json">[ {"type" : "TOTP", "name" : "MyTOTP", …}, {<other_token>}, …]</pre>`

			`</div>`
Update doc 6 years ago			`<!-- EDIT2 SECTION "Providing tokens from an external source" [1524-1917] -->`
Add cli_examples.html in doc 8 years ago			`<h3 class="sectionedit3" id="u2f_tokens">U2F Tokens</h3>`
			`<div class="level3">`
			`<pre class="code json">{"name" : "MyU2FKey" , "type" : "U2F" , "_userKey" : "########" , "_keyHandle":"########" , "epoch":"1524078936"}</pre>`

			`</div>`
Update doc 6 years ago			`<!-- EDIT3 SECTION "U2F Tokens" [1918-2075] -->`
Add cli_examples.html in doc 8 years ago			`<h3 class="sectionedit4" id="totp_tokens">TOTP Tokens</h3>`
			`<div class="level3">`
			`<pre class="code json">{"name" : "MyTOTP" , "type" : "TOTP" , "_secret" : "########" , "epoch" : "1523817955"}</pre>`

			`</div>`
Update doc 6 years ago			`<!-- EDIT4 SECTION "TOTP Tokens" [2076-2208] -->`
Add cli_examples.html in doc 8 years ago			`<h3 class="sectionedit5" id="yubikey_tokens">Yubikey Tokens</h3>`
			`<div class="level3">`
			`<pre class="code json">{"name" : "MyYubikey" , "type" : "UBK" , "_yubikey" : "########" , "epoch" : "1523817715"}</pre>`

			`</div>`
Update doc 6 years ago			`<!-- EDIT5 SECTION "Yubikey Tokens" [2209-2347] -->`
Spelling errors 8 years ago			`<h2 class="sectionedit6" id="developer_corner">Developer corner</h2>`
Add cli_examples.html in doc 8 years ago			`<div class="level2">`

			`<p>`
Spelling errors 8 years ago			`To develop a new 2FA plugin, read <code>Lemonldap::NG::Portal::Main::SecondFactor (3pm)</code> manpage. Your 2F module must be a Perl class named <code>Lemonldap::NG::Portal::2F::<em><custom_name></em></code>. To enable it, set <code>available2F</code> key in your <code>lemonldap-ng.ini</code> file :`
make documentation 8 years ago			`</p>`
			`<pre class="code ini"><span class="re0"><span class="br0">[</span>portal<span class="br0">]</span></span>`
			`<span class="re1">available2F</span> <span class="sy0">=</span><span class="re2"> U2F,TOTP,<custom_name></span></pre>`

Add cli_examples.html in doc 8 years ago			`<p>`
			`To enable manager Second Factor Administration Module, set <code>enabledModules</code> key in your <code>lemonldap-ng.ini</code> file :`
			`</p>`
			`<pre class="code ini"><span class="re0"><span class="br0">[</span>portal<span class="br0">]</span></span>`
			`<span class="re1">enabledModules</span> <span class="sy0">=</span><span class="re2"> conf, sessions, notifications, 2ndFA</span></pre>`

make documentation 8 years ago			`</div>`
Update doc 6 years ago			`<!-- EDIT6 SECTION "Developer corner" [2348-] --></div>`
make documentation 8 years ago			`</body>`
			`</html>`