Two-Factor Authentication (also known as 2FA) is a subset of multi-factor authentication. It is a method to confirm a user's claimed identity by combining two different authentication factors.
Since version 2.0, LLNG provides second factor plugins that can be used to complement an authentication module with 2FA.
The E-Mail, External and REST 2F modules may be declared multiple times with different sets of parameters.
If you want to force a 2F registration on first login, you can use the Force 2FA registration at login option.
You can use a rule to enable this behavior only for some users.
You can display a message when an expired second factor has been removed by enabling the Display a message if an expired SF is removed option or by setting a rule.
Users may register second factors themselves on the Portal by using the 2FA Manager.
The link is displayed if at least one second factor module is enabled. You can set a rule to control whether the link is displayed.
If you enable the Use 2FA for session upgrade option, the second factor will only be requested at login if the target application requires an authentication level that is strictly higher than the one obtained from the Authentication backend (first factor).
The session upgrade mechanism will only require the second factor step, instead of doing a complete reauthentication.
If you don't want to use the self-registration features for U2F, TOTP and so on, you can set tokens yourself (in your LDAP server, for example) and map them to the _2fDevices attribute. _2fDevices is a JSON array that contains token descriptions:

[ {"type" : "TOTP", "name" : "MyTOTP", …}, {<other_token>}, …]

{"name" : "MyU2FKey" , "type" : "U2F" , "_userKey" : "########" , "_keyHandle":"########" , "epoch":"1524078936"}
{"name" : "MyTOTP" , "type" : "TOTP" , "_secret" : "########" , "epoch" : "1523817955"}
{"name" : "MyYubikey" , "type" : "UBK" , "_yubikey" : "########" , "epoch" : "1523817715"}
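When you provision _2fDevices from outside the Portal (an LDAP export, a migration script), it is worth checking the array before writing it, because a malformed entry silently leaves the user without a working second factor. The following is an added example, not LLNG code: it parses and validates the array using only the field names shown above (type, name, epoch and the per-type private fields), serializes it back in the same shape, and includes a prune_expired helper whose age-based policy is an assumption for illustration, not LLNG's own expiry rule. The sample devices are constructed, with secrets replaced by placeholders.

```python
"""Parse, validate and build the _2fDevices JSON array (added example, not LLNG code)."""
import json
import time

# Private fields each device type must carry, taken from the documented examples.
REQUIRED_FIELDS = {
    "TOTP": ("_secret",),
    "U2F": ("_userKey", "_keyHandle"),
    "UBK": ("_yubikey",),
}

# Constructed sample attribute value; secrets are placeholders, not real key material.
SAMPLE_2F_DEVICES = (
    '[{"name":"MyU2FKey","type":"U2F","_userKey":"########","_keyHandle":"########","epoch":"1524078936"},'
    '{"name":"MyTOTP","type":"TOTP","_secret":"########","epoch":"1523817955"},'
    '{"name":"MyYubikey","type":"UBK","_yubikey":"########","epoch":"1523817715"}]'
)


def validate_device(dev):
    """Return a list of problems with one device entry (empty list if it is valid)."""
    problems = []
    if not isinstance(dev, dict):
        return ["entry is not a JSON object"]
    dtype = dev.get("type")
    if dtype not in REQUIRED_FIELDS:
        problems.append(f"unknown type {dtype!r}")
    if not dev.get("name"):
        problems.append("missing name")
    try:
        int(dev.get("epoch"))
    except (TypeError, ValueError):
        problems.append("epoch must be a Unix timestamp")
    for field in REQUIRED_FIELDS.get(dtype, ()):
        if not dev.get(field):
            problems.append(f"missing {field} for {dtype}")
    return problems


def parse_2f_devices(raw):
    """Parse an attribute value and raise ValueError if any entry is malformed."""
    devices = json.loads(raw)
    if not isinstance(devices, list):
        raise ValueError("_2fDevices must be a JSON array")
    errors = {i: p for i, p in ((i, validate_device(d)) for i, d in enumerate(devices)) if p}
    if errors:
        raise ValueError(f"invalid _2fDevices entries: {errors}")
    return devices


def build_2f_devices(devices):
    """Validate a list of device dicts and serialize it, storing epoch as a string like the examples."""
    out = []
    for dev in devices:
        problems = validate_device(dev)
        if problems:
            raise ValueError(f"{dev.get('name')!r}: {problems}")
        entry = dict(dev)
        entry["epoch"] = str(int(entry["epoch"]))
        out.append(entry)
    return json.dumps(out)


def prune_expired(devices, max_age_seconds, now=None):
    """Drop devices registered more than max_age_seconds ago.

    Assumed policy for illustration: LLNG's own expiry handling is configured in
    the Portal and is not reproduced here.
    """
    now = time.time() if now is None else now
    return [d for d in devices if now - int(d["epoch"]) <= max_age_seconds]


if __name__ == "__main__":
    devices = parse_2f_devices(SAMPLE_2F_DEVICES)
    print(build_2f_devices(devices))
    print([d["name"] for d in prune_expired(devices, 1000, now=1524078936 + 100)])
```

Run it against the real attribute value read from your directory before writing it back; a ValueError names the offending array index and the missing field, which is far easier to debug than a login that simply never offers the second factor.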
To develop a new 2FA plugin, read the Lemonldap::NG::Portal::Main::SecondFactor (3pm) manpage. Your 2F module must be a Perl class named Lemonldap::NG::Portal::2F::<custom_name>. To enable it, set the available2F key in your lemonldap-ng.ini file:

[portal]
available2F = U2F,TOTP,<custom_name>

To enable the manager Second Factor Administration Module, set the enabledModules key in your lemonldap-ng.ini file:

[portal]
enabledModules = conf, sessions, notifications, 2ndFA