SlideShare a Scribd company logo

[Pass The SALT 2018] Second factor authentication in LemonLDAP::NG

Worteks, profile picture
Worteks

This document summarizes multi-factor authentication (MFA) and its implementation in LemonLDAP::NG. MFA requires two or more factors of authentication, such as something you know (password), have (token), or are (biometrics). LemonLDAP::NG allows adding a second authentication step via one-time passwords (TOTP), Universal 2nd Factor (U2F) security keys, or external programs. Users can self-register and manage their MFA settings, and administrators can view current MFA sessions.

Software
Related topics:
Information Security Free Software
1 of 19
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Second factor authentication in LemonLDAP::NG Pass the SALT 2018 Xavier GUIMARD Clément OUDOT
MFA / 2FA / OTP / U2F ?
Multi Factor Authentication Multi-factor authentication (MFA) is a method of confrming a user's claimed identity in which a user is granted access only after successfully presenting 2 or more pieces of evidence (or factors) to an authentication mechanism: ● knowledge (something they and only they know) ● possession (something they and only they have) ● inherence (something they and only they are) Definition from Wikipedia
Why you need it ● Passwords are still the main security token used to authenticate ● With GPU and rainbow tables it is more and more easy to crack a password ● A password base can be stolen ● Second factor authentication is hype (see Twitter, Github, LinkedIn...)
One-Time Password ● One-Time Password (OTP) is a password that is valid for only one login session or transaction ● Two standards: – HOTP (RFC 4226): HMAC-Based One-Time Password – TOTP (RFC 6238): Time-Based One-Time Password ● Rely on a secret shared between user and server
TOTP ● Shared secret key K ● T0: start time ● TI: time interval ● Time Counter TC = foor((unixtime(now) − unixtime(T0)) / TI) ● TOTP = Truncate( SHA1(K 0x5c5c… SHA1(K⊕ ∥ 0x3636… TC)) ) & 0x7FFFFFFF⊕ ∥ ● TOTP Value = TOTP mod 10d, where d is the desired number of digits of the one-time password
Using a TOTP ● Registration on client: shared key can be registered manually or using a QR code ● Server associates shared secret to user ● At next authentication, TOTP value is computed by client and server
Universal Second Factor ● Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifes two-factor authentication using specialized USB or NFC devices. ● Managed by FIDO Alliance https://fdoalliance.org/ ● Support in modern browsers: – Chrome/Chromium ≥ 38 – Firefox: ● 38 to 56 with U2F Support Add-on ● 57 to 59, with “security.webauth.u2f” set to “true” in “about:confg” ● probably enabled by default for versions ≥ 60 – Opera ≥ 40
Using U2F ● Registration: Token generates private/public keys and a handle and send public key and handle to server ● The server associates the public key and the handle to user ● At next authentication, server sends the handle and a crypto challenge and the U2F token signs the challenge and sends it back
[Pass The SALT 2018] Second factor authentication in LemonLDAP::NG
[Pass The SALT 2018] Second factor authentication in LemonLDAP::NG
Implementation in LemonLDAP::NG
LemonLDAP::NG ● WebSSO, Access Control and Identity Provider ● Apache, Nginx, Node.js, Plack support ● Default protection by Handler, identity forwarded trough HTTP headers ● Standard protocols: CAS, SAML and OpenID Connect ● Self services (password change, password lost, account registration) ● GPL License ● https://lemonldap-ng.org
2FA implementation ● New feature for 2.0 major version ● Possibility to add a second authentication step to any current authentication method ● A lot of possibilities to ask a second factor: – U2F tokens – TOTP (to use with FreeOTP, Google-Authenticator,…) – U2F-or-TOTP (enable both U2F and TOTP) – Yubikey tokens provide by Yubico – REST (Remote REST app) – External 2F (to call an external command)
Ask for second factor
User self registration
User self management
2FA sessions explorer
[Pass The SALT 2018] Second factor authentication in LemonLDAP::NG

More Related Content

PPT
MQTT security
Anthony Chow
 
PDF
The Easy Way to Secure Microservices
Michael Hofmann
 
PDF
Last mile authentication problem: Exploiting the missing link in end-to-end s...
Priyanka Aash
 
PDF
FIPS 140-2 Validations in a Secure Enclave
wolfSSL
 
PDF
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
Worteks
 
PDF
wolfSSL and TLS 1.3
wolfSSL
 
PPSX
Secure socket layer
Nishant Pahad
 
PPTX
Bitcoin cryptography
Vadym Hrusha
 
MQTT security
Anthony Chow
 
The Easy Way to Secure Microservices
Michael Hofmann
 
Last mile authentication problem: Exploiting the missing link in end-to-end s...
Priyanka Aash
 
FIPS 140-2 Validations in a Secure Enclave
wolfSSL
 
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
Worteks
 
wolfSSL and TLS 1.3
wolfSSL
 
Secure socket layer
Nishant Pahad
 
Bitcoin cryptography
Vadym Hrusha
 

Similar to [Pass The SALT 2018] Second factor authentication in LemonLDAP::NG (20)

PPTX
Google authentication
NexThoughts Technologies
 
PDF
The OpenID Connect Protocol
Clément OUDOT
 
PPTX
Fido U2F Protocol by Ather Ali
OWASP Delhi
 
PPTX
Fido U2F PROTOCOL
Ather Ali
 
PPTX
DFIR Training: RDP Triage
Christopher Gerritz
 
PDF
OpenID Connect Explained
Vladimir Dzhuvinov
 
PPTX
Digital authentication
allanh0526
 
PDF
WebAuthn & FIDO2
Leonard Moustacchis
 
PPTX
Security Best Practices for Your Ignition System
Inductive Automation
 
PDF
FIDO U2F 1.0 Specs: Overview and Insights
FIDO Alliance
 
PPTX
OpenId Connect Protocol
Michael Furman
 
PDF
Securing Your Resources with Short-Lived Certificates!
All Things Open
 
PDF
Industry Best Practices for SSH Access
DevOps.com
 
PDF
Industry Best Practices For SSH - DevOps.com Webinar
Teleport
 
PDF
Creating OTP with free software
Giuseppe Paterno'
 
PDF
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
WSO2
 
PDF
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
apidays
 
PDF
Fast IDentity Online New wave of open authentication standards
.NET Crowd
 
PDF
FIDO2 and Microsoft
FIDO Alliance
 
PDF
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CloudIDSummit
 
Google authentication
NexThoughts Technologies
 
The OpenID Connect Protocol
Clément OUDOT
 
Fido U2F Protocol by Ather Ali
OWASP Delhi
 
Fido U2F PROTOCOL
Ather Ali
 
DFIR Training: RDP Triage
Christopher Gerritz
 
OpenID Connect Explained
Vladimir Dzhuvinov
 
Digital authentication
allanh0526
 
WebAuthn & FIDO2
Leonard Moustacchis
 
Security Best Practices for Your Ignition System
Inductive Automation
 
FIDO U2F 1.0 Specs: Overview and Insights
FIDO Alliance
 
OpenId Connect Protocol
Michael Furman
 
Securing Your Resources with Short-Lived Certificates!
All Things Open
 
Industry Best Practices for SSH Access
DevOps.com
 
Industry Best Practices For SSH - DevOps.com Webinar
Teleport
 
Creating OTP with free software
Giuseppe Paterno'
 
[APIdays INTERFACE 2021] The Evolution of API Security for Client-side Applic...
WSO2
 
INTERFACE, by apidays - The Evolution of API Security by Johann Dilantha Nal...
apidays
 
Fast IDentity Online New wave of open authentication standards
.NET Crowd
 
FIDO2 and Microsoft
FIDO Alliance
 
CIS14: An Overview of FIDO’s Universal 2nd Factor (U2F) Specification
CloudIDSummit
 
Ad

More from Worteks (20)

PDF
[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
Worteks
 
PDF
[Identity Days 2021] W'IDaaS - Identity as a Service
Worteks
 
PDF
[Identity Days 2021] Quel avenir pour OpenLDAP ?
Worteks
 
PDF
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
Worteks
 
PDF
[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares
Worteks
 
PDF
[AFUP Lyon 2021] LDAP Tool Box Self Service Password
Worteks
 
PDF
[OpenDay 2021] Logiciel libre, entreprises et modèles économiques
Worteks
 
PDF
[Campus du Libre 2020] Présentation de la solution W'Sweet
Worteks
 
PDF
[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...
Worteks
 
PDF
[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet
Worteks
 
PDF
[Pass the SALT 2020] Understand password policy in OpenLDAP and discover tool...
Worteks
 
PDF
[OW2online 2020] LDAP Synchronization Connector
Worteks
 
PDF
[Aperhologramme 2020] Comment faire du logiciel libre ?
Worteks
 
PDF
[POSS 2019] OVirt and Ceph: Perfect Combination.?
Worteks
 
PDF
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
Worteks
 
PDF
[POSS 2019] TLS for Dummies
Worteks
 
PDF
[POSS 2019] Learn AWK in 15 minutes
Worteks
 
PDF
[LDAPCon 2019] The FusionIAM initiative
Worteks
 
PDF
[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...
Worteks
 
PDF
[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...
Worteks
 
[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
Worteks
 
[Identity Days 2021] W'IDaaS - Identity as a Service
Worteks
 
[Identity Days 2021] Quel avenir pour OpenLDAP ?
Worteks
 
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
Worteks
 
[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares
Worteks
 
[AFUP Lyon 2021] LDAP Tool Box Self Service Password
Worteks
 
[OpenDay 2021] Logiciel libre, entreprises et modèles économiques
Worteks
 
[Campus du Libre 2020] Présentation de la solution W'Sweet
Worteks
 
[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...
Worteks
 
[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet
Worteks
 
[Pass the SALT 2020] Understand password policy in OpenLDAP and discover tool...
Worteks
 
[OW2online 2020] LDAP Synchronization Connector
Worteks
 
[Aperhologramme 2020] Comment faire du logiciel libre ?
Worteks
 
[POSS 2019] OVirt and Ceph: Perfect Combination.?
Worteks
 
[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG
Worteks
 
[POSS 2019] TLS for Dummies
Worteks
 
[POSS 2019] Learn AWK in 15 minutes
Worteks
 
[LDAPCon 2019] The FusionIAM initiative
Worteks
 
[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...
Worteks
 
[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...
Worteks
 
Ad

Recently uploaded (20)

PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PPTX
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PDF
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
System and Network Administration Chapter 2
jaramharo
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
Embracing Complexity in Serverless! GOTO Serverless Bengaluru
SheenBrisals
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Introduction Database Management System for Course Database
ReinertYosua
 
wealthsignaloriginal-com-DS-text-... (1).pdf
skmiani786
 

[Pass The SALT 2018] Second factor authentication in LemonLDAP::NG

  • 1. Second factor authentication in LemonLDAP::NG Pass the SALT 2018 Xavier GUIMARD Clément OUDOT
  • 2. MFA / 2FA / OTP / U2F ?
  • 3. Multi Factor Authentication Multi-factor authentication (MFA) is a method of confrming a user's claimed identity in which a user is granted access only after successfully presenting 2 or more pieces of evidence (or factors) to an authentication mechanism: ● knowledge (something they and only they know) ● possession (something they and only they have) ● inherence (something they and only they are) Definition from Wikipedia
  • 4. Why you need it ● Passwords are still the main security token used to authenticate ● With GPU and rainbow tables it is more and more easy to crack a password ● A password base can be stolen ● Second factor authentication is hype (see Twitter, Github, LinkedIn...)
  • 5. One-Time Password ● One-Time Password (OTP) is a password that is valid for only one login session or transaction ● Two standards: – HOTP (RFC 4226): HMAC-Based One-Time Password – TOTP (RFC 6238): Time-Based One-Time Password ● Rely on a secret shared between user and server
  • 6. TOTP ● Shared secret key K ● T0: start time ● TI: time interval ● Time Counter TC = foor((unixtime(now) − unixtime(T0)) / TI) ● TOTP = Truncate( SHA1(K 0x5c5c… SHA1(K⊕ ∥ 0x3636… TC)) ) & 0x7FFFFFFF⊕ ∥ ● TOTP Value = TOTP mod 10d, where d is the desired number of digits of the one-time password
  • 7. Using a TOTP ● Registration on client: shared key can be registered manually or using a QR code ● Server associates shared secret to user ● At next authentication, TOTP value is computed by client and server
  • 8. Universal Second Factor ● Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifes two-factor authentication using specialized USB or NFC devices. ● Managed by FIDO Alliance https://fdoalliance.org/ ● Support in modern browsers: – Chrome/Chromium ≥ 38 – Firefox: ● 38 to 56 with U2F Support Add-on ● 57 to 59, with “security.webauth.u2f” set to “true” in “about:confg” ● probably enabled by default for versions ≥ 60 – Opera ≥ 40
  • 9. Using U2F ● Registration: Token generates private/public keys and a handle and send public key and handle to server ● The server associates the public key and the handle to user ● At next authentication, server sends the handle and a crypto challenge and the U2F token signs the challenge and sends it back
  • 13. LemonLDAP::NG ● WebSSO, Access Control and Identity Provider ● Apache, Nginx, Node.js, Plack support ● Default protection by Handler, identity forwarded trough HTTP headers ● Standard protocols: CAS, SAML and OpenID Connect ● Self services (password change, password lost, account registration) ● GPL License ● https://lemonldap-ng.org
  • 14. 2FA implementation ● New feature for 2.0 major version ● Possibility to add a second authentication step to any current authentication method ● A lot of possibilities to ask a second factor: – U2F tokens – TOTP (to use with FreeOTP, Google-Authenticator,…) – U2F-or-TOTP (enable both U2F and TOTP) – Yubikey tokens provide by Yubico – REST (Remote REST app) – External 2F (to call an external command)
  • 15. Ask for second factor