Multi-factor Authentication
ProxyIdP offers multi-factor authentication (MFA) using verification codes from an authenticator app (TOTP) and security keys (WebAuthn). Users may also generate backup OTP codes for regaining access in case they lose their tokens. MFA is only performed when it is required by the service or enabled (forced) by the user.
Verification Codes (TOTP)
Time-based one-time password (TOTP) is a standard method for generating one-time verification codes, described in RFC 6238 and used by many commercial services. The TOTP app shares a secret key with the server and derives from it, together with the current time, numeric codes that expire after a short interval. The most common setting is 6-digit codes valid for 30 seconds.
You may know this method by many alternative names, including “code from verification app”, “authentication code”, “code from authentication app”, “6 digit code from code generator”, “code from Google Authenticator” or “verification code from the Google Authenticator app”.
The advantage of this method is its versatility - you can copy the one-time code from the app on your smartphone into another app, type it on your PC or even on a smart TV. The only requirement the device you want to authenticate on needs to fulfill is the ability to enter digits.
You can use any authenticator (TOTP) app with ProxyIdP, for example Microsoft Authenticator, one of those listed below, or the TOTP capability of your password manager (e.g. Bitwarden, 1Password, Keychain).
Authenticator Apps Overview
Name | Author | Download | Open Source | Export/backup |
Microsoft Authenticator | | | no | Microsoft account |
Aegis Authenticator | | | | file, Android |
Raivo OTP | | | | file, iCloud |
2fast | | | | file |
Security Key (WebAuthn)
WebAuthn, short for Web Authentication API, is a modern standard created by the W3C and FIDO. This method offers a high level of security while protecting the user’s privacy, and it is easy to use. Verification is based on asymmetric cryptography and a challenge-response mechanism, and it has built-in phishing protection. WebAuthn support is often part of the operating system, so most users do not need to install anything on most devices.
You may know this method by different names, including “FIDO2”, “U2F”, “security key verification”, or “universal second factor”.
The advantage of this method is its simplicity - users do not need to grab their smartphone, open an app and type in a code; they just confirm the authentication, e.g. by pressing a button or using a fingerprint. ProxyIdP allows users to register several devices and to use a different authentication method on each one, depending on the device’s capabilities.
In order to use WebAuthn, one of the supported web browsers has to be used together with the operating system capability, an app or a physical key (e.g. a YubiKey). All web browsers officially supported by ProxyIdP support security keys.
TouchID (or FaceID) cannot be used in Firefox on macOS.
For more details, check out webauthn.io and webauthn.me.
Operating Systems Which Can Be Used as a Security Key
Windows 10+ (Windows Hello)
macOS 10.15+ (only in some browsers, depending on the version)
Android 7+ (a screen lock must be set - e.g. a fingerprint or face recognition)
Using macOS as a security key in Safari is possible only if the device has Touch ID or Face ID. In some cases, the security key cannot be used in a private window.
Applications Which Can Be Used as a Security Key
The Linux operating system does not include a security key capability. Linux users can use tpm-fido, which emulates a security key and stores the private keys securely in the TPM.
The computer has to have a TPM, and the web browser must not run with restricted permissions (e.g. as a snap package), so that it can access the emulated USB device.
Another option is to use a password manager with security key capability, for example Dashlane.
Physical Security Keys Which We Have Tested
YubiKey (Yubico)
Idem Key (GoTrust)
Feitian
SoloKey
OnlyKey
ProxyIdP should work with any security key which adheres to the WebAuthn standard, but we recommend using FIDO2 certified products.
There are several ways to connect a physical key, depending on the combination of key and device. Most keys offer a USB connection (USB-A or USB-C); a Lightning connector is rare. Wireless communication is usually based on NFC, sometimes on Bluetooth.
MFA Profile
REFEDS (the Research and Education FEDerations group) defines a Multi-Factor Authentication profile which provides a set of recommendations and best practices, with their explanations, for facilitating unambiguous communication between the SP (service provider) and the IdP (identity provider) when MFA is required by the SP.
A service provider is an application providing access to services or resources which need to be protected using MFA. An identity provider, on the other hand, is a component able to perform the MFA and return a claim containing the result of the authentication.
ProxyIdP acts as an IdP in this exchange. The SP triggers MFA using REFEDS MFA profile and checks whether it was performed successfully based on the claims returned by the IdP in the SAML 2 message.
The profile specifies what is considered sufficient MFA on the side of the IdP, how the SP should initiate the request for MFA with the IdP, what the content and order of the communication messages should be, and what the possible paths in this authentication process are. Part of the profile is the definition of a SAML authentication context for communication between the SP and the IdP.
Further information about the individual steps of the process, including the messages used to request the IdP to perform MFA, the possible return values based on the authentication result, and the configuration of MFA enforcement, can be found in the SP portion of the FAQ. Specific information on how to set up MFA enforcement on ProxyIdP using the REFEDS MFA profile is provided in the just-in-time provisioning section.
General information about the MFA profile can be found on the REFEDS website, and a more detailed description of the concept can be found in the MFA profile FAQ section.
Support: perun@cesnet.cz