Skip to content
mchyzer edited this page May 23, 2013 · 6 revisions

Welcome to Open Two Factor, the open-source two factor system. It is based on the OATH protocol, and can use any OATH based tokens like Google Authenticator (smart phone application), or Yubikey or keyfobs.

Overall architecture

The server which runs the UI and WS is a Java webapp that uses hibernate to talk to Oracle, MySQL, or Postgres. Users can manage their information in the UI (e.g. provision their secret, contact information, see history, etc). The SSO authentication system

Open Two Factor Web Service

This Java webapp will take a request from an SSO and decide if the user requires two factor, or if the two factor code is correct. The web service is RESTful and can use JSON or XML formatting.

Open Two Factor UI

This Java webapp allows users to manage their two factor secret, print out scratch codes for their wallet, manage the profile information (email address, phone numbers, etc). Users can also see audit information about their actions. Admins can use the UI to manage end users.

Open Two Factor Client

The client is a Java jar that can speak the WS protocol (JSON or XML), and can be used as a command line utility.

Open Two Factor PAM

The Pluggable Authentication Module is a C program which called the Java client to see if the credentials are correct. Note, not all users need to be two factor users. Currently, if you are a two factor user, you need to enter your password in the form: myPass||123456

Load the PAM high in the chain, and it will change the pass for the underlying PAM's. This works for SSH, sudo, etc. Note: if using for SSH, you can still use public key authn and bypass two factor.

Here is a movie demonstration

Authentication methods

Generally users will use the free Google Authenticator smart phone app. This does not communicate with any server, it is a standalone app. It is provisioned with the Open Two Factor UI via QR code.

You can use a keyfob such as yubikey or deepnetsecurity keychain or wallet tokens. Those have been successfully tested and integrated. Others should work, such as seamoon. OATH tokens can be time based (TOTP) or sequential (HOTP). TOTP can be 20, 30, or 60 second intervals. TOTP is recommended.

If the primary phone/token is not available, users can have scratch codes printed out in their wallet, which can be used sequentially.

If the primary phone/token/scratch codes are not available, the user can go to the UI and get a temporary 6 digit code sent to their phone via text or voice. This uses a pluggable interface, which is implemented for twilio, smsmatrix, or both in a failover mode (recommended). These services are inexpensive and easy to setup.

If all else fails, the user can have previously identified colleagues opt them out of two factor.

All of these methods are an attempt to make this system as self-service as possible.

Clone this wiki locally