On Thu, Jan 24, 2013 at 09:05:39AM -0800, Toshio Kuratomi wrote:
- I know that implementing 2fa to log into fas will cause a lot of breakage that we'll have to fix before we deploy:
- session cookie for fas would have to change so you don't have SSO between FAS and other apps.
Wouldn't it be enough to add a field to the session data that stores whether 2FA has been used or not? Then SSO is still possible from FAS to other apps, but if a valid session is provided, FAS might only ask for a valid token value.
- python-fedora api would need to be modified so it can log into fas.
- web apps would need to be modified so they could log into fas with/without 2fa
You could allow to just concatenate the password and hardware token values and submit this as the new password. I believe this is often implemented with RSA tokens, where a PIN and the current token value need to be provided as password.
Regards Till