Successful two factor authentication is a matter of smooth workflows
Thanks to Google, Facebook and a lot of other public services, two-factor authentication (2FA) or multi-factor authentication is known to a lot of users today. But sometimes this leads to an oversimplified view of 2FA.
Two-factor authentication is not simply a matter of rolling out Google Authenticator to the user. Roughly 50% of the Twitter hashtag #2FA is about users complaining to services that they fail to reset their second factor, or about similar problems.
2FA has arrived at the masses, but the job has often been done badly.
2FA done right
2FA is done right if it annoys neither users, administrators nor management.
The open source authentication system privacyIDEA can help to fulfill this task. privacyIDEA is a management system for many different kinds of authentication objects (tokens), ranging from email, SMS and smartphone apps through hardware key fob tokens and Yubikeys to virtual tokens like the four-eyes principle or the management of SSH keys.
It runs on premises and integrates into your existing infrastructure, managing tokens for users in SQL databases, LDAP directories or Active Directory. Applications can make use of 2FA via standard protocols like PAM, RADIUS, LDAP or SAML, or via the simple REST API.
In this talk we will take a deeper look at the integrated event handler framework, which allows the administrator to automate all tasks and, in particular, to trigger new actions when certain events occur.
This way privacyIDEA can easily integrate into any workflow. For example, it can be triggered by the user management system and then communicate with the campus printing service to add all necessary 2FA information to be shipped with the initial welcome letter for students. Token attributes can be adapted automatically, administrators or users can be notified in case of any event, and the token janitor can take care of the housekeeping of all authentication objects.
Finally, successful two-factor authentication becomes a matter of how smooth your workflows are and of most things happening automagically.