Multi-factor Authentication for the IAM
Sam Glendenning, STFC
What is MFA?
- Providing an additional login factor to verify your identity
- One-time usage passcode or hyperlink

Why so important?
- Login credentials alone may not be enough for account security
- The IAM protects:
  - Sensitive accounts
  - Important online infrastructure
  - Sensitive research data
Objectives for MFA in the IAM
- Easily enabled on any new or existing IAM instantiation
- Customisable by an IAM admin based on wants and needs
- Safe and secure
- Adoptable by everyone
Workflow
- Individual users may decide whether or not they want MFA to be enabled on their account
- However, an IAM administrator may enforce MFA on all of their user accounts if they wish
- Once implemented, users will enable MFA in their account settings
- They can then control their MFA settings through their account settings page
Multi-factor secret key
- MFA will initially be available through the use of an authenticator app for mobile devices
- Examples include Google Authenticator, Microsoft Authenticator, Authy, etc.
- These apps allow a QR code containing an MFA secret (plus additional account details) to be scanned and imported through the device's camera (alternatively, the user can manually enter this information)
- This secret can then be used by the app to generate time-based one-time passwords every 30 seconds
- The IAM also possesses this secret, so both the user's app and the IAM generate the same passwords at the same time
- Thus, this can be used for verification of the user
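The shared-secret scheme described on this slide is standard TOTP (RFC 6238, built on RFC 4226 HOTP). The following Python is an added, self-contained illustration of what the server side has to do; it is not the IAM's Java code and assumes the defaults the named authenticator apps use (HMAC-SHA1, 6 digits, 30-second step). The otpauth URI is what an enrolment QR code typically carries; the account name and issuer in the usage block are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

# Defaults shared with the common authenticator apps: HMAC-SHA1, 6 digits, 30-second step.
STEP_SECONDS = 30
DIGITS = 6


def generate_secret(nbytes: int = 20) -> str:
    """Fresh random secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def otpauth_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The string an enrolment QR code carries: the secret plus account details."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def _decode_secret(secret_b32: str) -> bytes:
    # Apps usually strip base32 padding; restore it before decoding.
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    now = time.time() if at is None else at
    return hotp(_decode_secret(secret_b32), int(now) // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str,
                at: Optional[float] = None, window: int = 1) -> bool:
    """Accept the code for the current window plus `window` steps either side (clock drift)."""
    now = time.time() if at is None else at
    key = _decode_secret(secret_b32)
    counter = int(now) // STEP_SECONDS
    ok = False
    for delta in range(-window, window + 1):
        # Compare every candidate so timing does not reveal which step matched.
        if hmac.compare_digest(hotp(key, counter + delta), submitted):
            ok = True
    return ok


if __name__ == "__main__":
    secret = generate_secret()
    # Constructed account and issuer for the demo; a real IAM would use the user's identity.
    print(otpauth_uri(secret, "alice@example.org", "IAM"))
    code = totp(secret)
    print(code, verify_totp(secret, code))
```

The `window` argument is the usual concession to clock drift between the phone and the server; keeping it at one step on each side limits how many codes are valid at once. Both sides hold the same secret, so the server-side secret needs the same protection as a password hash would (the "Information Security" slide addresses this).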
Recovery codes
- To prevent account lockout in the event of the user losing access to their mobile device, emergency scratch codes are generated for the user's account
- These are single-use passwords used in conjunction with the main account password to restore access
- They are regenerated when used and can be regenerated whenever the user wishes
- Scratch codes can be viewed at any time in the account settings
Information Security
- Multi-factor secrets and emergency scratch codes are stored in a secure database
- All sensitive information is hashed and/or encrypted to a high standard
- Users have control over their multi-factor settings
  - Can enable/disable MFA as they please (if their federation allows it)
  - Can regenerate scratch codes at their leisure
- Accounts will be locked after a number of failed attempts
- Step-up authentication: prompt for another one-time passcode if performing certain actions
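The "Recovery codes" and "Information Security" slides together describe single-use scratch codes that are stored hashed and a lockout after repeated failures. The Python below is an added illustration of one way to implement both; it is not the IAM's code. It assumes a per-account store, a slow salted hash (PBKDF2 here, since short codes are cheap to brute-force from a leaked table), and an injectable clock so the lockout can be exercised deterministically; the alphabet and code length are constructed choices.

```python
import hashlib
import hmac
import secrets

# Alphabet without easily confused characters (0/O, 1/l/I); a constructed choice, not the IAM's.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


class ScratchCodes:
    """Single-use emergency codes for one account. Only salted hashes are kept."""

    def __init__(self, count: int = 10, length: int = 10, iterations: int = 50_000):
        self.count = count
        self.length = length
        self.iterations = iterations
        self._entries = []  # each: {"salt": bytes, "hash": bytes, "used": bool}

    def _hash(self, code: str, salt: bytes) -> bytes:
        # Deliberately slow: a leaked table of hashes must not be cheap to invert.
        return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), salt, self.iterations)

    def regenerate(self) -> list:
        """Replace all codes. The plaintext list is returned once for display and never stored."""
        plaintext = ["".join(secrets.choice(CODE_ALPHABET) for _ in range(self.length))
                     for _ in range(self.count)]
        self._entries = []
        for code in plaintext:
            salt = secrets.token_bytes(16)
            self._entries.append({"salt": salt, "hash": self._hash(code, salt), "used": False})
        return plaintext

    def redeem(self, submitted: str) -> bool:
        """Consume a code. Returns True on a match; a matched code cannot be used again."""
        matched = None
        for entry in self._entries:
            # Hash against every unused entry so timing does not reveal which slot matched.
            if not entry["used"] and hmac.compare_digest(
                    self._hash(submitted, entry["salt"]), entry["hash"]):
                matched = entry
        if matched is None:
            return False
        matched["used"] = True
        return True

    def remaining(self) -> int:
        return sum(1 for e in self._entries if not e["used"])


class LoginLock:
    """Locks an account for lock_seconds after max_failures consecutive failed attempts."""

    def __init__(self, max_failures: int = 5, lock_seconds: int = 900):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.failures = 0
        self.locked_until = 0.0

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until

    def record(self, success: bool, now: float) -> bool:
        """Feed the outcome of one attempt; returns True only if the attempt is accepted."""
        if self.is_locked(now):
            return False
        if success:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lock_seconds
            self.failures = 0
        return False


def redeem_with_lockout(codes: ScratchCodes, lock: LoginLock, submitted: str, now: float) -> bool:
    """Second-factor recovery step: refuse outright while locked, otherwise try the code."""
    if lock.is_locked(now):
        return False  # do not even consume a valid code during the lockout window
    return lock.record(codes.redeem(submitted), now)


if __name__ == "__main__":
    store, lock = ScratchCodes(), LoginLock()
    shown_once = store.regenerate()
    print("codes to display to the user:", shown_once)
    print("redeem:", redeem_with_lockout(store, lock, shown_once[0], now=0.0))
    print("replay:", redeem_with_lockout(store, lock, shown_once[0], now=1.0))
```

Checking the lock before hashing keeps a locked account from burning CPU on each rejected attempt, and the lockout is reset on success so an occasional typo does not accumulate towards it.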
Current progress
- I am the primary developer implementing multi-factor authentication in the IAM.
- Main work so far is a basic prototype of a user login system using multi-factor authentication and scratch codes
  - Java Spring Boot framework (highly customisable and flexible)
  - Entirely localised authentication (no need for external APIs for code verification or QR code generation)
  - MFA using a soft token through an authenticator app
  - Accounts can choose to enable or disable MFA
- This can then be implemented into the IAM codebase
Targets (not necessarily in this order)
- Implement prototype work into the IAM codebase
- Solution needs to be flexible to allow:
  - Expansion of supported factors of authentication (email, YubiKey, WebAuthn, etc.)
  - Individual identity providers to customise their MFA setup (if they choose to enable MFA at all)
- Analyse solution for security flaws and carry out risk assessments
- Document and test
- Communicate with end users to gather thoughts and feedback
- Release in a few months
Questions?
- Facebook: Science and Technology Facilities Council
- Twitter: @STFC matters
- YouTube: Science and Technology Facilities Council