SeeDk
2FA solution for Apache Web Site?

Am looking for 2FA solution meeting these requirements:

1. 2FA, but with one-time authentication per device.

2. On the same device, prompted only once to present both sets of credentials.

3. That device is no longer prompted for all time.

Is there an Apache solution for this? I have looked at a few things like Google Auth, but I'm not sure it would work well with these requirements.
Steve Bink
What are you trying to protect? Is this a web site, or access to the server itself?

Apache is the web service, and typically is not responsible for this sort of authentication. This is usually part of the web application you're running. Do you use a CMS?
noci
Do you mean Apache as the project, or Apache as the web server of the Apache project?
The latter has little or nothing to do with authentication. (Yes, it will handle a simple case like basic authentication, just using .htaccess / .htpasswd files; this will show as a pop-up in a browser.)
Most authentication is implemented in web services though, and shown as part of the content of a web service.
I think you are looking for something called OAuth (Open Authentication).

The Apache Project has OLTU: https://oltu.apache.org/ as an OAuth implementation.

From a web service one can use any OAuth (if agreed upon) to authenticate. That is why you can use Google/FB/GitHub based logins on other services.
As the server, you can implement ANY authentication requirement you want, without bothering the web service.
So your OAuth service can use 2FA etc.

BTW, 2FA can be a minefield. E.g. if you use SMS authentication, then web access from a smartphone that will receive the SMS is NOT 2FA; the SMS could be hijacked by a rogue app on the phone acting before the user can.
SeeDk (ASKER)
@Steve
Trying to protect access to the website.
No CMS used.
Currently it is using OpenSSL with certificate authentication to protect access.

@noci
Apache webserver.
Do these 2FA solutions automatically detect when the same device has been used, so it won't prompt the user after the first authentication?
How much overhead is involved in creating and maintaining accounts for users?

OAuth uses redirect URLs and cookies to communicate.
OpenSSL means you use SSL authentication (client certificates); that is effectively just the communication between the browser and the server (you can keep that).
Then you just need something that will handle another logon. That can be built into the web application if you like. Just don't be satisfied with the username given by the certificate.
OpenOTP might be a possibility; it should be able to handle additional things like YubiKey, security tokens or soft calculators on smartphones.

See also:
https://sourceforge.net/projects/openotp/

Support is available from RCDevs.
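As an added illustration (not code from this thread, from Apache or from OpenOTP), here is one way the application-side "remember this device" step from the reply above could work: once both factors have succeeded, the application issues an HMAC-signed device token bound to the fingerprint of the client certificate the TLS layer already verified, and later requests that present a valid token for the same user and certificate skip the second prompt. The function names, the key handling and the fingerprint source (the DER certificate mod_ssl can export to the application) are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

MAC_LEN = 32  # HMAC-SHA256 output length in bytes


def _mac(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the client certificate the TLS layer verified for this session."""
    return hashlib.sha256(cert_der).hexdigest()


def issue_device_token(key: bytes, username: str, fingerprint: str) -> str:
    """Issued once, after BOTH factors succeeded on this device.
    Binding the token to the certificate fingerprint means a copied cookie is
    useless on a device that cannot also present that client certificate."""
    claims = {"u": username, "c": fingerprint, "n": secrets.token_hex(8)}
    body = json.dumps(claims, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body + _mac(key, body)).decode()


def verify_device_token(key: bytes, token: str, username: str, fingerprint: str) -> bool:
    """True only if the token is intact and matches this user AND this certificate."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if len(mac) != MAC_LEN or not hmac.compare_digest(mac, _mac(key, body)):
        return False
    try:
        claims = json.loads(body)
    except ValueError:
        return False
    if not isinstance(claims, dict):
        return False
    return claims.get("u") == username and claims.get("c") == fingerprint


def second_factor_required(key: bytes, token, username: str, fingerprint: str) -> bool:
    """Per-request decision: prompt for the second factor only when no valid,
    certificate-bound device token accompanies the request."""
    return not (token and verify_device_token(key, token, username, fingerprint))
```

The server key is deliberately not generated in the block; it must come from configuration so tokens survive restarts, and rotating it is the way to force every remembered device to re-enrol.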