Two-Factor Authentication with OTP for portal user logins
Currently LemonLDAP-NG (as of 1.9.2) does not support Two-Factor Authentication using a combination of username + password + One Time Password/PIN (OTP).
It'd be good if lemonldap-ng supported, for example, SMS-OTP (a One Time Password/PIN delivered to a mobile phone by SMS), like this:
- User goes to lemonldap-ng login page and gets the usual prompt for username/password.
- After successful user/pass authentication, the user gets another dialog/form on the login web page with an "OTP" prompt (challenge), to enter the valid one-time password/PIN.
- If using SMS-OTP, the user now also gets an SMS message with the OTP in it delivered to their mobile phone.
- The user enters the OTP (response) from the SMS into the OTP form on the lemonldap-ng login page.
- When the user has entered the correct OTP, login is successful and the lemonldap session is started.
This can be implemented in the following way:
- Add Challenge-Response support to the lemonldap-ng AuthRadius plugin. Challenge-Response is a generic/standard method of implementing two-factor or multi-factor authentication with Radius. Challenge-Response also supports other types of OTP as well, not just SMS-OTP.
- Add Two-Factor / Multi-Factor support to the lemonldap-ng login page, so it can display multi-part login forms based on Challenge-Response results.
Basically, during the first phase of authentication (username/password entered), the radius server verifies the username/password. Normally it would respond with "Access Accept" for a successful authentication, but in the OTP case it replies with "Access Challenge" instead, which means LemonLDAP-NG should request additional information from the user. The radius server also includes the actual text that should be shown to the user (for example "Enter SMS-OTP"). The radius server, or its configured backend, also generates the actual one-time password/PIN and sends it to the user by SMS or some other method.
In the second phase of the authentication, LemonLDAP-NG sends the OTP to the radius server, and when the radius server verifies that the OTP is correct, the user authentication succeeds.
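The two-phase exchange described above, as an added example that is not LemonLDAP-NG or FreeRADIUS code: a constructed stand-in for a RADIUS server with an SMS-OTP backend, and the portal-side logic that reacts to Access-Challenge. Packets are plain dicts keyed by RADIUS attribute name (no wire encoding); the packet codes are the real RFC 2865 values, and the user database, OTP format and `portal_login`/`otp_prompt` names are assumptions for the illustration.

```python
import hmac
import secrets

# RADIUS packet codes from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11


class FakeRadiusOtpServer:
    """Constructed stand-in for a RADIUS server with an SMS-OTP backend.
    Packets are plain dicts keyed by attribute name; no wire encoding."""

    def __init__(self, users):
        self.users = users      # username -> password (constructed sample data)
        self.pending = {}       # State token -> (username, otp)
        self.sent_sms = []      # stands in for the SMS gateway

    def handle(self, request):
        user = request.get("User-Name")
        state = request.get("State")
        if state is None:
            # Phase 1: check the password; on success answer Access-Challenge
            if self.users.get(user) != request.get("User-Password"):
                return {"code": ACCESS_REJECT}
            otp = f"{secrets.randbelow(10**6):06d}"
            state = secrets.token_hex(16)   # opaque, unguessable, echoed back by the client
            self.pending[state] = (user, otp)
            self.sent_sms.append((user, otp))
            return {"code": ACCESS_CHALLENGE, "State": state,
                    "Reply-Message": "Enter SMS-OTP"}
        # Phase 2: State must belong to a pending challenge for this user;
        # pop() makes each challenge single-use, so an OTP cannot be replayed
        pending = self.pending.pop(state, None)
        if pending is None or pending[0] != user:
            return {"code": ACCESS_REJECT}
        given = str(request.get("User-Password", "")).encode()
        if hmac.compare_digest(pending[1].encode(), given):
            return {"code": ACCESS_ACCEPT}
        return {"code": ACCESS_REJECT}


def portal_login(server, user, password, otp_prompt):
    """Two-phase login as the portal side would drive it.
    otp_prompt(message) stands in for the second login form and returns the user's OTP."""
    reply = server.handle({"User-Name": user, "User-Password": password})
    if reply["code"] == ACCESS_CHALLENGE:
        # The response goes in User-Password and the server's State is echoed unchanged
        otp = otp_prompt(reply.get("Reply-Message", "Enter OTP"))
        reply = server.handle({"User-Name": user, "User-Password": otp,
                               "State": reply["State"]})
    return reply["code"] == ACCESS_ACCEPT
```

A wrong password is rejected before any SMS is sent, and a State token is consumed on first use, so a second request carrying the same State and OTP is rejected.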
There are multiple Radius servers/products with support for Two-Factor Authentication with One Time Passwords/PINs. FreeRADIUS also supports this.