Open blcetux opened 2 years ago
Hmm, we do have basic building blocks for so-called authorisers that could be used to make one that would assert that more than one authentication mechanism has been used.
You can already define multiple and also log on to them when requesting a certificate. Currently the supported authentication mechanisms are authfile, authldap and authoidc.
I'm happy to accept PRs for adding more auth mechanisms. The complexity is that there needs to be a place to store the OTP seeds (for TOTP/HOTP). One possibility would be to introduce an authexternal mechanism that just calls some script/program to do the actual validation and to provide metadata.
Meanwhile in your use-case you could look into authoidc (OpenID Connect) to fully outsource the authentication part. I've tested that feature against Google and Microsoft's OIDC provider in Active Directory. Of course it's up to the OIDC provider to require MFA.
Hi,
Any chance to get MFA/OTP support?
Regards, Bruno Costa