jippi closed 14 years ago
The yubikey is only an additional factor for multifactor authentication. You can see the PAPE specs for more information on that: http://openid.net/specs/openid-provider-authentication-policy-extension-1_0.html#auth_policies
In its current state, this is just a proof of concept implementation.
Okay.
How big of a change would it be to check if the current_user.has_yubikey? and don't allow logins without the yubikey appended to the password? :) That would more or less fix the issue.. it's false security if you can use both your normal password and the password+yubikey :)
Like I said: Currently it's supposed to be an additional factor for multifactor authentication (if the relying party requires that) - so it isn't necessarily false security. We'd have to add a flag to the user profile so that the user can choose to always require password+yubikey.
That would be cool! :)
Go ahead if you like to implement it :)
I may give it a try, but I only have 2 months of experience with ruby / rails :)
Hey guys,
I already wanted to implement that feature myself. Maybe I will do it over the weekend ;-)
Greetz
Nice, thank you!
Awesome!
Done in 2c40481811166e346f7f331a736e69f3abbc24a3
Niiice!
Thanks 100^1000
great, thank you :)
Hi,
I have just got my yubikey, and I'm testing it with masquerade. It got associated just fine; however, even if I attach a yubikey to my account, I'm still able to log in with just my normal password...
So, I can log in both with just my password, or my password+yubikey.
I think it would make sense only to be able to log in with password+yubikey once an account has been associated with such.
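
The behaviour discussed in this thread, as an added sketch that is not masquerade's code and not the change in the commit referenced above: a per-account flag that makes the login check refuse a password on its own once a Yubikey is required. The `Account` fields, the method names and the `otp_verifier` callable (standing in for the request to the Yubico validation service) are assumptions, and the sample data is constructed.

```ruby
require 'openssl'

# Hypothetical account record; field names are assumptions, not masquerade's schema.
Account = Struct.new(:salt, :password_hash, :yubikey_id, :yubikey_required)

OTP_LENGTH = 44   # Yubico OTP: 12-char public ID followed by a 32-char one-time part
MODHEX_OTP = /\A[cbdefghijklnrtuv]{44}\z/

def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, OpenSSL::Digest.new('SHA256'))
end

def password_ok?(account, password)
  OpenSSL.fixed_length_secure_compare(hash_password(password, account.salt),
                                      account.password_hash)
end

# Splits "password+OTP" typed into one field; returns [password, otp_or_nil].
def split_secret(secret)
  tail = secret[-OTP_LENGTH, OTP_LENGTH]
  return [secret, nil] unless tail && secret.length > OTP_LENGTH && tail.match?(MODHEX_OTP)
  [secret[0...-OTP_LENGTH], tail]
end

# otp_verifier: callable standing in for the Yubico validation request (assumption).
def authenticate(account, secret, otp_verifier)
  # Without an associated key the whole input is treated as the password.
  password, otp = account.yubikey_id ? split_secret(secret) : [secret, nil]
  return :denied unless password_ok?(account, password)
  if otp
    # The OTP must come from the key bound to this account and pass validation.
    valid = otp[0, 12] == account.yubikey_id && otp_verifier.call(otp)
    return valid ? :password_and_yubikey : :denied
  end
  # With the flag set, a correct password alone is refused.
  account.yubikey_required ? :denied : :password_only
end

# Constructed sample data, not real credentials or a real OTP.
SALT = 'constructed-salt'
OTP  = 'ccccccdefghi' + 'bcdefghijklnrtuv' * 2
ACCEPT_ALL = ->(_otp) { true }

def sample_account(required)
  Account.new(SALT, hash_password('hunter2', SALT), OTP[0, 12], required)
end
```

The returned symbol also tells the caller which factors were actually used, which is what an OpenID provider needs in order to report multifactor authentication to a relying party truthfully.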