hashicorp / boundary

Boundary enables identity-based access management for dynamic infrastructure.
https://boundaryproject.io

MFA/2 factor authentication for un/pw auth method #867

Open ghakfoort opened 3 years ago

ghakfoort commented 3 years ago

It would be nice if 2 factor authentication can be used.

malnick commented 3 years ago

Hi @ghakfoort - thanks for the feature request. @PPacent can speak to this more thoroughly, but MFA capabilities will be available once we have OIDC auth support via the various OIDC providers. For example, you could leverage the MFA capabilities of Okta using their OIDC integration with Boundary.

covetocove commented 3 years ago

Hi @ghakfoort, as @malnick said we will address MFA by supporting authentication delegation to your identity provider (IDP) of choice. To do so, we'll first support an OIDC auth method in an upcoming release so that you can use your IDP to log into Boundary. Assuming your IDP supports MFA then you will be able to use that to log in to Boundary. We'll also look to add support for additional auth protocols in the future. Stay tuned!

khionu commented 3 years ago

I'd like to +1 integrated MFA, such as TOTP. My use case involves using Boundary to lock down an environment and provide a central means of authN/Z instead of dealing with end user pub keys and distributing other credentials that I generate. Additionally, my target audience is not a group that usually has the resources for identity providers. Username + Password + TOTP would be sufficient. Additionally, there is an existing Go library for OTP, so this could be mostly front-end work.

ideologysec commented 3 years ago

It would also be great to be able to enforce MFA as a requirement on the Boundary side, instead of just on the IdP side - not all IdPs are as granular as needed for gating access to various resources (i.e., enforce MFA for production, not required for development - can't be done in GSuite currently).

rileytg commented 3 years ago

^ agreed with @ideologysec. My use case involves federated IdPs which I have little to no control over. I would like to enforce MFA inside Boundary (even if that's in addition to IdP). Leveraging Vault's TOTP would meet my needs.
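
As an added illustration of the username + password + TOTP factor that khionu and rileytg ask for (this is example code written for this page, not Boundary's or Vault's implementation, and it does not use the Go OTP library khionu refers to): a self-contained RFC 6238 TOTP generator and verifier on the Go standard library. The function and type names (`decodeSecret`, `hotp`, `totp`, `Verifier`) are assumptions, and the secret is the RFC 6238 reference test key in the Base32 form an authenticator app would be enrolled with. Beyond code generation it shows the two server-side details that matter for the "enforce MFA inside Boundary" case: a bounded clock-skew window, and tracking the last consumed time step so that a code captured in transit cannot be replayed while it is still valid.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
)

const totpStep = 30 // seconds per time step, the RFC 6238 default used by authenticator apps

// decodeSecret turns the Base32 secret an authenticator app is enrolled with
// (unpadded, any case, optional spaces) back into the raw HMAC key.
func decodeSecret(encoded string) ([]byte, error) {
	clean := strings.ToUpper(strings.ReplaceAll(encoded, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(clean)
}

// hotp implements RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic
// truncation to a 31-bit integer, then reduction to the requested digit count.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp implements RFC 6238: HOTP with the counter derived from Unix time.
func totp(secret []byte, unixTime int64, digits int) string {
	return hotp(secret, uint64(unixTime/totpStep), digits)
}

// Verifier holds the per-user state a server needs: the shared secret and the
// last time step that produced an accepted code. Remembering that step is what
// stops a code that was captured in transit from being replayed inside its window.
type Verifier struct {
	secret   []byte
	digits   int
	skew     int   // accept codes from this many adjacent steps either side, for clock drift
	lastStep int64 // highest step already consumed; -1 means none yet
}

func NewVerifier(secret []byte, digits, skew int) *Verifier {
	return &Verifier{secret: secret, digits: digits, skew: skew, lastStep: -1}
}

// Verify reports whether code is valid for a step within the skew window that
// has not already been consumed. The comparison is constant time so a caller
// cannot learn how many leading digits matched; the loop never exits early.
func (v *Verifier) Verify(code string, unixTime int64) bool {
	current := unixTime / totpStep
	matched := int64(-1)
	for i := -v.skew; i <= v.skew; i++ {
		step := current + int64(i)
		if step <= v.lastStep {
			continue // already consumed, or older than a consumed code
		}
		expected := hotp(v.secret, uint64(step), v.digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			matched = step
		}
	}
	if matched < 0 {
		return false
	}
	v.lastStep = matched
	return true
}

func main() {
	// Constructed input: the RFC 6238 reference secret "12345678901234567890" in Base32.
	secret, err := decodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	fmt.Println("code at t=59:", totp(secret, 59, 8)) // RFC 6238 vector: 94287082
	v := NewVerifier(secret, 8, 1)
	fmt.Println("first use accepted:", v.Verify("94287082", 59))
	fmt.Println("replay accepted:", v.Verify("94287082", 59))
}
```

In a real deployment the `Verifier` state (secret and `lastStep`) lives in the user record rather than in memory, the secret is stored encrypted at rest, and failed attempts are rate limited per user, since a 6-digit code gives an online guesser a 1-in-a-million chance per try within the window.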

covetocove commented 2 years ago

Responding to this post publicly as it's gotten a few likes recently. Boundary users can configure MFA via an OIDC auth method. Boundary's OIDC auth methods allow user authentication via a delegated Identity Provider (IDP), such as Azure Active Directory or Okta. We recommend use of the OIDC auth method as MFA can be configured with your IDP. You can learn more about setting up MFA for Boundary via an OIDC provider in our learn tutorial here.

We will keep this post open to gauge community interest in adding native MFA support within Boundary to our username and password auth method to address scenarios where users don't want to authenticate via an external identity provider.

the-maldridge commented 1 year ago

@PPacent with the addition of LDAP auth I'm considering Boundary for a new use case where integrated MFA would be useful. I'm specifically looking at TOTP that could run fully on-prem, because the use case is to use Boundary as the final-layer break glass to be able to fix our edge routing equipment (which is why the access needs to be local), and since I'd be doing this via LDAP, I can't use MFA on my IdP (since I may be using the Boundary connection to recover that).

I could run Vault as an internet-facing OIDC provider to get around this and implement the MFA on that side, but that means running yet another Vault instance, and with very special config loaded into it to be internet facing.