OpenID Connect authentication in 0.9.14 and 2FA


Suncatcher16
The new release brought us the cool new authentication protocol OpenID Connect,
but also a new question I am going to touch on.
What is the most efficient (not redundant) strategy of authentication now?
OpenID Connect allows connecting with Google/Facebook/Live.com accounts,
which, in turn, provide 2FA ability. So is there any sense in combining Duo +
OpenID authentication methods? Isn't double 2FA redundant here?
The same question can be asked about DB-authentication: can we get rid of it
in favor of OpenID?
What is the most efficient scheme:
1. OpenID
2. OpenID + DB
3. OpenID + Duo
4. OpenID + Duo + DB

Some elements seem redundant to me, no?

We are not speaking here about the environments where OpenID is inaccessible
(corporate stuff) but considering the case of pure security where all
authentication methods are available.



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
Re: OpenID Connect authentication in 0.9.14 and 2FA

vnick
On Sun, May 13, 2018 at 7:35 AM, Suncatcher16 <[hidden email]> wrote:
> The new release brought us the cool new authentication protocol OpenID Connect,
> but also a new question I am going to touch on.
> What is the most efficient (not redundant) strategy of authentication now?

This depends on your environment, and what works in it.  The point is that there are options, so if you like or already use OpenID for authentication, you have that option with Guacamole.
 
> OpenID Connect allows connecting with Google/Facebook/Live.com accounts,
> which, in turn, provide 2FA ability. So is there any sense in combining Duo +
> OpenID authentication methods? Isn't double 2FA redundant here?

It certainly could be redundant, but it doesn't have to be.  If your OpenID provider implements 2FA/MFA, then it probably does not make any sense to have Duo enabled.  If your OpenID provider does not implement 2FA/MFA, then you may still want Duo.  You have choices.
 
> The same question can be asked about DB-authentication: can we get rid of it
> in favor of OpenID?
> What is the most efficient scheme:
> 1. OpenID
> 2. OpenID + DB
> 3. OpenID + Duo
> 4. OpenID + Duo + DB

Again, it depends on your configuration.  One thing that is important to note is that the OpenID and Duo modules do *not* provide any access to connections, so if you want connections in Guacamole (kind of useless without them), you'll have to layer in a module that supports those.  LDAP is an option and works well, but the JDBC module is probably the most robust for managing connections.

"Most efficient" is very subjective and specific to each use case, site, network, etc.  Choose the one that is best for you, that best secures your installation, and that offers your users the best experience.
 

> Some elements seem redundant to me, no?

Maybe.  It depends.  It's up to you.
 

> We are not speaking here about the environments where OpenID is inaccessible
> (corporate stuff) but considering the case of pure security where all
> authentication methods are available.


Even in corporate environments OpenID may be either accessible (for public OpenID providers, like Google, Yahoo!, etc.) or implemented within the network via an Intranet server of some sort, as there are plenty of products available to provide OpenID within a private network.

-Nick
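
The layering described in the reply above (OpenID Connect for login, the JDBC module for connections, no Duo because the second factor is left to the identity provider), shown as an added `guacamole.properties` example that is not part of the original thread. Property names are those documented for the guacamole-auth-openid and guacamole-auth-jdbc-mysql extensions; every hostname, client ID and credential is a constructed placeholder.

```properties
# guacamole.properties: OpenID Connect decides who the user is,
# the MySQL (JDBC) extension stores connections and permissions.
# All hostnames, IDs and credentials below are constructed placeholders.

# --- guacamole-auth-openid ---
openid-authorization-endpoint: https://idp.example.com/authorize
openid-jwks-endpoint: https://idp.example.com/.well-known/jwks.json
openid-issuer: https://idp.example.com
openid-client-id: guacamole-example-client
openid-redirect-uri: https://guac.example.com/guacamole/
# Claim from the ID token that becomes the Guacamole username
openid-username-claim-type: email

# --- guacamole-auth-jdbc-mysql ---
# Assumption: connections are granted to database users whose
# username matches the value of the OpenID username claim.
mysql-hostname: db.example.internal
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: CHANGE_ME

# No duo-* properties are set: this variant relies on the OpenID
# provider to enforce 2FA/MFA. If the provider does not, the Duo
# extension would be added alongside these two.
```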
Re: OpenID Connect authentication in 0.9.14 and 2FA

Suncatcher16
Thanks for the extensive answer.
That is what I was going to hear, if both Duo and OpenConnect are
2FA-enabled, one of them can certainly be omitted.


