Working on authentication for a web-based application using client certificates (SSL) [possession factor] and passwords [knowledge factor] as requirements for authentication.
TOTP either need a dedicated device
There are (apparently) providers that do this, but if the user group is fairly closed, using a CA is a viable solution...
Generate a CA .key and .crt
Put a password on the CA
]# openssl genrsa -des3 -out ca.key 4096
]# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Generate a .key, .csr and sign the web-server's .crt
A password on the server's key is a potential issue upon unattended reboot, so this key is generated without one
]# openssl genrsa -out host.domain.key 4096
]# openssl req -new -key host.domain.key -out host.domain.csr
]# openssl x509 -req -days 365 -in host.domain.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out host.domain.crt
Generate a .key, .csr and sign the web-client's .crt
]# openssl genrsa -out alice.key 2048
]# openssl req -new -key alice.key -out alice.csr
]# openssl x509 -req -days 3650 -in alice.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out alice.crt
To import the client certificate into Windows or Android clients the key and certificate must be in a .p12 file.
]# openssl pkcs12 -export -in alice.crt -inkey alice.key -out alice.p12
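The steps above as one non-interactive script, added here as an example and not part of the original notes: it issues the host and client certificates with distinct serials, then checks that each chains to the CA and matches its key, and that the .p12 opens. Subjects, passphrases and the 2048-bit test keys are constructed values.

```shell
#!/bin/sh
# Added example: runs the CA / server / client steps in a scratch directory.
# All subjects and passphrases below are constructed test values.
CA_PASS='pass:example-ca-passphrase'
P12_PASS='pass:example-p12-passphrase'

# issue NAME SERIAL: key + CSR + CA-signed certificate for NAME
issue() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null &&
  openssl req -new -key "$1.key" -subj "/CN=$1" -out "$1.csr" &&
  openssl x509 -req -days 365 -in "$1.csr" -CA ca.crt -CAkey ca.key \
    -passin "$CA_PASS" -set_serial "$2" -out "$1.crt" 2>/dev/null
}

# check NAME: certificate chains to ca.crt and matches its private key
check() {
  openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -noout -pubkey -in "$1.crt")" = \
    "$(openssl pkey -pubout -in "$1.key")" ]
}

# build_and_check: returns 0 only if every check passes
build_and_check() (
  dir=$(mktemp -d) && cd "$dir" || exit 1
  trap 'rm -rf "$dir"' EXIT
  # passphrase-protected CA key, then the self-signed CA certificate
  openssl genrsa -aes256 -passout "$CA_PASS" -out ca.key 2048 2>/dev/null || exit 1
  openssl req -new -x509 -days 3650 -key ca.key -passin "$CA_PASS" \
    -subj "/CN=Example Test CA" -out ca.crt || exit 1
  issue host.domain 01 && issue alice 02 || exit 1
  check host.domain && check alice || exit 1
  # two certificates from one issuer must not share a serial number
  [ "$(openssl x509 -noout -serial -in host.domain.crt)" != \
    "$(openssl x509 -noout -serial -in alice.crt)" ] || exit 1
  # bundle for Windows/Android import, then confirm it opens and holds alice's cert
  openssl pkcs12 -export -in alice.crt -inkey alice.key \
    -passout "$P12_PASS" -out alice.p12 || exit 1
  openssl pkcs12 -in alice.p12 -passin "$P12_PASS" -nokeys 2>/dev/null |
    openssl x509 -noout -subject | grep -q 'alice'
)
```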
Remote Desktop access
Use socat to open a TCP proxy for the user's current IPv4 internet address to an internal server or PC.
Originally used a code sent via TXT message to a pre-exchanged mobile, but due to the issue with SIM swapping this seems now to be considered 2 step rather than 2 factor authentication.
I considered moving to a TOTP solution.