Multi-factor Authentication

Web-delivered platform

Working on authentication for a web-based application using client certificates (SSL) [posession factor] and passwords [knowledge factor] as requirements for authetication.

TOTP either need a dedicated device

There are (apparently) providers that do this, but if the user group is fairly closed using a CA is a viable solution...

Generate a CA .key and .crt

Put a password on the CA

]# openssl genrsa -des3 -out ca.key 4096
]# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Generate a .key, .csr and sign the web-server's .crt

Having a password on the server's crt is a potential issue upon unattended reboot

]# openssl genrsa -out host.domain.key 4096
]# openssl req -new -key host.domain.key -out host.domain.csr
]# openssl x509 -req -days 365 -in host.domain.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out host.domain.crt

Generate a .key, .csr and sign the web-client's .crt

]# openssl genrsa -out alice.pem  1024
]# openssl req -new -key alice.pem -out alice.csr
]# openssl x509 -req -days 3650 -in alice.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out alice.out

To import the client certificate into Windows or Android clients the key and certificate must be in a .p12 file.

]# openssl pkcs12 -export -in alice.crt -inkey alice.key -out alice.p12

Remote Desktop access

SOCAT to open a TCP proxy for the users's current IPv4 internet address to an internal server or PC.

Originally used a code sent via TXT message to a pre-exchanged mobile, but due to the issue with SIM swapping this seems now to be considered 2 step rather than 2 factor autentication. 

I considered moving to a TOTP solution.