Multi-factor Authentication

Web-delivered platform

Working on authentication for a web-based application using client certificates (SSL/TLS) [possession factor] and passwords [knowledge factor] as requirements for authentication.

TOTP either needs a dedicated device

There are (apparently) providers that do this, but if the user group is fairly closed, running your own CA is a viable solution.

Generate a CA .key and .crt

Put a password on the CA's private key; it is only needed when signing new certificates, so an encrypted key costs nothing operationally.

]# openssl genrsa -des3 -out ca.key 4096
]# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Generate a .key, .csr and sign the web-server's .crt

Having a password on the server's private key is a potential issue upon unattended reboot, because the web server cannot start until somebody types the passphrase.

]# openssl genrsa -out host.domain.key 4096
]# openssl req -new -key host.domain.key -out host.domain.csr
]# openssl x509 -req -days 365 -in host.domain.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out host.domain.crt

Generate a .key, .csr and sign the web-client's .crt

Use a serial number different from the server certificate's: two certificates issued by the same CA must not share a serial. RSA keys shorter than 2048 bits are no longer considered adequate.

]# openssl genrsa -out alice.key 2048
]# openssl req -new -key alice.key -out alice.csr
]# openssl x509 -req -days 3650 -in alice.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out alice.crt

To import the client certificate into Windows or Android clients, the key and certificate must be bundled together in a .p12 (PKCS#12) file.

]# openssl pkcs12 -export -in alice.crt -inkey alice.key -out alice.p12
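The whole CA / server / client procedure above, run end to end non-interactively, followed by the two checks worth doing before trusting the result. This is an added example, not the page's own commands; it differs from them in giving every certificate its own serial number via -CAcreateserial (instead of -set_serial), using a 2048-bit client key, and keeping file names consistent so the pkcs12 step finds them. The host name host.example.test, the user alice and the CA passphrase ca-secret are constructed for the example; the openssl command-line tool (1.1.1 or later) is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original page): builds the private CA, the
# web server certificate and one client certificate, then verifies the chain.
# Constructed names: host.example.test, alice, CA passphrase "ca-secret".

make_mfa_pki() {                       # $1 = output directory, $2 = CA passphrase
  dir=$1; ca_pass=$2
  mkdir -p "$dir" || return 1
  (
    set -e
    cd "$dir"

    # CA: the private key is encrypted, so issuing needs the passphrase.
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out ca.key 2048
    openssl req -new -x509 -days 3650 -key ca.key -passin "pass:$ca_pass" \
        -subj "/CN=Example Private CA" -out ca.crt

    # Web server: key left unencrypted so the service can restart unattended.
    openssl genrsa -out host.example.test.key 2048
    openssl req -new -key host.example.test.key \
        -subj "/CN=host.example.test" -out host.example.test.csr
    openssl x509 -req -days 365 -in host.example.test.csr -CA ca.crt \
        -CAkey ca.key -passin "pass:$ca_pass" -CAcreateserial \
        -out host.example.test.crt

    # Client (possession factor): key + certificate, bundled as PKCS#12 for
    # import into Windows or Android. -CAcreateserial reuses ca.srl and
    # increments it, so this certificate never shares the server's serial.
    openssl genrsa -out alice.key 2048
    openssl req -new -key alice.key -subj "/CN=alice" -out alice.csr
    openssl x509 -req -days 3650 -in alice.csr -CA ca.crt \
        -CAkey ca.key -passin "pass:$ca_pass" -CAcreateserial -out alice.crt
    openssl pkcs12 -export -in alice.crt -inkey alice.key \
        -passout pass:alice-p12 -out alice.p12
  )
}

# The check the web server performs at the TLS handshake: does the presented
# client certificate chain to our private CA? Prints "OK" when it does.
verify_client_cert() {                 # $1 = directory from make_mfa_pki
  openssl verify -CAfile "$1/ca.crt" "$1/alice.crt" | sed 's/.*: //'
}

# Two certificates issued by one CA must not share a serial number; returns 0
# when the server and client serials differ.
serials_are_unique() {                 # $1 = directory from make_mfa_pki
  s1=$(openssl x509 -in "$1/host.example.test.crt" -noout -serial)
  s2=$(openssl x509 -in "$1/alice.crt" -noout -serial)
  [ "$s1" != "$s2" ]
}

# Stand-alone demo in a scratch directory.
if [ -z "${MFA_PKI_NO_DEMO:-}" ]; then
  demo=$(mktemp -d)
  make_mfa_pki "$demo" ca-secret
  echo "client chain: $(verify_client_cert "$demo")"
  serials_are_unique "$demo" && echo "serials unique"
fi
```

The CA key uses -aes256 rather than the page's -des3; both are passphrase-protected PEM, but 3DES is deprecated and some OpenSSL 3 builds move it to the legacy provider. The server key deliberately has no passphrase, matching the unattended-reboot point made above.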

Remote Desktop access

socat is used to open a TCP proxy from the user's current IPv4 internet address to an internal server or PC.
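A wrapper for the socat proxy just described, written as an added example rather than taken from the page: the listener is restricted to the single address the user authenticated from (socat's range= option on the listening side), and that address is validated as a dotted-quad IPv4 address before it is placed on a command line, since it arrives from the web application's session data. The listen port 3389, the internal host 10.0.0.5 and the user address 203.0.113.5 are constructed values.

```shell
#!/bin/sh
# Added example (not from the original page): builds and optionally starts a
# socat TCP proxy that accepts connections only from one source address.
# Constructed values used in the demo: 203.0.113.5 -> :3389 -> 10.0.0.5:3389.

# Returns 0 only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  ip=$1
  case "$ip" in
    ""|*[!0-9.]*) return 1 ;;        # empty, or anything other than digits and dots
  esac
  old_ifs=$IFS; IFS=.
  set -- $ip                         # split into octets (no glob chars possible here)
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ -n "$octet" ] || return 1      # rejects "1..2.3" and leading/trailing dots
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Prints the socat command that forwards local port $2 to $3:$4, accepting
# connections only from source address $1. Refuses an invalid address.
socat_proxy_cmd() {
  src=$1; lport=$2; dst=$3; dport=$4
  valid_ipv4 "$src" || { echo "rejected source address: '$src'" >&2; return 1; }
  printf 'socat TCP4-LISTEN:%s,reuseaddr,fork,range=%s/32 TCP4:%s:%s\n' \
      "$lport" "$src" "$dst" "$dport"
}

# Starts the proxy in the background and prints its PID so the web
# application can kill it when the user's session ends. Needs socat installed.
start_socat_proxy() {
  cmd=$(socat_proxy_cmd "$@") || return 1
  command -v socat >/dev/null || { echo "socat not installed" >&2; return 1; }
  $cmd >/dev/null 2>&1 &
  echo $!
}

# Stand-alone demo: show the command that would be run for one user.
socat_proxy_cmd 203.0.113.5 3389 10.0.0.5 3389
```

Because range= is evaluated by socat before the connection is forwarded, a connection from any other address is dropped at the proxy rather than reaching the internal host; the PID returned by start_socat_proxy is what ties the proxy's lifetime to the user's authenticated session.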

Originally used a code sent via TXT message to a pre-exchanged mobile, but due to the issue with SIM swapping this now seems to be considered 2-step rather than 2-factor authentication.

I considered moving to a TOTP solution.

Two-factor authentication (2FA) should use 2 of the 3 factors below, or it is really just 2-step authentication.

Even though traditionally TXT messages seem to fall into the something-you-have (AKA possession) factor category, the consensus view now seems to be that this is just a knowledge factor.

Factors of Multi-factor authentication

  1. Knowledge Factor (password or PIN)
  2. Possession Factor (certificate, card reader)
  3. Inherent Factor (fingerprint, voice, face)

Article 97(1) of the Revised Directive on Payment Services (PSD2) has popularised MFA. Article 4(30) dictates the requirements in respect of (IRO) PSD2.