Post by andruszamojski on Apr 15, 2024 13:14:08 GMT
Redfish spec defines the following:
When a multi-factor authentication type that requires tokens is enabled, services shall require the
Token property in the POST request to the SessionCollection resource for accounts that are not
configured to bypass multi-factor authentication. The service shall verify the provided token in addition
to verifying the username and password. If the Token property is required and not provided by the
client, but the client provided a valid UserName and Password combination, the service shall return the
HTTP 401 Unauthorized status code with the AuthenticationTokenRequired message from the Base Message Registry. In addition, if the multi-factor authentication type uses a service-generated one-time passcode, the service shall also return the OneTimePasscodeSent message from the Base Message Registry, and send a one-time passcode to the configured delivery address for that account.
I have the following questions about the one-time passcode:
1) Does it mean that every time a one-time passcode is successfully used to authenticate a user, the code is sent to the configured email, or is it only about used emergency codes?
2) My understanding is that sending the passcode to the configured email is not limited (by the spec) to AD/LDAP-configured users but applies to users in general (any user).
3) Since the word 'shall' is used, it's a 'must-have' to be compliant with the spec.
Post by mraineri on Apr 15, 2024 14:05:43 GMT
1) No, this only applies when a user supplies only "UserName" and "Password", and the MFA configuration is to generate one-time tokens in response to the login attempt. This is like when you log into your bank's website and it prompts you for a token they just sent to you via text or email.
2) Correct; you can have this enabled in a ManagerAccount resource and email the user without having any LDAP/AD configuration.
3) Yes, but it's conditional on whether it's configured, per the lead-in "When a multi-factor authentication type that requires tokens is enabled". It's not required to support the capability. The same is true of the email usage, with the lead-in "if the multi-factor authentication type uses a service-generated one-time passcode". This is also an optional capability, but the behavior is mandatory if you support it and the user has it enabled.
Post by andruszamojski on Apr 16, 2024 10:45:50 GMT
Ok, I misinterpreted this. In my case the 2FA tokens have a grace period, so they are not sent every time, just when the grace period has expired. The code in this case is not delivered to an email address but must be generated using an app/mobile phone on which the user has registered and configured the 2FA login.
Post by mraineri on Apr 16, 2024 12:51:41 GMT
In that case, you'll just return "AuthenticationTokenRequired" to tell the client they need to supply the extra token.
One thing to note is in the service-generated onetime passcode, it'll return both the "AuthenticationTokenRequired" and "OneTimePasscodeSent"; the first message is always used to tell the client to provide the "Token" property, and the second message here is specific to telling the client to check their email for the token.
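The service-side decision the two replies above describe (AuthenticationTokenRequired alone for an app-generated token, AuthenticationTokenRequired plus OneTimePasscodeSent and an actual send for a service-generated passcode, no token at all for accounts that bypass MFA), written out as an added example that is not DMTF's code and not taken from any Redfish implementation. Assumptions that are mine, not the thread's: Base Message Registry version 1.15 for the MessageId prefix, an in-memory account store with plaintext passwords, a list standing in for email delivery, RFC 6238 TOTP for the app-generated case, and a GeneralError on a bad UserName/Password pair (the quoted spec text does not prescribe that message; it only says the MFA messages are returned after a valid credential pair).

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BASE = "Base.1.15"  # assumed registry version; use the one your service actually ships
MSG_TOKEN_REQUIRED = BASE + ".AuthenticationTokenRequired"
MSG_OTP_SENT = BASE + ".OneTimePasscodeSent"
MSG_GENERAL = BASE + ".GeneralError"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


@dataclass
class Account:
    username: str
    password: str                      # plaintext only for this self-contained example
    mfa: Optional[str] = None          # None, "TOTP" (app-generated) or "OTP" (service-generated)
    bypass_mfa: bool = False
    delivery_address: Optional[str] = None
    totp_secret: Optional[bytes] = None


def error(*message_ids: str) -> dict:
    """Minimal Redfish error object carrying the given Base registry MessageIds."""
    return {"error": {"code": message_ids[0], "message": "See @Message.ExtendedInfo",
                      "@Message.ExtendedInfo": [{"MessageId": m} for m in message_ids]}}


@dataclass
class SessionService:
    accounts: Dict[str, Account]
    outbox: List[Tuple[str, str]] = field(default_factory=list)  # stand-in for email delivery
    pending_otp: Dict[str, str] = field(default_factory=dict)    # username -> unused passcode
    sessions: Dict[str, str] = field(default_factory=dict)       # X-Auth-Token -> username

    def _send_one_time_passcode(self, acct: Account) -> None:
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending_otp[acct.username] = code
        self.outbox.append((acct.delivery_address or "", code))

    def _token_valid(self, acct: Account, token: str, now: int) -> bool:
        if acct.mfa == "OTP":
            expected = self.pending_otp.pop(acct.username, None)  # single use: pop, never peek
            return expected is not None and hmac.compare_digest(expected, token)
        if acct.mfa == "TOTP" and acct.totp_secret:
            # accept the current 30 s step and one step either side to absorb clock skew
            return any(hmac.compare_digest(totp(acct.totp_secret, now + d), token)
                       for d in (-30, 0, 30))
        return False

    def post_session(self, body: dict, now: Optional[int] = None) -> Tuple[int, dict, dict]:
        """Handle POST to the SessionCollection. Returns (status, headers, body)."""
        now = int(time.time()) if now is None else now
        acct = self.accounts.get(body.get("UserName", ""))
        pw_ok = acct is not None and hmac.compare_digest(acct.password, str(body.get("Password", "")))
        if not pw_ok:
            # Bad credentials: a plain 401 that reveals nothing about the account's MFA settings.
            return 401, {}, error(MSG_GENERAL)
        if acct.mfa is not None and not acct.bypass_mfa:
            token = body.get("Token")
            if token is None:
                # Valid UserName/Password but no Token. AuthenticationTokenRequired is always
                # returned; OneTimePasscodeSent only when the service itself generates and sends it.
                if acct.mfa == "OTP":
                    self._send_one_time_passcode(acct)
                    return 401, {}, error(MSG_TOKEN_REQUIRED, MSG_OTP_SENT)
                return 401, {}, error(MSG_TOKEN_REQUIRED)
            if not self._token_valid(acct, str(token), now):
                return 401, {}, error(MSG_GENERAL)
        session_id = secrets.token_hex(8)
        auth_token = secrets.token_urlsafe(32)
        self.sessions[auth_token] = acct.username
        location = f"/redfish/v1/SessionService/Sessions/{session_id}"
        return 201, {"X-Auth-Token": auth_token, "Location": location}, \
            {"@odata.id": location, "Id": session_id, "UserName": acct.username}


def build_demo_service() -> SessionService:
    """Constructed accounts covering the cases discussed in the thread (not real data)."""
    return SessionService(accounts={
        "nomfa": Account("nomfa", "pw1"),
        "mailuser": Account("mailuser", "pw2", mfa="OTP", delivery_address="mailuser@example.test"),
        "appuser": Account("appuser", "pw3", mfa="TOTP", totp_secret=b"12345678901234567890"),
        "svcacct": Account("svcacct", "pw4", mfa="OTP", bypass_mfa=True),
    })
```

A client that sees AuthenticationTokenRequired in the 401 body simply repeats the POST with the Token property added; if OneTimePasscodeSent is also present it knows to wait for the delivered code rather than prompt for an authenticator app. Two details worth keeping even in a real implementation: the passcode is consumed on first verification so a replay of the same POST fails, and a wrong password never triggers a send, so an attacker with only a username cannot make the service mail codes to the account holder.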