Hi Team,
We are currently using ConfD version 6.3 with password-based authentication enabled. We are exploring the possibility of implementing multi-factor authentication (MFA) by adding public key-based authentication as a second factor.
Could you please confirm whether ConfD 6.3 supports multiple authentication methods simultaneously, specifically combining password and public key authentication to achieve MFA?
Best regards,
Vinuta M B
Can anyone please share some update on this?
Hi,
I’m not quite sure if you mean to do MFA sequentially with password or by adding a challenge to a password, thus creating MFA as the ‘only’ auth method. Current releases support both in the sense that you can define the authOrder:
/confdConfig/aaa/authOrder (string)
By default the AAA system will try to authenticate a user in the following order. (1) localAuthentication, i.e. the user is found inside /aaa/authentication/users. (2) pam - i.e. PAM authentication - if enabled - is tried. (3) externalAuthentication, i.e. an external program is invoked to authenticate the user.
The default is thus:
'localAuthentication pam externalAuthentication'
To change the order - change this string. For example in order to always try pam authentication before local auth set it to: 'pam localAuthentication'
And then also straight-up MFA as in the UG:
18.4.6. External multi factor authentication
You can also consider the option of using PAM with a service such as Keycloak that could do the desired function.
Of course, these suggestions are based on currently supported ConfD capabilities and I do not know the state of support in 6.3.
Best,
Scott