Multi-Factor Authentication For The IAM

The document outlines the implementation of Multi-factor Authentication (MFA) for the Identity and Access Management (IAM) system, emphasizing its importance for securing sensitive accounts and data. It details the workflow for enabling MFA, the use of authenticator apps, and the provision of recovery codes for account access. The current progress includes developing a prototype and plans for integrating MFA into the IAM codebase while ensuring flexibility and security.


Multi-factor Authentication for the IAM
Sam Glendenning
STFC
What is MFA?
• Providing an additional login factor to verify your identity
• One-time usage passcode or hyperlink

Why so important?
• Login credentials alone may not be enough for account security
• The IAM protects:
  • Sensitive accounts
  • Important online infrastructure
  • Sensitive research data
Objectives for MFA in the IAM
• Easily enabled on any new or existing IAM instantiation
• Customisable by an IAM admin based on wants and needs
• Safe and secure
• Adoptable by everyone
Workflow
• Individual users may decide whether or not they want MFA to be enabled on their account
• However, an IAM administrator may enforce MFA on all of their user accounts if they wish
• Once implemented, users will enable MFA in their account settings
• They can then control their MFA settings through their account settings page
Multi-factor secret key
• MFA will initially be available through the use of an authenticator app for mobile devices
• Examples include Google Authenticator, Microsoft Authenticator, Authy, etc.
• These apps allow a QR code containing an MFA secret (plus additional account details) to be scanned and imported through the device's camera (alternatively, the user can manually enter this information)
• This secret can then be used by the app to generate time-based one-time passwords every 30 seconds
• The IAM also possesses this secret, so both the user's app and the IAM generate the same passwords at the same time
• Thus, this can be used for verification of the user
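The time-based one-time password scheme the slide describes, as an added example that is not the IAM's or the author's code: RFC 6238 TOTP with HMAC-SHA1, 6 digits and a 30-second step, plus the server-side check that regenerates the code from the shared secret, tolerates one step of clock drift and compares in constant time. The base32 secret used in the test is the RFC 6238 reference key; `provisioning_uri` builds the otpauth URI an authenticator app reads from the enrolment QR code, with the issuer and account label as placeholders.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP_SECONDS = 30   # the 30-second window described on the slide
DIGITS = 6          # code length most authenticator apps default to


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    secret_b32 = secret_b32.strip().replace(" ", "").upper()
    key = base64.b32decode(secret_b32 + "=" * (-len(secret_b32) % 8))  # restore padding
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)  # keep leading zeros


def verify_totp(secret_b32: str, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: the IAM holds the same secret, so it recomputes the code for the
    current window (plus skew_steps neighbours for clock drift) and compares in constant
    time so the comparison itself leaks nothing about the expected code."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == DIGITS):
        return False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp(secret_b32, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth URI encoded in the enrolment QR code; issuer and account are the
    'additional account details' the slide mentions (placeholder values in the test)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")
```

A deployment should also record the last accepted time step per account so a code observed in transit cannot be replayed inside the same window.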
Recovery codes
• To prevent account lockout in the event of the user losing access to their mobile device, emergency scratch codes are generated for the user's account
• These are single-use passwords used in conjunction with the main account password to restore access
• They are regenerated when used and can be regenerated whenever the user wishes
• Scratch codes can be viewed at any time in the account settings
Information Security
• Multi-factor secrets and emergency scratch codes are stored in a secure database
• All sensitive information is hashed and/or encrypted to a high standard
• Users have control over their multi-factor settings
  • Can enable/disable MFA as they please (if their federation allows it)
  • Can regenerate scratch codes at their leisure
• Accounts will be locked after a number of failed attempts
• Step-up authentication: prompt for another one-time passcode when performing certain actions
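The emergency scratch codes from the Recovery codes slide together with the hashed storage and lockout points from this slide, as one added example that is not code from the IAM or its Spring Boot prototype: codes are random, shown to the user once when generated, stored only as salted PBKDF2 hashes, accepted a single time each, and the account locks after a fixed number of consecutive failed attempts. The code count, code length, lockout threshold and PBKDF2 round count are assumed values, not the IAM's.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10         # assumed: codes issued per regeneration
CODE_BYTES = 5          # assumed: 40 bits of entropy each, shown as 10 hex chars
MAX_FAILURES = 5        # assumed: consecutive failures before the account locks
PBKDF2_ROUNDS = 10_000  # assumed; tune to the deployment's hardware budget


class ScratchCodeStore:
    """Per-account emergency codes: plaintext is returned once, only hashes are kept."""

    def __init__(self) -> None:
        self._hashes = []   # list of (salt, pbkdf2 digest); never the plaintext
        self.failures = 0
        self.locked = False

    @staticmethod
    def _hash(code: str, salt: bytes = None):
        salt = salt or secrets.token_bytes(16)
        return salt, hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)

    def regenerate(self) -> list:
        """Replace every code ('regenerate whenever the user wishes'); return plaintexts once."""
        plaintexts = [secrets.token_hex(CODE_BYTES) for _ in range(CODE_COUNT)]
        self._hashes = [self._hash(code) for code in plaintexts]
        return plaintexts

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, submitted: str) -> bool:
        """Consume one code. Each code works at most once; a locked account rejects all."""
        if self.locked:
            return False
        for i, (salt, digest) in enumerate(self._hashes):
            _, candidate = self._hash(submitted, salt)
            if hmac.compare_digest(candidate, digest):
                del self._hashes[i]      # single use: the hash is gone after success
                self.failures = 0
                return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True           # 'locked after a number of failed attempts'
        return False
```

In the real system the scratch code is checked alongside the account password, so the lockout counter would cover both checks and be persisted with the account rather than held in memory.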
Current progress
I am the primary developer implementing multi-factor authentication to the IAM.

• Main work so far is a basic prototype of a user login system using multi-factor authentication and scratch codes
  • Java
  • Spring Boot framework (highly customisable and flexible)
  • Entirely localised authentication (no need for external APIs for code verification or QR code generation)
  • MFA using a soft token through an authenticator app
  • Accounts can choose to enable or disable MFA

This can then be implemented into the IAM codebase


Targets (not necessarily in this order)
• Implement prototype work into IAM codebase
• Solution needs to be flexible to allow:
  ○ Expansion of supported factors of authentication (email, YubiKey, WebAuthn, etc.)
  ○ Individual identity providers to customise their MFA setup (if they choose to enable MFA at all)
• Analyse solution for security flaws and carry out risk assessments
• Document and test
• Communicate with end users to gather thoughts and feedback
• Release in a few months
Questions?