2-factor authentication

Hello,

As more and more web services and applications are now supporting 2-factor authentication (MFA) via one-time passwords (OTP) and/or hardware tokens such as Yubikeys, security conscious users are asking about support for this in Request Tracker.

Is this a planned feature for RT core? Is an extension available adding this functionality?

I’m also interested to learn about how others have integrated their 2FA solution with RT.

Thanks!

We use multi factor authentication with RT, but it is provided by mod_shib in Apache to do Shibboleth single sign on with a shim on our IdP that links to Cisco Duo. Seems to work OK - been in use for several years now. You might want to see what options you have with web server authentication already.

Hello

A little while ago, for a former employer, I implemented MFA within RT without calling an external service, so that there were no outside dependencies or contracts involved. This worked by having RT keep a secret token for each operator, for time-based one-time passwords (TOTP).

To enable MFA, the operator would go to the RT preferences page where identity and password settings live. An extra section was added to that page, allowing the operator to scan a QR code into their mobile device's TOTP-compatible authenticator app (such as Google Authenticator). This loaded the secret token into their mobile app.

With MFA enabled, an operator would log in with their usual account details (local RT account, LDAP / Active Directory, whatever you already had working). They would then be prompted to enter a one-time passcode before being able to proceed further.

I did also implement YubiKey support at the time, which worked by enrolling the key in the same settings page. YubiKey support did require a callout to the external Yubico API servers though.

That was all on RT 4.2.16, and was closed-source. If anyone has an interest in MFA implemented in this way, I could have a go at building something similar in RT 5.x, as free software.