Open Stack

Hi Greg,

On Fri, Dec 14, 2018, at 2:07 PM, Waines, Greg wrote:
> Keystone guys,
> 
> What is the current status of Keystone supporting Multi-Factor Authentication ?
> 
> https://specs.openstack.org/openstack/keystone-specs/specs/keystone/rocky/mfa-auth-receipt.html
> 
>   *   Does this work provide true MFA ?

It's a component of a proper MFA solution. We had already implemented TOTP as a possible auth method as well as the ability to use multiple auth methods. The MFA receipts work is to make it easier for clients to use MFA in a more natural way than what we had before.

>   *   Is this work still active ?

The API work for the receipts features is more or less completed. We still need proper documentation and an update to the API reference. We also need to work this feature into keystoneauth and horizon. Adrian Turjak has been leading this effort. I think he's still on vacation but I expect he'll pick it up when he's back.

> 
> Are there other solutions for MFA for OpenStack Keystone ?

Not in keystone, but keystone supports external authentication so if you have an external identity provider that supports MFA you can lean on that.

> 
> Greg.

Colleen