Re: [kitten] Fwd: I-D Action: draft-melnikov-scram-2fa-00.txt

Dave Cridland <dave@cridland.net> Thu, 19 March 2020 14:12 UTC

From: Dave Cridland <dave@cridland.net>
Date: Thu, 19 Mar 2020 14:12:27 +0000
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: kitten@ietf.org
Subject: Re: [kitten] Fwd: I-D Action: draft-melnikov-scram-2fa-00.txt
Message-ID: <CAKHUCzzQqRRuYK5C=BXPfws2Y4Ky+iCYUPJdVXaYFWj-Rzurug@mail.gmail.com>
In-Reply-To: <1330abb0-f0ae-3399-0486-4d7f7ff63267@isode.com>
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/fa_ygUc3klcZKLAFYJWvLbFfdeE>

In XMPP-land, we did this by having an extended SASL profile that could ask
explicitly for TOTP (and password changes, and other things of that ilk).

https://xmpp.org/extensions/xep-0388.html (Extensible SASL Profile)
https://xmpp.org/extensions/xep-0400.html (TOTP 2FA for the above)

This detaches the choice of authentication mechanism from the choice of
second factor, as well as allowing other exciting options for all your
authentication needs.

I've personally implemented these in servers and clients, and they appear
to work well.

On Thu, 19 Mar 2020 at 13:26, Alexey Melnikov <alexey.melnikov@isode.com>
wrote:

> Hi all,
>
> As I had various conversations with people saying that SASL doesn't
> support 2 factor authentication, I posted a short draft which shows how to
> add 2 factor authentication to SCRAM. This is mostly a proof of concept and
> I am planning to work on another draft explaining how to do the same for
> SASL OAUTH.
>
> (If I remember correctly I also talked to Dave Cridland about doing a more
> generic extension to the SASL framework itself by allowing protocols to
> invoke multiple SASL mechanism in a sequence and achieving 2FA that way. I
> would be interested in developing this concept as well, but it would take
> longer than just extending some existing SASL mechanisms.)
>
> If people can have a look and provide feedback, that would be much
> appreciated.
> Best Regards,
> Alexey
> -------- Forwarded Message --------
> Subject: I-D Action: draft-melnikov-scram-2fa-00.txt
> Date: Thu, 19 Mar 2020 06:17:40 -0700
> From: internet-drafts@ietf.org
> Reply-To: internet-drafts@ietf.org
> To: i-d-announce@ietf.org
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>
>
> Title: Extensions to Salted Challenge Response (SCRAM) for 2 factor authentication
> Author: Alexey Melnikov
> Filename: draft-melnikov-scram-2fa-00.txt
> Pages: 5
> Date: 2020-03-19
>
> Abstract:
> This specification describes an extension to the family of Simple
> Authentication and Security Layer (SASL; RFC 4422) authentication
> mechanisms called the Salted Challenge Response Authentication
> Mechanism (SCRAM), which provides support for 2 factor
> authentication.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-melnikov-scram-2fa/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-melnikov-scram-2fa-00
> https://datatracker.ietf.org/doc/html/draft-melnikov-scram-2fa-00
>
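To make the two approaches in this thread concrete, here is an added, self-contained illustration (my own code, not the draft's wire format and not the XEP-0388/0400 implementation Dave mentions): a SCRAM-SHA-256 exchange per RFC 7677 run in-process for both client and server, followed by a TOTP check per RFC 6238 as a separate second step, which is the "run the factors in sequence" shape rather than a new SCRAM attribute. The user record, nonces and salt are constructed test values (the SCRAM ones are the RFC 7677 example values, the TOTP seed is the RFC 6238 test key); `two_factor_login` and the `USER_DB` layout are assumptions for the example only.

```python
"""Added example: SCRAM-SHA-256 (RFC 7677) followed by TOTP (RFC 6238) as a
separate second step. Not the draft-melnikov-scram-2fa syntax."""
import base64
import hashlib
import hmac
import struct


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def scram_credentials(password: str, salt: bytes, iters: int) -> tuple:
    """What the server stores instead of the password: (StoredKey, ServerKey)."""
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    return hashlib.sha256(client_key).digest(), server_key


def scram_sha256(username: str, password: str, salt: bytes, iters: int,
                 stored_key: bytes, server_key: bytes,
                 client_nonce: str, server_nonce: str) -> dict:
    """Both sides of SCRAM-SHA-256 with fixed nonces (no channel binding, gs2 "n,,").
    Returns the four messages and each side's verdict."""
    cf_bare = f"n={username},r={client_nonce}"
    client_first = "n,," + cf_bare
    nonce = client_nonce + server_nonce
    server_first = f"r={nonce},s={base64.b64encode(salt).decode()},i={iters}"
    cfinal_bare = f"c={base64.b64encode(b'n,,').decode()},r={nonce}"  # c=biws
    auth_message = f"{cf_bare},{server_first},{cfinal_bare}".encode("utf-8")
    # Client: derive ClientKey from the password, prove knowledge via XOR with ClientSignature.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    client_sig = hmac.new(hashlib.sha256(client_key).digest(), auth_message,
                          hashlib.sha256).digest()
    proof = _xor(client_key, client_sig)
    client_final = f"{cfinal_bare},p={base64.b64encode(proof).decode()}"
    # Server: recover ClientKey from the proof and compare H(ClientKey) to StoredKey.
    srv_client_sig = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    server_ok = hmac.compare_digest(
        hashlib.sha256(_xor(proof, srv_client_sig)).digest(), stored_key)
    if not server_ok:
        return {"client_first": client_first, "server_first": server_first,
                "client_final": client_final, "server_final": "e=invalid-proof",
                "server_ok": False, "client_ok": False}
    server_sig = hmac.new(server_key, auth_message, hashlib.sha256).digest()
    server_final = "v=" + base64.b64encode(server_sig).decode()
    # Client: authenticate the server by recomputing ServerSignature from its own ServerKey.
    exp_server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    client_ok = hmac.compare_digest(
        hmac.new(exp_server_key, auth_message, hashlib.sha256).digest(), server_sig)
    return {"client_first": client_first, "server_first": server_first,
            "client_final": client_final, "server_final": server_final,
            "server_ok": server_ok, "client_ok": client_ok}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the default most authenticator apps use)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp_verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb clock drift;
    constant-time compare so a code cannot be guessed digit by digit."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * 30), code)
               for k in range(-window, window + 1))


# Constructed test user (hypothetical record layout). Salt, iteration count and
# nonces are the RFC 7677 example values; the TOTP seed is the RFC 6238 test key.
SALT = base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ==")
TOTP_SECRET = b"12345678901234567890"
CLIENT_NONCE = "rOprNGfwEbeRWgbNEkqO"
SERVER_NONCE = "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
STORED_KEY, SERVER_KEY = scram_credentials("pencil", SALT, 4096)
USER_DB = {"user": {"salt": SALT, "iters": 4096, "stored_key": STORED_KEY,
                    "server_key": SERVER_KEY, "totp_secret": TOTP_SECRET}}


def two_factor_login(username: str, password: str, code: str, now: int,
                     db: dict = USER_DB, client_nonce: str = CLIENT_NONCE,
                     server_nonce: str = SERVER_NONCE) -> dict:
    """Server policy for the sequential approach: the TOTP step only runs after
    SCRAM succeeds, and the TOTP seed never enters the SCRAM computation."""
    rec = db[username]
    scram = scram_sha256(username, password, rec["salt"], rec["iters"],
                         rec["stored_key"], rec["server_key"], client_nonce, server_nonce)
    totp_ok = scram["server_ok"] and totp_verify(rec["totp_secret"], code, now)
    return {"scram_ok": scram["server_ok"], "totp_ok": totp_ok,
            "authenticated": scram["server_ok"] and totp_ok, "messages": scram}


if __name__ == "__main__":
    now = 59
    print(two_factor_login("user", "pencil", totp(TOTP_SECRET, now), now))
```

Because the salt and nonces are the RFC 7677 example values, the `client_final` and `server_final` strings this produces can be compared line by line against the exchange printed in that RFC. The point of keeping the TOTP seed out of the SCRAM keys is the same decoupling Dave describes: the mechanism that proves the password need not know which second factor (if any) follows it.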