OAuth2 but require Multi-Factor Authentication (MFA)

I have an app with confidential PII (social security number, payroll information). I'd like to enable users to log in with OAuth IDs (Google, LinkedIn) for convenience but require those accounts have multi-factor authentication enabled in the identity provider, i.e. fail the login through OAuth2 if the user hasn't enabled MFA in their underlying identity provider account. This allows me to avoid exposing my confidential information to a weak Gmail password.

Is there any way to do this?

Mike Kelly Avatar asked May 17 '15 20:05





2 Answers

Unfortunately, no.
In the case of Google and LinkedIn, the authentication level is not linked to a specific scope. The OAuth response doesn't specify either whether the user used an OTP token or not.

Even if the user is enrolled in MFA, the user can register the computer he's using as a trusted one and in this case, Google will never prompt him for an OTP. This behaviour may prevent many users from accessing your application.

sk_ Avatar answered Oct 05 '22 23:10



Actually, I believe you could check on your own session / token to see if it was done through Google, Twitter, Facebook, etc and then require MFA / 2FA / OTP on the first use of that token. Does that make sense?

You could run your own TOTP microservice using Browser Authenticator which has the components you need to generate and verify a key and token in the browser and Node Authenticator which has the complementary server-side code.

Just add your own storage mechanism and an https call to the microservice, update the session / token, and voilà, you've added two-factor / multi-factor / one-time password authentication right on top of them.

coolaj86 Avatar answered Oct 05 '22 23:10
