Multiple tokens support

Michiel Kodde edited this page Nov 14, 2017 · 1 revision

Introduction

Users want to be able to use multiple tokens. For example, a Registration Authority (RA) needs a Yubikey, but also wants to log in to another application that requires LoA 2 from an iPad. For the application on the iPad the user wants to use a Tiqr token, because a Yubikey is hard to use with an iPad.

Requirements

A user must not be able to register multiple tokens of the same type. E.g. a user cannot register two SMS numbers. If a user already has a token of type X this token must first be revoked before a new token of type X can be registered.

The rationale for this:

  • Prevent confusion: which of my Tiqr tokens should I select?
  • Security: a user having many tokens leads to unused tokens which may have been lost without the user noticing this.

There is a configurable (through parameters.yml) maximum number of tokens that a person can have. The default is two. Revoked tokens do not count towards the maximum; all other tokens do.

When a user has multiple tokens that could provide the desired LoA during an authentication, a screen needs to be shown on the gateway that allows the user to select the desired token to use.

Implementation notes

To facilitate these requirements, changes have been made to the gateway, middleware and self service applications. The paragraphs below describe these changes per application.

Self service

The self service has been made aware of the tokens already registered by the user. Tokens that are already registered are not available for another registration.

A number_of_tokens_per_identity configuration parameter was added. This parameter should be set to the maximum number of tokens a user can register.

Gateway

When a user has vetted multiple tokens, the gateway must be able to present the user with a token selection screen. This screen is only shown if the user has more than one suitable token (a token with a high enough LoA for the request). The user chooses a token by selecting it in a 'WAYF'-like screen.

This screen is available on the following route: /choose-second-factor. No additional access restrictions apply except for the default ones (you need a valid AuthNRequest).

Middleware

When a token is vetted by an RA, an additional check is performed to ensure the user does not register more tokens than allowed. This check was previously performed only in the self service application; performing it again in the middleware ensures compliance with the rule even when a registration does not pass through self service.

An additional config parameter was added to the parameters config file to set the maximum number of allowed tokens per identity (number_of_tokens_per_identity). The default (in code) is set to one.
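The registration and selection rules described under Requirements, Gateway and Middleware above, as an added stand-alone model (example code, not part of Stepup). The Token model, the function names and the LoA values of the sample tokens are assumptions; the same `registration_refusal` check is meant to run both in self service and again when the RA vets the token.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """A second factor as seen by the registration policy (constructed model)."""
    type: str        # e.g. "sms", "yubikey", "tiqr"
    loa: int         # level of assurance this token can provide (assumed values)
    revoked: bool = False


def active_tokens(tokens):
    """Revoked tokens count neither towards the maximum nor for the per-type rule."""
    return [t for t in tokens if not t.revoked]


def registration_refusal(tokens, new_type, max_tokens=2):
    """Return None if a token of new_type may be registered, otherwise the reason.

    Rule 1: only one non-revoked token per type (revoke the old one first).
    Rule 2: at most max_tokens (number_of_tokens_per_identity) non-revoked tokens.
    """
    active = active_tokens(tokens)
    if any(t.type == new_type for t in active):
        return f"token of type {new_type!r} already registered; revoke it first"
    if len(active) >= max_tokens:
        return f"maximum of {max_tokens} tokens reached"
    return None


def tokens_for_loa(tokens, required_loa):
    """Non-revoked tokens that satisfy the LoA required by the AuthnRequest."""
    return [t for t in active_tokens(tokens) if t.loa >= required_loa]


def needs_selection_screen(tokens, required_loa):
    """The gateway shows /choose-second-factor only for more than one candidate."""
    return len(tokens_for_loa(tokens, required_loa)) > 1


if __name__ == "__main__":
    # Constructed sample: the RA from the introduction, whose old SMS token was revoked.
    ra = [Token("sms", 2, revoked=True), Token("yubikey", 3), Token("tiqr", 3)]
    print(registration_refusal(ra, "yubikey"))          # duplicate type refused
    print(registration_refusal(ra, "sms"))              # two active tokens: maximum reached
    print(registration_refusal(ra, "sms", max_tokens=3))  # None: revoked sms does not count
    print(needs_selection_screen(ra, 2))                # True: yubikey and tiqr both qualify
```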