MFA - TOTP plugin

Joseph Fischetti Joseph.Fischetti at
Mon Dec 9 08:42:32 EST 2019

Good morning,

I've done some work developing an MFA plugin (which I forked off from what mostly seemed to be a POC) to support OTP.  Thanks Korteke for laying the groundwork.

There doesn't seem to be much discussion on here about such support; the go-to really appears to be Duo. The main difference between what I've implemented and Duo is that here there's no reliance on an outside connection for validating the OTP. Once you get past the setup, there's also 0 cost.

OTP seeds are stored encrypted in the attribute store of your choosing (accessible via the attribute resolver). Flow control is done via the MFA flow. The IdP does nothing to maintain the seed storage, i.e. token enrollment is done out of band. There's more in the readme included in the repo. [1]

Any input is appreciated (both here and offline).  



Joe Fischetti
Linux System Administrator
Marist College

E-mail: joseph.fischetti at
