MFA - TOTP plugin

Cantor, Scott cantor.2 at
Mon Dec 9 11:32:23 EST 2019

On 12/9/19, 7:43 AM, "users on behalf of Joseph Fischetti" <users-bounces at on behalf of Joseph.Fischetti at> wrote:

> There doesn't seem to be much discussion on here about such support; The go-to really appears to be Duo.  The main 
> differences between what I've implemented and Duo is that here there's no reliance on an outside connection for
> validating the OTP.  Once you get passed the setup, there's also 0 cost.  

Yes, but Duo has the entire enrollment component, token management, revocation, and of course the form factors that people actually like (they hate codes). So that's the "cost" inherent in any other solution, it's not free.

> OTP seeds are stored encrypted in the attribute store of your choosing (accessible via the attribute resolver).  Flow
> control is done via the MFA flow.  The IdP does nothing to maintain the seed storage. i.e. token enrollment is done out
> of band.   There's more in the readme included in the repo. [1]

That's kind of the problem, it's not a complete solution, but using the resolver to access the data is a strong play for us as a project and I'm more than happy to evaluate the code for inclusion in a release (possibly the next, just depends how much work it might be, we're close to beta).

I don't foresee significant adoption without those other pieces, but I'm also prepared to be wrong, and it isn't likely much for us to maintain because of that omission. It's a start, at least.

It appears to be Apache-licensed, so technically that frees it up for possible inclusion, but it's only polite to ask.

-- Scott

More information about the users mailing list