Custom seeds for TOTP

[kkimmo]

Hello.

I just installed Neos-sdi and had some challenges: after configuring and enrolling one user (TOTP), when trying to authenticate, MFA did not work because of the "server not operational" error:
"Exception details:
Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationException: The server is not operational.
at Neos.IdentityServer.MultiFactor.AuthenticationProvider.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
"
I'm using AD as a storage and data access account seemed to work because I got data to msDS-clountext attributes. I then added domain\ to the data access account and magically it started to work. If I encounter that problem again, what would be the best way to figure out the problem, is there any options to get more logging etc?

Then the real question... We currently have openvpn and it has MFA with custom plugin: plugin stores TOTP seeds into AD attribute for each user.
So we have TOTP authenticator rolled to the users and it would be nice to use the same TOTP seed with Neos MFA.

Our TOTP seeds are simple strings such as "neos-sdi" (base32 encoded and encrypted). I'm thinking of converting our existing seeds so that Neos-sdi could use those: any tips, how one could do that, what is the format of the seed stored by neos to msDS-cloudExtensionattribute10 (mg://xxxx). Is that seed encrypted by General Security Properties->Passphrase?

If we are not able to use existing seeds, what would be the best way to enroll QR-codes to end users? Is there any way to let users to see their QR code with some plain PIN-code or password protected page (we want to allow only TOTP as MFA method)?

Cheers,
Kimmo

[redhook62]

Hi @kkimmo

If you have correctly set up the data access account (read/write) there is no reason for it not to work anymore. Indeed, this account must be prefixed with its domain domain\accesuser, because the component is mult-forest/multi-domains.

If you want to unify the totp code with your openvpn (does this make sense for security?) you have 2 options.

• Modify the openvpn side implementation, if you have the source code. if this is your choice look in the source file RNG Key Manager the RNGKeyManagerV2 class and especially in RNG Encryption the RNGEncryption class.

• Implement your own TOTP provider with the openvpn implementation and thus replace the default TOTP provider.

You can take inspiration from the examples provided.

1. TOTP Provider: TOTP Provider Sample

2. Quiz Provider: Quiz Provider Sample

3. To replace the encoding of the RNG key you can also look at this example: Cesar Key Manager

The RNG key is a random number between 128 and 512 bits, the username is injected as a checksum into the key to prevent copying from one user to another.
An XOR operation is applied (using the configuration passphrase). the key is stored in BASE64 with rng:// as a prefix.
for using, after decryption the key is extracted, the standard operations for totp are carried out (Base32, Time, etc...)

[kkimmo]

Tried to decode one seed but did not have luck (and proper skills).

I checked the secret key from MMC snapin for one test user and assume it's base32 encoded in the snap in so it can be more easily copy-pasted or typed into authenticator. If I try to base32 decode that secret key, I do not get anything containing random number/injected username, just not readable characters.
Same with the base64 encoded rng://, base64 decoding and after that, XORin with configuration password does not get me anything readable.
Maybe I have misunderstood how the key is stored and encrypted?

Another thing: is there any documentation about the Enrollment Wizard? One reason for the unifying codes is that we already have enrollment process to openvpn codes/qr-code but is not the nicest one. Using Neos Enrollment Wizard could be better option but did not find any examples or info about it.

[redhook62]

Hi,

The simplest in your case is to operate the MFA in the same way as your VPN system.
For this, the best solution is to develop a component exploiting this interface: ISecretKeyManagerActivator as in the example :
Caesar Key Manager

If you don't have the capacity to develop it yourself or with your teams. please describe to us precisely how the keys are managed in your VPN system, then we can see if we can provide you with an implementation. to transmit any confidential information please go through the email address present in the source codes.