Since Yubico make such a big deal of providing "two-factor authentication" (e.g. http://www.yubico.com/yubikey
), it seems strange that it's not implemented centrally.
If I understand this right: every application which wants to use two factor authentication - like this forum for example - has to (a) keep its own local database of passwords, or access some shared internal database; and (b) either prompt for the password separately, or split the entered code into password prefix + OTP suffix, and validate them both.
ISTM there would be value in providing this service centrally, i.e. be able to configure a password prefix for your token, which the cloud auth service checks on each auth, and being able to change it online. However, care would be required that the API keys are being used properly to protect the password in transit; and there would have to be some sort of password recovery process (perhaps linked to a master key, like yubirevoke)
The stripping and checking of password prefix could be requested by a flag at API call time, so that applications which want to check *only* the yubikey response can continue to do so.
Has this idea been considered and discounted?
Another option would be modifying pam_yubico to have a password prefix for each user (either in the yubikey_mappings file or in LDAP), which would at least support those applications which use PAM.
I have two particular applications in mind:
(1) RADIUS. I have freeradius up and running doing basic yubikey auth for VPN authorization. For 2-factor auth I'll have to configure it to split the User-Password into prefix + 44 char suffix (doable with regexp match), then check the prefix against a local file before using auth_pam. (Actually it's possible to require both auth_pam and auth_pap using configurable failover, but I think they both check the same User-Password attribute). This is rather fiddly though.
(2) Kerberos with Yubikey preauth:https://www.nordu.net/~linus/INSTALL-krb5-fast-otp.html
I haven't set this up yet. However I see it uses the yubico C client library rather than PAM, so I don't think there's a simple hook for adding password prefix checking. If the cloud API did the prefix checking then of course this would just work.