This session will include the following subject(s):
Keystone support for One Time Password (OTP):
The Keystone authentication model can be easily extended to support OTP (one-time password). OTP doesn't need to be mandatory, so it won't break existing deployments. This can be used as a building block to support multi-factor authentication (MFA).
A few use cases that would benefit from OTP:
* User password update. If the user has enabled OTP, then Horizon can ask for the OTP in addition to the old password.
* Any self-service operation.
* Initial login process in the console.
(Session proposed by Haneef Ali)
Password Policy and Lifecycle Management:
For users managed by Keystone, we need password policy and lifecycle management capabilities in order to satisfy enterprise security requirements. The challenge is an inconsistent user experience if we have a mixture of Keystone-managed and third-party-managed users. But if we can make these features configurable (say, per domain) we should be OK. Let's discuss what we can do in Juno and beyond.
1. Account lockout after x consecutive failed logins.
2. Force change password on the next login.
3. Password expiry.
4. Password recovery. (Knowledge-based? i.e. security questions)
5. Password composition enforcement. (i.e. min and max length, must consist of alphanumeric characters, at least 1 special character, etc.)
6. Password rotation.
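As an added illustration (not code from this session or from Keystone itself) of how items 1, 2, 3, 5 and 6 could combine into one per-domain policy object, the sketch below implements lockout, forced change, expiry, composition checks and reuse prevention; the class names, thresholds, digest helper and fixed clock are all assumptions made for the example.

```python
import hashlib, re
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class PasswordPolicy:  # hypothetical per-domain knobs; numbers refer to the list above
    lockout_failures: int = 5                # 1. lock after x consecutive failures
    max_age: timedelta = timedelta(days=90)  # 3. expiry
    min_length: int = 8                      # 5. composition
    require_special: bool = True
    history_size: int = 3                    # 6. rotation: no reuse of the last n

@dataclass
class UserRecord:
    history: list                  # password digests, newest first
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False
    must_change: bool = False      # 2. forced change on next login

NOW = datetime(2014, 5, 1)         # constructed fixed clock keeps the example deterministic
def digest(password):  # demo only; real storage uses a slow, salted password hash
    return hashlib.sha256(password.encode()).hexdigest()
def make_user(password, age_days):  # constructed user whose password is age_days old
    return UserRecord([digest(password)], NOW - timedelta(days=age_days))

def composition_problems(policy, password):
    checks = {"length": len(password) >= policy.min_length,
              "alphanumeric": bool(re.search(r"[A-Za-z]", password) and re.search(r"\d", password)),
              "special-char": not policy.require_special or bool(re.search(r"[^A-Za-z0-9]", password))}
    return [name for name, ok in checks.items() if not ok]

def record_login(policy, user, credentials_ok, now=NOW):
    if user.locked:                      # a locked account stays locked even on a good password
        return "locked"
    if not credentials_ok:
        user.failed_attempts += 1
        user.locked = user.failed_attempts >= policy.lockout_failures
        return "locked" if user.locked else "failed"
    user.failed_attempts = 0             # success resets the consecutive-failure counter
    expired = now - user.password_set_at > policy.max_age
    return "must_change" if user.must_change or expired else "ok"

def change_password(policy, user, new_password, now=NOW):
    problems = composition_problems(policy, new_password)
    if digest(new_password) in user.history[:policy.history_size]:
        problems.append("reused")
    if not problems:                     # only accept when every check passed
        user.history.insert(0, digest(new_password))
        user.password_set_at, user.must_change = now, False
    return problems
```

A per-domain deployment would keep one PasswordPolicy per domain (for example a stricter lockout threshold for an enterprise domain) and pass the caller's domain policy into these functions.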