Loading…
This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
View analytic
Thursday, May 15 • 2:20pm - 3:00pm
Locally-managed identities

Sign up or log in to save this to your schedule and see who's attending!

https://etherpad.openstack.org/p/juno-keystone-locally-managed-identities

This session will include the following subject(s):

Keystone support for One Time Password ( OTP):

Keystone authetnication model can be easily extended to support OTP (One time password). OTP doesn't need to be mandatory so it won't break existing deployment. This can be used as a building block to support Multi factory authentication (MFA).

Few use cases which will benefit from OTP
* Users password update. If user has enabled OTP, then horizon can ask for OTP besides old password
* Any self service operation
* Initial login process in console




(Session proposed by Haneef Ali)

Password Policy and Lifecycle Management:

For users managed by Keystone, we need to have password policy and lifecycle management capability in order to satisfy the enterprise security requirements. The challenge is inconsistent user experience if we have a mixture of Keystone-managed and 3rd party managed users. But if we can make these features configurable (say per domain) we should be OK. Lets discuss what we can do in Juno and beyond.

1. Account lockout after x consecutive failed login.
2. Force change password on the next login.
3. Password expiry.
4. Password recovery. (Knowledge-based? i.e. security questions)
5. Password composition enforcement. (i.e. min and max length, must consist of alphnumeric, least 1 special-char, etc)
6. Password rotation

(Session proposed by Guang Yee)


Thursday May 15, 2014 2:20pm - 3:00pm
B306

Attendees (45)