Quoting Alex mysqlstudent@gmail.com:
Hi,
Unfortunately the best way to do multifactor authentication today
is to use OAUTH2, which isn't currently supported for own
installations. Or you can use client certs.If you want to use some kind of MFA with tokens, you end up having
to feed your token all the time. So the best option, for now, is
device passwords.Client certs appears to be a good solution.
What's the process for managing them with more than a hundred client
accounts?I believe the problem they are trying to solve is hacked accounts from compromised passwords. Does client certs solve that problem?
Client certs would solve that - but you'll need some management around
it (creation/deployment/renewal/device changes/etc). The easiest
method is to run MDM and PKI infrastructure, but with 100 clients I
kinda doubt that's in place and I wonder if they have the budget for it.
Another option, not open source, but if you engage Recorded Future,
you can get a report and notifications of password compromises, and
then take action on that info (ie, force affected user to change
password).
Alternatively, and free, don't use the email address as the username
for authenticaiton, use some other generic ID.
Rick