<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
"http://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
<title></title>
</head>
<body style="font-family:Arial;font-size:14px">
<p>Quoting Alex <<a href="mailto:mysqlstudent@gmail.com">mysqlstudent@gmail.com</a>>:</p>
<blockquote style="border-left:2px solid blue;margin-left:2px;padding-left:12px;" type="cite">
<p>Hi,<br></p>
<blockquote style="border-left:2px solid blue;margin-left:2px;padding-left:12px;" type="cite">
<p>Unfortunately the best way to do multifactor authentication today is to use OAUTH2, which isn't currently supported for own installations. Or you can use client certs.<br>
<br>
If you want to use some kind of MFA with tokens, you end up having to feed your token all the time. So the best option, for now, is device passwords.</p>
</blockquote>
Client certs appears to be a good solution.<br>
<br>
What's the process for managing them with more than a hundred client accounts?<br>
<br>
I believe the problem they are trying to solve is hacked accounts from<br>
compromised passwords. Does client certs solve that problem?</blockquote>
<p>Client certs would solve that - but you'll need some management around it (creation/deployment/renewal/device changes/etc). The easiest method is to run MDM and PKI infrastructure, but with 100 clients I kinda doubt that's in place and I wonder if they have the budget for it.<br>
<br>
Another option, not open source, but if you engage Recorded Future, you can get a report and notifications of password compromises, and then take action on that info (ie, force affected user to change password).<br>
<br>
Alternatively, and free, don't use the email address as the username for authenticaiton, use some other generic ID.<br>
<br>
Rick</p>
</body>
</html>