<div dir="ltr">Hi All,<br><br>
This proposal is to add two-factor authentication to OpenBMC via the time-based one-time password (TOTP) mechanism.<br><br>
Here is the proposed model:<br><br>
1. There will be a user-level setting, disabled by default for all users. Redfish interfaces will be implemented to enable/disable the second factor for each user on the BMC.<br>
2. A secret key will be generated on the BMC per user and shared only with that user.<br>
3. Each user whose TOTP authentication is enabled should register a TOTP generator app using the secret key shared by the BMC.<br>
4. Once TOTP authentication is enabled, the user can create sessions by passing both the password and the TOTP together.<br><br>
Here is the open-source google-authenticator PAM library, which supports TOTP-based authentication:<br>
<a href="https://github.com/google/google-authenticator-libpam">https://github.com/google/google-authenticator-libpam</a><br>
Here is the recipe for google-authenticator:<br>
<a href="https://github.com/openbmc/openbmc/blob/master/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb">https://github.com/openbmc/openbmc/blob/master/meta-security/recipes-security/google-authenticator-libpam/google-authenticator-libpam_1.09.bb</a><br>
Here are the Redfish schemas for "GoogleAuthenticator" or "MicrosoftAuthenticator":<br>
<a href="https://redfish.dmtf.org/schemas/v1/AccountService.v1_15_1.json">https://redfish.dmtf.org/schemas/v1/AccountService.v1_15_1.json</a><br><br>
Here is the Redfish forum discussion, working with the DMTF community on user-level TOTP-based authenticator configuration:<br>
<a href="https://redfishforum.com/thread/1061/multi-factor-authentication-on-accountservice">https://redfishforum.com/thread/1061/multi-factor-authentication-on-accountservice</a><br><br>
Please share your views.<br>
<div><br></div><div>Thanks &amp; Regards</div><div>Raviteja </div></div>
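To make the model in steps 2 to 4 concrete, here is an added example (not code from the proposal, OpenBMC, or google-authenticator-libpam) of what the BMC side must do when a session request carries a password plus a TOTP: derive the expected code from the per-user shared secret (RFC 4226 HOTP over the RFC 6238 time counter), allow a small clock-skew window, and remember the last accepted counter so the same code cannot be replayed within its 30-second validity. The secret below is the RFC 6238 Appendix B test secret, not a real BMC key; the replay-tracking scheme is the same idea google-authenticator-libpam implements, written here independently.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 time step in seconds
DIGITS = 6     # code length a typical authenticator app displays

# RFC 6238 Appendix B test secret ("12345678901234567890" in base32);
# a BMC would instead store a per-user secret generated at enrolment.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = STEP) -> str:
    """Code the user's authenticator app shows at Unix time `at`."""
    return hotp(base64.b32decode(secret_b32, casefold=True), at // step)


def verify_totp(secret_b32: str, code: str, at: int, last_counter: int,
                window: int = 1):
    """Check a submitted code at Unix time `at`.

    Returns (accepted, new_last_counter). Counters within +/- `window`
    steps are tried to tolerate clock skew; any counter at or below
    `last_counter` (the last one this user already used) is refused, so
    a captured code cannot be replayed. The caller persists the returned
    counter per user, alongside the secret.
    """
    secret = base64.b32decode(secret_b32, casefold=True)
    current = at // STEP
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue                       # already consumed: replay
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter           # accept and advance the marker
    return False, last_counter
```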