2

I'm designing an authentication scheme for a new project. People will be able to authenticate via Google / Facebook / Microsoft etc. accounts using OpenID. All these providers do support two-factor authentication.

My goal is simple: when a user registers or logs in using an OpenID principal, I want to query the authentication service and tell if the user has enabled two factor authentication or not. If he did, and passed both steps, "Welcome user", else "Sorry buddy but this site is very secure and you must enable two-factor authentication".

Is that possible using current services? I have read Google docs and found nothing about it. Since the OpenID Connect does not support any "two-step authentication" attribute for the token, nor a "strength" attribute that may be exploited, I must rely on a specific profile API that might reveal such information. But I have found none yet at least in Google APIs.

usr-local-ΕΨΗΕΛΩΝ
  • 26,101
  • 30
  • 154
  • 305

1 Answers1

1

For the record: OpenID 2.0 and OpenID Connect are different protocols. Most providers are moving away from the earlier OpenID 2.0 standard towards OpenID Connect.

Facebook does not support OpenID 2.0 nor OpenID Connect but uses its own login protocol built on top of OAuth 2.0. Google has deprecated OpenID 2.0 support in favor of OpenID Connect. Microsoft supports OpenID 2.0 for LiveID but is moving towards OpenID Connect as well; their Azure AD accounts support OpenID Connect already.

OpenID Connect supports different methods of authentication and the client may request a specified value by using the acr claim in the set of requested claims as part of the authentication request, see: http://openid.net/specs/openid-connect-core-1_0.html#acrSemantics. The provider must return a acr claim value in the id_token that matches one of the requested values. The provider may also return a amr claim that is a JSON array of strings that are identifiers for authentication methods used in the authentication.

Unfortunately the providers that you mentioned do not support the acr concept yet, so the answer would be "no", although Microsoft Azure AD does return the amr claim in the id_token.

Hans Z.
  • 50,496
  • 12
  • 102
  • 115
  • 1
    Would be really nice with a source for the statement "the providers that you mentioned do not support the acr concept". – Anders Larsen May 17 '17 at 01:13