OpenMFA

Purpose

OpenMFA is a set of custom Linux Pluggable Authentication Modules (PAM) that add multi-factor authentication to SSH logins without interfering with common data transfer protocols (SCP, SFTP, rsync, etc.). It provides a mechanism for exempting specific accounts or IP ranges, supports SSH public key authentication as a first factor, and supports either opt-in or mandatory deployments, so that large user bases can be transitioned in stages.

Overview

When logging in via SSH to a system with OpenMFA installed, users must first either enter a correct password or present an authorized public key as the first factor of authentication. For the second factor, OpenMFA requires that each user own a device that delivers a time-based, one-time-use token code through one of the following three options:

  • Soft Token -- smartphone-based application;
  • SMS Token -- SMS text message;
  • Hard Token -- key fob with an LCD screen.
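The two policy pieces described above, the time-based one-time token check and the exemption of specific accounts or IP ranges under an opt-in or mandatory rollout, can be sketched in a few dozen lines. The block below is an added illustration written for this page; it is not OpenMFA's own code and does not reflect how the project's PAM modules are structured. The function and class names (`hotp`, `totp`, `TotpVerifier`, `mfa_required`), the `window` and `mode` parameters, and the sample secret (the RFC 4226/6238 test secret "12345678901234567890") are assumptions of the example. The TOTP arithmetic itself follows RFC 6238 (HMAC-SHA1, 30-second step), which is what a soft token, SMS gateway or LCD key fob would also compute.

```python
"""Added example (not OpenMFA code): RFC 6238 TOTP check with one-time-use
enforcement, plus the account / IP-range exemption policy described on the page."""
import hashlib
import hmac
import ipaddress
import struct
from typing import Dict, Iterable


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Verifies a submitted code and refuses to accept any time step twice.

    `window` is the number of 30-second steps of clock drift tolerated on each
    side (an assumption of this example; a deployment picks its own value).
    """

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        # Highest counter already accepted per user: makes codes one-time-use.
        self._last_counter: Dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str, now: int) -> bool:
        counter = now // self.step
        last = self._last_counter.get(user, -1)
        for drift in range(-self.window, self.window + 1):
            c = counter + drift
            if c <= last:
                continue  # already consumed, or older than a consumed step
            # Constant-time comparison so the check does not leak matching digits.
            if hmac.compare_digest(hotp(secret, c, self.digits), code):
                self._last_counter[user] = c
                return True
        return False


def mfa_required(user: str, client_ip: str, mode: str,
                 exempt_users: Iterable[str],
                 exempt_networks: Iterable[str],
                 enrolled_users: Iterable[str]) -> bool:
    """Decide whether the second factor is demanded for this login.

    mode is "mandatory" (everyone not exempt) or "opt-in" (only enrolled users);
    these mode names are an assumption of the example.
    """
    if user in set(exempt_users):
        return False
    ip = ipaddress.ip_address(client_ip)
    if any(ip in ipaddress.ip_network(n) for n in exempt_networks):
        return False
    if mode == "opt-in":
        return user in set(enrolled_users)
    if mode == "mandatory":
        return True
    raise ValueError(f"unknown deployment mode: {mode!r}")


if __name__ == "__main__":
    # Constructed sample data: the RFC 6238 test secret and a toy policy.
    secret = b"12345678901234567890"
    verifier = TotpVerifier()
    policy = dict(mode="opt-in", exempt_users=["backup"],
                  exempt_networks=["10.0.0.0/8"], enrolled_users=["alice"])
    if mfa_required("alice", "192.0.2.10", **policy):
        print("alice, code", totp(secret, 59), "at t=59:",
              verifier.verify("alice", secret, totp(secret, 59), 59))
        print("same code replayed:",
              verifier.verify("alice", secret, totp(secret, 59), 59))
    print("backup from 10.1.2.3 needs MFA:",
          mfa_required("backup", "10.1.2.3", **policy))
```

Exemptions are evaluated before the token check, which is the order that lets automated transfer accounts and trusted management networks skip the interactive prompt while everyone else is challenged; the one-time-use bookkeeping in `TotpVerifier` is what keeps a code captured from an SMS or a shoulder-surfed fob from being replayed within its validity window.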

Service providers that deploy OpenMFA benefit directly by meeting the security standard now expected across the industry, and by avoiding the cost of commercial licenses, which can run to many thousands of dollars each year. All users benefit from the added security of multiple authentication factors while keeping most of the ease of use and convenience they have come to expect from their institution's identity management resources.

System administrators and developers are able to deploy and fully control free and open technology tailored specifically for this purpose. Service providers can adopt OpenMFA to raise their own level of service and benefit from being viewed as technology leaders in this area and responsible stewards of public information resources.

Impact

OpenMFA is currently used on most of TACC's production HPC systems including Stampede2, Lonestar5, Maverick, Wrangler, Ranch, Corral, Rustler, and Hikari.

Links

https://github.com/TACC/OpenMFA

Funding Source

NSF Award 1134872: Enabling, Enhancing, and Extending Petascale Computing for Science and Engineering

DOI

https://zenodo.org/badge/latestdoi/70610740

Paper Reference

Forthcoming

W. Cyrus Proctor

HPC Research Associate, High Performance Computing
cproctor@tacc.utexas.edu | 512-475-9411