ESUP-OTP: an open source multi-factor authentication provider for CAS (Lightning talk at Open Apereo 2021 ) [23 février 2022]

 Description

Out of the box, Apereo CAS supports several multifactor authentication (MFA) providers : Duo Security, Twilio Authy, Acceptto, YubiKey, WiKID, FIDO, Swivel Secure, Google Authenticator, ... Most of them are not open-source, are expensive (fee per user and per month) and are not self-hosted.

The ESUP-Portail consortium proposes an alternative named ESUP-OTP which implements several methods for generating single-use passwords: SMS, Time-based One-Time Password (TOTP), random code list, mobile push notifications and use of NFC tag. ESUP-OTP is fully open source (MIT License) and free.

This project consists of 4 applications:
> esup-otp-api: a restful api to generate, send and verify one-time codes.
> esup-otp-manager: the web user interface to manage esup-otp-api. It allows end-users to edit their authentication preferences and admins to configure the platform, assist users having lost/forgotten their mobile phone and provide them an emergency access code, etc.
> esup-otp-cas: the module to be embedded in CAS to make esup-OTP MFA work with CAS.
> esup-otp-push: a mobile application used as an additional authentication factor using push notifications. This application is known as Esup-Auth on Google Play Store and will soon be available on the AppStore for iOS devices. All the source code can be found on the Esup-Portail's Github repository.

In this Lightning Talk, we will try to convince you that ESUP-OTP is a(n) (in)credible open source alternative for doing MFA with the Apereo CAS project!

Mots clés : 2021 21 android apereo application authentication cas conference esup-otp ios lightning lightning talk mfa mobile multi-factor oa21 open open apereo otp presentation talk