Frugal Two-factor Authentication System

Taferno Documentation

The documentation describing the usage of the Taferno System from a user and administrator perspective is available from the "Help" link on the login pages of the Taferno System. Once logged in, they continue to be accessible on the Navigation Bar.

Installation documentation, upgrade instructions, release notes etc. are available in the source tarball from Sourceforge.net.

Pictorial Overview

Taferno Overview Diagram

Overview of the Two-factor Authentication Process

On the USB flash drive is a file titled "Taferno-Login.html". Embedded in this file is a Cryptographic Message (CM). The CM is created by encrypting the user's Login ID, along with the start and end timestamps of the CM's validity period for that user, using the Public Key of the Taferno System server.

Loading Taferno-Login.html from the USB flash drive in a web browser displays a web page with the CM already pre-populated. When the user supplies the Login ID and password and clicks the Submit button, the Taferno System server decrypts the CM using its Secret/Private Key. If decryption succeeds, it extracts the Login ID from the CM and compares it to the Login ID supplied; if they match, it proceeds to verify the password, the validity period of the CM, etc. If all the authentication steps succeed, the database is updated with the required fields and the Taferno System firewall is notified to allow access from the specified IP address. The user can then proceed with the desired network operation/access (VPN, SSH, Web SSO, etc.).
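The CM round-trip described above, as an added illustration in Go (not Taferno's own code): the CM layout, the use of RSA-OAEP and the whitespace-free Login ID are assumptions, since the page does not specify Taferno's actual encoding.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Assumed CM layout (the real Taferno encoding is not given on this page):
// "loginID startUnix endUnix" encrypted to the server's RSA public key with OAEP.
// Login IDs are assumed to contain no whitespace.
func makeCM(pub *rsa.PublicKey, loginID string, start, end time.Time) ([]byte, error) {
	plain := fmt.Sprintf("%s %d %d", loginID, start.Unix(), end.Unix())
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(plain), nil)
}

// verifyCM applies the server-side checks in the order the overview gives them:
// decrypt with the private key, compare the embedded Login ID to the one the user
// typed, then confirm "now" lies inside the validity window (password check not shown).
func verifyCM(priv *rsa.PrivateKey, cm []byte, suppliedID string, now time.Time) error {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, cm, nil)
	if err != nil {
		return errors.New("CM does not decrypt under the server key")
	}
	var id string
	var start, end int64
	if n, err := fmt.Sscanf(string(plain), "%s %d %d", &id, &start, &end); err != nil || n != 3 {
		return errors.New("malformed CM")
	}
	// Constant-time compare: a mismatch should not leak anything about the embedded ID.
	if subtle.ConstantTimeCompare([]byte(id), []byte(suppliedID)) != 1 {
		return errors.New("login ID in CM does not match the Login ID supplied")
	}
	if t := now.Unix(); t < start || t > end {
		return errors.New("CM is outside its validity window")
	}
	return nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	cm, _ := makeCM(&priv.PublicKey, "alice", now.Add(-time.Hour), now.Add(24*time.Hour))
	fmt.Println(verifyCM(priv, cm, "alice", now), verifyCM(priv, cm, "mallory", now)) // <nil>, then the mismatch error
}
```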

Typically the firewall rules stay in effect for 10 minutes (the default). If the desired network operation/access is not initiated within that time, the firewall rules will have expired and the user will have to re-authenticate.

In the case of Web SSO, closing the browser session will destroy the secure cookie (TafernoSSO) that the Taferno System created. Applications are free to create their own session cookies after validating the TafernoSSO cookie. In this case, logging out of the Taferno System will not log the user out of the application.

In the case of OpenVPN, the generated OTP (One Time Password) will need to be used with the OpenVPN client.

In the case of OpenVPN and SSH access, the IP address of the system running the OpenVPN client must match the "IP Address to be allowed:" field on the Taferno login page. Note that web traffic may be proxied, but VPN and SSH traffic may not be; in such cases, the "IP Address to be allowed" field must be adjusted accordingly.