Does it make sense to split two-factor authentication between identity providers
A common multi-factor authentication solution will ask a user for a username+password and a one-time password.
In all documents I can find, both factors are asked for by the same identity provider. This can be the website itself or, for example, when it supports 'Login with Google', it can be Google who also asks for an OTP.
On our website users can authenticate with SAML against their corporate Active Directory.
We are considering adding a second factor like TOTP in our application. That way the first factor would be the SAML authentication and the second-factor authentication would come from our website.
Somehow this feels weird to me. Is this a brilliant solution or a bad (insecure) plan?
Authentication with SAML uses a password in the corporate directory. This password is one authentication factor. The TOTP uses a key (password) that has nothing to do with the password in the corporate directory. Thus these are two independent factors. For authentication an attacker will need to know both.
Both factors are based on the knowledge of some secret. Normally it is better to use factors of different types, e.g. one based on knowing something and one based on possessing something (like a token, card, or smartphone) or being something (like a fingerprint).
But in reality TOTP does not require the user to enter the key each time. Usually the key is generated randomly and stored in the device, e.g. in the token. This token generates codes based on the key and the current time. To compromise this factor it is often easier to compromise the token (e.g. steal it) than to extract the key from it or to retrieve the key from the security system. Thus the security of TOTP is effectively based not on the knowledge of the key, but on the possession of the token.
Thus 2FA in your case is based on knowledge (of the password in corporate directory) and possession (of the TOTP hardware token).
This approach is reasonable and is more or less common. Of course the real strength of the security depends on many things:
- The entropy of the passwords in the corporate directory (if it is low, such passwords can be more easily brute-forced)
- How password management is implemented in your company (e.g. who is allowed to reset passwords for users, and in what cases)
- How TOTP is organized (e.g. who can get access to the TOTP key on the server side)
- How disciplined users are (whether they keep their passwords secret or write them down and make them accessible to others)
- How well users take care of TOTP tokens (e.g. do they inform your company immediately when they notice that a token is lost/stolen)
But the approach itself is reasonable.