User-friendly screenlock with strong authentication
Submitted by birger
Link to original bug (#599034)
Description
I have a proposal for a screen lock function that would combine user-friendliness with strong authentication. Perhaps this isn't the correct component. If so, please reassign it.
I would like a screen lock that is centered around the mantra of 2 factor authentication. Something you have and something you know. Some kind of plugin architecture should exist so site admins can determine what is acceptable policy.
This may be doable in pam, but I think it should be configurable as part of a gnome desktop setup (Say Sabayon, everyone). Also, the plugins should be able to initiate unlocking on their own.
Of course site admins should be able to enforce use of either type of plugin alone or in combination. Not everyone may want to use both kinds of authentication.
Default 'something you know': The unix password
Optional 'something you know': pin code. Default 4 digits.
Default 'something you have': Nothing
Optional 'something you have':
- blueproximity (low-security as it doesn't properly authenticate the phone)
- mobile-otp (rsa-like token codes on your cell phone)
- rsa?
It should be possible to specify how often each plugin needs to authenticate. As an example:

Something you have: Only after screen has been locked for X minutes
Something you know: Always
Perfect for RSA or mobile-otp solutions. You don't need to enter the token code every time the screen locks. Just your pin-code.

Something you have: Always
Something you know: Only after screen has been locked for X minutes
Perfect for something like blueproximity (screen automagically unlocks when you get close). But just stealing your cellphone isn't enough to unlock the screen after X minutes.
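The two frequency policies above, modelled as an added example that is not part of the bug report or of any GNOME code: each plugin is either always required or required only once the screen has been locked for at least X minutes, and a plugin that initiates an unlock on its own (the blueproximity case) succeeds only if it alone satisfies the policy at that moment. The plugin names, the policy layout and X = 30 minutes are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional, Set


class Factor(Enum):
    KNOW = "something you know"
    HAVE = "something you have"


@dataclass(frozen=True)
class PluginPolicy:
    name: str                            # hypothetical plugin name
    factor: Factor
    after_minutes: Optional[int] = None  # None: always required; N: required only once locked >= N min
    can_initiate_unlock: bool = False    # plugin may trigger an unlock by itself (e.g. phone in range)


def required_plugins(policies: Iterable[PluginPolicy], locked_minutes: int) -> List[PluginPolicy]:
    """Plugins that must authenticate for an unlock attempt after `locked_minutes`."""
    return [p for p in policies
            if p.after_minutes is None or locked_minutes >= p.after_minutes]


def unlock_allowed(policies: Iterable[PluginPolicy], locked_minutes: int, satisfied: Set[str]) -> bool:
    """True only when every currently required plugin has authenticated."""
    return all(p.name in satisfied for p in required_plugins(policies, locked_minutes))


def plugin_initiated_unlock(policies: Iterable[PluginPolicy], locked_minutes: int) -> bool:
    """A self-initiated unlock counts only the initiating plugins as satisfied, so once the
    knowledge factor has become due the 'something you have' factor alone cannot open the screen."""
    initiators = {p.name for p in policies if p.can_initiate_unlock}
    return bool(initiators) and unlock_allowed(policies, locked_minutes, initiators)


def factors_enforced(policies: Iterable[PluginPolicy], required: Set[Factor]) -> bool:
    """Site-admin check: the configuration covers every factor type the site policy demands."""
    return required <= {p.factor for p in policies}


# Constructed policies mirroring the report's two examples (X = 30 minutes is an assumption).
TOKEN_POLICY = (PluginPolicy("mobile-otp", Factor.HAVE, after_minutes=30),
                PluginPolicy("pin", Factor.KNOW))
PROXIMITY_POLICY = (PluginPolicy("blueproximity", Factor.HAVE, can_initiate_unlock=True),
                    PluginPolicy("unix-password", Factor.KNOW, after_minutes=30))

if __name__ == "__main__":
    for label, policy in (("token", TOKEN_POLICY), ("proximity", PROXIMITY_POLICY)):
        for minutes in (5, 45):
            print(label, minutes, [p.name for p in required_plugins(policy, minutes)],
                  "self-unlock:", plugin_initiated_unlock(policy, minutes))
```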
A more advanced version of blueproximity would be nice. Something that actually verified a certificate on the cellphone or integrated with mobile-otp transmitting the token code over bluetooth.