Example of setting up Google Authenticator TOTP with OpenZiti

Is there an example that can be provided to set up Google Authenticator TOTP with OpenZiti?

Also to elaborate on the question - is there a data flow example that can be provided in the context of how an auth policy is triggered, who sends the MFA notification to the user/identity, and that entire process in the context of integration with OpenZiti?

Hi @lzt,

Using google authenticator with OpenZiti's TOTP is no different than using any other authenticator app. The NetFoundry support page has a good overview of doing this with the windows client: https://support.netfoundry.io/hc/en-us/articles/14839039623821-Enrolling-MFA-from-Ziti-Desktop-Edge-for-Windows

and with the Mac client: https://support.netfoundry.io/hc/en-us/articles/7546607063309-Enrolling-MFA-from-Ziti-Desktop-Edge-for-Mac

You can read more about this on the docs at MFA TOTP | OpenZiti

I'll see if I can sum up the flow/how the policy is triggered...

There are two types of TOTP policies. One the user enables, one the network operator enforces. A user can enable TOTP/MFA on their own and add extra security to their identities (it's per identity, if you have more than one identity, you'll have more than one totp to handle) without the administrator enforcing/requiring it. If an OpenZiti overlay operator chooses to ENFORCE MFA/TOTP via a posture check, then the user MUST enroll their identity with MFA/TOTP in order to be able to access the services specified by the policy requiring MFA/TOTP...

'how is the policy triggered': by the network operator making it required
'who' sends the MFA notification: the Ziti Desktop Edge will inform the user

I kept it short, if there's anything still unclear let me know and I'll try to clarify.

Thanks @TheLumberjack . I apologize for any ignorance on this topic - still learning and trying to understand all the components.

Following the breadcrumbs in the MFA TOTP OpenZiti link, to enforce TOTP/MFA on users, I need to create an Auth Policy with the Require TOTP option enabled and a selected JWT Signer. I think this is the part where I'm having trouble understanding - can we add ourselves as the JWT signer and if in this example we are, does OpenZiti provide a QR code that the user then scans with their phone (Authy, Google Authenticator, etc.) and then they set up enrollment that way or is it enforced in a more automated way? After enrollment I'm assuming the TOTP/MFA authentication is all self-contained in the fabric and it doesn't need to reach out to any external services?

Yep we definitely aren't quite on the same wavelength yet! :slight_smile: No worries.

You shouldn't need a JWT Signer to be configured to "just" enforce TOTP. Let me give you an example. We'll use ziti to front https://wttr.in. A nice website that shows you the weather... So we make an identity, enroll it into the ZDEW like I did and we'll see 0 services:


Then we'll make the configs, service, and service policies to make that a reality but we'll ALSO layer on the requirement that TOTP is needed. Notice I'm making an mfa posture check and referencing it in the dial policy:

ziti edge create config "weather-svc.host.v1" host.v1 '{"protocol":"tcp", "address":"wttr.in","port":443}'
ziti edge create config "weather-svc.intercept.v1" intercept.v1 '{"protocols":["tcp"],"addresses":["wttr.ziti"],"portRanges":[{"low":443, "high":443}]}'
ziti edge create service "weather-svc" --configs "weather-svc.intercept.v1,weather-svc.host.v1" -a "weather-svc"
ziti edge create posture-check mfa weather-svc-posture-check -a "weather-posture-checks"
ziti edge create service-policy weather-svc-dial Dial --service-roles "#weather-svc" --identity-roles "#weather-svc.dialers" --posture-check-roles "#weather-posture-checks"
ziti edge create service-policy weather-svc-bind Bind --service-roles "#weather-svc" --identity-roles "#weather-svc.binders"

We now have a service, yay:

But, when we look at that service in 'details' we see:

A posture check is failing. This identity has not "mfa'ed" yet AND this identity is not enrolled in TOTP yet!

So me, the user, toggles that toggle 'on', gets the 'secret'. Opens Google Authenticator, scans the QR code.... and completes the flow:

And now I no longer see the yellow triangle and I can curl it with curl -sk https://wttr.ziti:443:

When I turn my client off/on (reboot, whatever) I'll now see this in my system tray indicating I need to "MFA". (Once you MFA, you obviously don't see this anymore)

When I open my client I'll see the identities that are still locked (the top one is the one I need to unlock)

That help? that make more sense?
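As an added illustration (not code from this thread or from OpenZiti itself), here is the TOTP arithmetic that both the authenticator app and the verifying side perform on the shared secret behind the QR code: a 30-second counter, HMAC-SHA1, dynamic truncation to 6 digits. It shows why the check can stay self-contained once enrollment has happened, since only the secret and a clock are needed. The base32 secret below is the RFC 6238 test vector, constructed for the example, not a real OpenZiti secret.

```python
"""TOTP (RFC 6238) as Google Authenticator computes it: 30 s steps, HMAC-SHA1, 6 digits."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6

# Constructed example secret: the RFC 6238 test vector "12345678901234567890" in base32.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Authenticator apps accept unpadded, lower-case, space-separated base32; normalise it."""
    s = secret_b32.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore the '=' padding b32decode insists on
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: Optional[float] = None) -> str:
    """The 6-digit code the app shows for the time step containing at_time (default: now)."""
    t = time.time() if at_time is None else at_time
    return hotp(decode_secret(secret_b32), int(t) // STEP_SECONDS)


def verify(secret_b32: str, code: str, at_time: Optional[float] = None,
           window: int = 1) -> Optional[int]:
    """Constant-time check of `code` against the current step and +/- `window` steps of drift.

    Returns the matching counter so the caller can refuse to accept that counter twice
    (replay of a still-valid code), or None if nothing matched.
    """
    t = time.time() if at_time is None else at_time
    secret = decode_secret(secret_b32)
    current = int(t) // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None
```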

Really appreciate the walkthrough, it's starting to make a bit more sense. I will let it digest a bit and follow up if I have any more questions. Thanks!