Something you have. Something you are. Something you know. Pick two. This is the conventional wisdom for the basis of secure multi-factor authentication.
This topic came up a few times in the lead-up to the OpenStack Summit in San Diego. The question was how to enforce multi-factor authentication with Keystone tokens. Here is what we came up with:
Each token will contain a set of authentication mechanisms used to produce it. If you start with a user-id and password, then that set would contain
Now you use that token to get another token, but add in an additional level of authentication, say a biometric like a fingerprint scan. Now the set contains:
Any service that needs to consume this token will then have a policy rule that enforces:
Ignore the strict format of the policy, this just gives a sense of the concept.
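As an added illustration of the scheme described above (this is not Keystone's code, and all names here are invented), the following Python model shows the three pieces: a token records the set of authentication methods used to produce it, exchanging that token plus one further verified factor yields a new token with a larger set, and the consuming service's policy rule checks that set. The biometric verifier itself is out of scope, so `add_factor` takes its result as a boolean; the credential store is a constructed sample.

```python
# Added example (not Keystone code): a toy model of a token that records the
# set of authentication methods used to produce it, a re-authentication step
# that derives a new token with an additional method, and a policy rule that
# a consuming service applies to that set. All names are invented.
import hmac
import secrets
from typing import Callable, Dict, Iterable, Optional

# Constructed sample credential store: user id -> password.
PASSWORDS: Dict[str, str] = {"alice": "correct horse battery staple"}


class TokenStore:
    """Server-side record of issued tokens (hypothetical, in-memory)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, dict] = {}

    def issue(self, user_id: str, methods: Iterable[str]) -> str:
        token_id = secrets.token_urlsafe(24)
        self._tokens[token_id] = {"user_id": user_id, "methods": frozenset(methods)}
        return token_id

    def lookup(self, token_id: str) -> Optional[dict]:
        return self._tokens.get(token_id)


def authenticate_password(store: TokenStore, user_id: str, password: str) -> str:
    """First factor: user id + password yields a token whose method set is {"password"}."""
    expected = PASSWORDS.get(user_id)
    # Constant-time comparison so timing does not leak which part was wrong.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        raise PermissionError("bad user id or password")
    return store.issue(user_id, {"password"})


def add_factor(store: TokenStore, token_id: str, method: str, verified: bool) -> str:
    """Exchange an existing token plus one more verified factor for a new token.

    The new token's method set is the old set plus the new method; the old
    token is left untouched, so it still carries only the factors that produced
    it. `verified` stands in for the result of the factor's own verifier (for
    example a fingerprint matcher), which is outside this example.
    """
    token = store.lookup(token_id)
    if token is None:
        raise PermissionError("unknown token")
    if not verified:
        raise PermissionError(f"{method} verification failed")
    return store.issue(token["user_id"], token["methods"] | {method})


def requires_methods(*required: str) -> Callable[[dict], bool]:
    """Policy rule: every listed method must be present on the token."""
    needed = frozenset(required)

    def rule(token: dict) -> bool:
        return needed <= token["methods"]

    return rule


def enforce(store: TokenStore, token_id: str, rule: Callable[[dict], bool]) -> bool:
    """What a consuming service does: validate the token, then apply its policy rule."""
    token = store.lookup(token_id)
    return token is not None and rule(token)


def demo() -> dict:
    """Walk through the two-step flow and report what each token carries."""
    store = TokenStore()
    t1 = authenticate_password(store, "alice", "correct horse battery staple")
    # Simulate the fingerprint verifier succeeding on the second step.
    t2 = add_factor(store, t1, "fingerprint", verified=True)
    two_factor = requires_methods("password", "fingerprint")
    return {
        "t1_methods": set(store.lookup(t1)["methods"]),
        "t2_methods": set(store.lookup(t2)["methods"]),
        "t1_allowed": enforce(store, t1, two_factor),
        "t2_allowed": enforce(store, t2, two_factor),
    }


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is that the password-only token is still valid for services whose rule only requires `password`; the two-factor rule rejects it while accepting the token derived from it, which is exactly the per-service enforcement the policy rule is meant to give you.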
This mechanism is only essential if you want Keystone to take part in your two-factor authentication scheme. If you are currently protecting web services with a two-factor authentication mechanism, you can treat Keystone like any other service and have it protected by your existing authentication, once the REMOTE_USER mechanism is committed, which will be very shortly.
EDIT: Link to the blueprint