Seems like lots of sites now log you in by sending a code instead of a PW. How will Aware handle this?

Jaymer

Even "big" sites like Paypal will text you a code now.
Seems like a new function is needed to convert a Guest session to a real user.
You'd have to be on an Aware screen as a Guest to enter a LoginName which exists in the SystemUsers group.
Send the SMS and then proceed to another form to enter the code.
At that point something needs to log you in YET THERE IS NO PASSWORD AVAILABLE, so a new function has to be available to Log you in and assign a VP so a FirstCommand can be executed.

Any ideas?

joben

OTP (whether you also use a password or not) is going to be crucial in the future in applications that are accessible to everyone over the internet. It is becoming harder to sell these applications when they lack MFA (or at least something better than just a password). So I hope there will be a built-in solution for this in the future.

We have a proof of concept that uses AwareIM standard password functionality combined with 6 digit OTP such as Google Authenticator or Authy.
It is still a bit buggy.
Node.js runs on the same server to handle the OTP, and we do use the guest VP for typing the OTP.
We have not tried it without a user password.
Could in theory be combined with the SMS functionality. But that is also less secure than a phone app.

From a security standpoint, I wonder if it is best practice to let the users reach the guest VP at all?
I would prefer if the password and OTP was typed at the login page, but it seems way harder to build it that way.
I mean, if you are at the guest VP, you are sort of authenticated, and perhaps able to try some malicious URL commands that wouldn't be possible at the standard login page? For instance, there was a bug way back where you could access, I think it was either the guest VP or the forgotten password function, then click "back" in the browser, and voila, you were logged in to one of the main VPs.

Just some spontaneous thoughts.

PointsWell

joben wrote
We have a proof of concept that uses AwareIM standard password functionality combined with 6 digit OTP such as Google Authenticator or Authy.

User Intra on here has a JAR that manages OTP. He made it available at the last user conference on an as is basis, with the offer of commercial support. I’m sure if you reached out to him he’d be willing to licence it to you.

kklosson

I've been considering trying to build 2FA by putting the user into a VP that opens a form for the code which is sent via email and stored in a session variable. Given the right code, the user is presented with a normal VP for their role. Again, I haven't tried to build it yet but it seems doable.

gernotlg

I've implemented my own MFA.

User logs in.. if their account is set up for MFA, or they're an admin, they get sent and EMail or SMS (depending on their settings), then a form asks for the code.. if they fail they get logged out, if they succeed, they go to their VP.

Probably has holes in it.. but then.. it's not a banking app.

Jaymer

--> "I've implemented my own MFA."
yes, this is easily doable once you log in.
but per the OP, I'm trying to simulate what many other sites do now and not require a PW to get in.

hpl123

Jaymer wrote
Even "big" sites like Paypal will text you a code now.
Seems like a new function is needed to convert a Guest session to a real user.
You'd have to be on an Aware screen as a Guest to enter a LoginName which exists in the SystemUsers group.
Send the SMS and then proceed to another form to enter the code.
At that point something needs to log you in YET THERE IS NO PASSWORD AVAILABLE, so a new function has to be available to Log you in and assign a VP so a FirstCommand can be executed.

Any ideas?

J

I have done this before and also implemented various types of MFA in Aware using SMS and email. For the problem with logging the user in, we need a way of doing this properly and programmatically. I used multiple access levels to achieve this and then I used the e url to log the user in programmatically.