Two factor authentication

kklosson

I had posted a query on implementation of MFA and there was an interesting response. The post disappeared - maybe support had to restore the forum from a backup or something. The responder mentioned that AwareSoft had a plugin for a third-party SMS service. I'll need a repeat on that please.

hpl123

Hi kklosson,
I think it was ACDC or Rocketrod that wrote about the SMS module. It´s the Clickatell SMS module and search the forums or ask support about more info. I have it myself (have the module but haven´t started to use it yet so can´t tell you how well it works) and it´s very straight forward and works exactly like email i.e. as an outgoing channel.

I am also interested in this whole thing so I can rewrite my post. I have used/worked with RSA secureid before and works great. I have thought about creating a custom security solution in my application where I use "printed security codes" i.e. random codes Aware IM creates which the user prints out and use as the 2nd authentication factor. I haven't thought about how this should be implemented and how Aware IM store/secure the codes etc. but that´s probably not a hard thing achieve.

Another (or 2 other) option is using email/SMS where Aware IM sends out an email/SMS with the 2nd authentification factor code and the SMS solution is possible the ideal but then it´s SMS rate cost + there have to be some form of verification of number etc. but these things are also probably not very hard to achieve.

Please keep up posted on how/what you do and if you get to a good/working solution. Thanks

kklosson

Many thanks. My needs for security are very high and I will be walking this road with diligence. I'll keep you posted.

hpl123

Great, thanks.

ACDC

kklosson,
I use the Aim clickatell plug-in to message users of events that take place in my App. You can use this to implement two factor authentication. I have not implemented this yet, but its on my to-do list and seems very easy. I am also keen to implement bi directional sms interaction i.e. respond to sms reply that was sent by My app - something like an sms question and then based on the reply start a process etc etc , but let me not digress!

When you sign up for an account with Clickatell they are very good at sending out updates on the latest trends and concepts of how sms can be used and how to implement the concept in your system

I recently received this link from them on two factor authentication which might interest you - also check the video out

https://www.clickatell.com/get-creative-with-sms/two-factor-authentication/?cid=208583

Please let me know how you progress

ACDC

by the way, as far as the cost of sms goes, the prices are very reasonable. Also I charge my customers for the service. If they wish to raise the level of security there is a cost to them. I handle this by way of a prepaid account.

Incidentally I did note in the Clickatell documentation somewhere that it would be possible to develop a front end in your app that lets your customer (user) handle their own prepaid account directly with Clickatell. So this would save you the admin of maintaining things

kklosson

Excellent stuff. I will query AwareSoft about the plugin.

hpl123

ACDC wrote
kklosson,
I use the Aim clickatell plug-in to message users of events that take place in my App. You can use this to implement two factor authentication. I have not implemented this yet, but its on my to-do list and seems very easy. I am also keen to implement bi directional sms interaction i.e. respond to sms reply that was sent by My app - something like an sms question and then based on the reply start a process etc etc , but let me not digress!

When you sign up for an account with Clickatell they are very good at sending out updates on the latest trends and concepts of how sms can be used and how to implement the concept in your system

I recently received this link from them on two factor authentication which might interest you - also check the video out

https://www.clickatell.com/get-creative-with-sms/two-factor-authentication/?cid=208583

Please let me know how you progress

Yeah, great stuff ACDC. I was wondering regarding the bi-directional sms you write about. I am currently investigating this exact thing for a potential project and I have talked some to Himanshu who has implemented this through Twilio. Twilio does unfortunately not cover all the countries I am interested in but Clicktell does so next on my todo regarding this potential project is actually investigating how I could get this working with Clickatell. Have you got any idea on how hard this implementation would be and if the existing Clicktell module can be built upon or reconfigured to also support bi-directional?

PS: Regarding SMS delivery etc., am I right when I assume it works as it should, reliably etc. since you only write you use it and not that you use it and it kinda works 🙂 ?

Thanks

ACDC

The current plugin sends SMS only, and yes it does work as it should.

With regards to SMS "responding" you will have to get support to enhance the current plug in to support the call back response.

Alternatively you could attempt to do this yourself using the call back url they offer and pointing the call back to your app to run a process on receipt of the call back notification. I THINK the call back option could work - but don't take my word for it.

Also if you wish to know more, spend some time on their developer network, there is a wealth of technical development info there. Also they are the largest and most successful SMS gateway out there, so they claim

hpl123

Thanks ACDC. I will look into this some more.

hpl123

Kklosson,

Thinking about security and I have used Incapsula for site protection and works great and I thought about looking into also using the service for app security.

http://www.incapsula.com

I will probably not look into this right now (maybe in the future) but thought this could be of interest to you.

jannes

I'm currently implementing two-factor authentication (2FA) in AwareIM for a back-office user. The step to send a verification code via SMS is already working using Bulkgate. Here's the process I'm using:

CREATE SMSRequest WITH SMSRequest.Request='{
  `application_id`: `' + SystemSettings.SMSApplicationID + '`,
  `application_token`: `' + SystemSettings.SMSKey + '`,
  `number`: `' + BackofficeUser.TelNrMobiel + '`,
  `text`: `Your verification code is: ' + BackofficeUser.Code2FA + '`,
  `sender_id`: `gText`,
  `sender_id_value`: `PolderSoft`,
  `unicode`: true,
  `country`: `NL`
}'

To generate a number : GENERATE_PWD(6,6,0,6,0)

Question:
What are the recommended steps to properly integrate this into AwareIM’s login process?

Specifically, I want to:
Let the user first log in with username and password
Then show an additional screen to enter the verification code
Only grant access after the correct code is entered
Are there any best practices or examples of how to implement this properly within AwareIM?
Should I use a temporary object, a custom login form, a session variable, or something else?

Any advice or example implementations would be greatly appreciated!

Thanks in advance,
Jannes

hpl123

jannes
I am no security or 2FA expert but I can tell you what I remember from how I set it up (was a while ago and not using it any longer). I had a intermediary VP that handled the SMS code entry i.e each user logged into their account and then the user got redirected to an empty VP that only had the SMS code form. The user typed in code and then if correct, the user was redirected to his main VP. I also had a (cumbersome but still) mechanism for added security where I as part of the login process changed accesslevel of the user so I had for example AdminLimited and AdminFull and AdminLimited only had access to the temporary SMS code BO and all else was blocked (via accesslevel settings and protection rules). When the correct code was added, the users accesslevel was changed to AdminFull. I also had various rules etc. here and there to change the access level back to AdminLimited after the user had logged out. Cumbersome and not perfect from a security standpoint by a long shot but still more secure than not using it. Today we have a lot more options etc. in Aware so there are probably better ways to do this now.