#53993 by joben
Fri May 29, 2020 9:58 am
We have reached a point where it is difficult to advertise or sell our application due to lack of MFA (Multi-Factor Authentication), which is often a requirement from the customers/end users. Especially with the strict regulations in the EU such as GDPR, the data needs to be protected adequately. We built a Trusted Device solution in AwareIM that unfortunately doesn’t work well enough to be used in production. We need to know if MFA can be implemented in AwareIM in a secure and hassle-free way. Preferably a Trusted Device solution.

Our definition of Trusted Device:
Alice logs in with her username and password for the first time on her new computer.
An email is sent to Alice with a verification link.
Alice clicks the link, and she is now logged in, and the device is considered trusted.
The next time Alice logs in from this computer, email verification is skipped because her device is considered trusted.

Our definition of MFA with mobile app:
Bob logs in with his username and password.
Bob is prompted with a token field.
Bob starts his MFA app (Authy, Google Authenticator or similar).
Bob enters the generated token (or preferably accepts a push message sent to the phone as it is more simple) and is successfully logged in.

Things we don’t consider good ways of solving this problem:
  • Using authentication with Google or Facebook accounts or similar rather than built-in AwareIM user database.
  • IP address or user agent fingerprinting is not a unique identifier when identifying a Trusted Device.

We would like to co-operate with forum members who think MFA is important. We hope that a proof of concept can be produced that can be shared with the community. Please get in touch with me or forum member Rem.
#53994 by hpl123
Fri May 29, 2020 8:53 pm
Joben,
I agree, multi factor authentication options in Aware would be valuable. I have a hacked up two factor login solution using SMS for one of my apps and it is OK but would not pass security standards/reviews etc. but could possibly be something to at least think about (i.e. if SMS could be used in some way for you).

Regarding the identification of a device you do now for your trusted device solution: how do you capture/identify a device, if you can share some details?
#54017 by joben
Wed Jun 03, 2020 1:24 pm
aware_support wrote: How about MFA provided by DUO (http://www.duo.com)?

We have a plugin that supports it. Maybe it will work for you?

Where can I learn more about this?

hpl123 wrote: Regarding the identification of a device you do now for your trusted device solution: how do you capture/identify a device, if you can share some details?


It is an overstatement to call it a trusted device solution since we were never able to identify trusted devices, but at least we managed to make an extra login check, like you type your username and password as usual, then you have to click a link that gets sent to your email to actually get logged in. It is based on a secret token. It is not very user-friendly and not exactly ground-breaking. But it was a foundation for the trusted device solution that we never were able to build.
#54033 by joben
Fri Jun 05, 2020 12:42 pm
aware_support wrote: You can learn about DUO on their web site:
http://www.duo.com


We are Aware ( :D ) of Duo and we use it with some other products where implementation is simple.

However, we don't know how it's best implemented with AwareIM?
If there is a plugin available, where can we learn more about this?
#54034 by aware_support
Fri Jun 05, 2020 1:27 pm
From a user point of view he logs in as usual entering his user name and password. If credentials are incorrect then the error message is displayed straight away. However, if they are correct the second part of authentication (provided by Duo) kicks in. The method depends on what you set up in DUO - it can be, for example, a phone call, so you get the phone call and after confirmation the system logs you in to Aware IM and displays the starting visual perspective.
#54040 by RLJB
Sat Jun 06, 2020 11:05 pm
Sorry for the probably dumb question, but why don't you just configure MFA in Aware?

Login sends SMS to user with random code and stores it on reg user with an expiry time, then throws to a VP with an input box. User enters the code; if wrong or expired it kicks them out. If OK then continues to normal VP.

Can put a 7 day expiry on it if you don't want to annoy users.
#54041 by hpl123
Sun Jun 07, 2020 7:34 am
RLJB wrote: Sorry for the probably dumb question, but why don't you just configure MFA in Aware?

Login sends SMS to user with random code and stores it on reg user with an expiry time, then throws to a VP with an input box. User enters the code; if wrong or expired it kicks them out. If OK then continues to normal VP.

Can put a 7 day expiry on it if you don't want to annoy users.


Exactly what I did (at least the part with MFA VP and real VP so I have it for ALL logins and not time expired) and it works.
#54042 by hpl123
Sun Jun 07, 2020 3:50 pm
joben wrote:
aware_support wrote: How about MFA provided by DUO (http://www.duo.com)?

We have a plugin that supports it. Maybe it will work for you?

Where can I learn more about this?

hpl123 wrote: Regarding the identification of a device you do now for your trusted device solution: how do you capture/identify a device, if you can share some details?


It is an overstatement to call it a trusted device solution since we were never able to identify trusted devices, but at least we managed to make an extra login check, like you type your username and password as usual, then you have to click a link that gets sent to your email to actually get logged in. It is based on a secret token. It is not very user-friendly and not exactly ground-breaking. But it was a foundation for the trusted device solution that we never were able to build.


Ok, thanks. I am looking for some way to uniquely identify a device upon login and then use it together with the SMS MFA discussed in this post. I have thought about using user agent, or user agent together with resolution, for this but I am not sure how unique it would be. If anyone has a good way of uniquely identifying devices please share.
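Two of the mechanisms in this thread fit together as one piece of server-side logic: the SMS-code step RLJB describes (random code stored on the user with an expiry, checked on a second VP) and the trusted-device idea from the opening post, with the device-identification question just above answered by an opaque random token set on the device rather than a user-agent or resolution fingerprint. The following is an added example and not code from this thread or from Aware IM; the names (`SecondFactor`, `TrustedDevices`, `login_step2`, the TTL constants) are my own, and the in-memory dictionaries stand in for fields on the registered user record.

```python
"""Second-factor code store plus trusted-device tokens for a password login.

Added example, not code from the Aware IM forum thread or the Aware IM product.
Time values are passed in explicitly so the behaviour is reproducible offline.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

CODE_TTL = 5 * 60            # SMS/email code is valid for 5 minutes
MAX_ATTEMPTS = 5             # challenge locks after this many wrong codes
DEVICE_TTL = 7 * 24 * 3600   # trusted-device token lives 7 days (the "7 day expiry" in the thread)


def _hash(value: str) -> str:
    """Store hashes only: a leaked table then reveals no live device tokens."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class SecondFactor:
    """One pending code per user: random, expiring, single-use, attempt-limited."""

    def __init__(self) -> None:
        self.pending: Dict[str, dict] = {}

    def issue_code(self, user: str, now: Optional[float] = None) -> str:
        """Create a 6-digit code; the caller sends it by SMS and must not log it."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = {"hash": _hash(code), "expires": now + CODE_TTL, "attempts": 0}
        return code

    def check_code(self, user: str, code: str, now: Optional[float] = None) -> bool:
        """True exactly once for the right code inside the TTL and attempt budget."""
        now = time.time() if now is None else now
        rec = self.pending.get(user)
        if rec is None:
            return False
        if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self.pending[user]      # expired or locked: user restarts the login
            return False
        rec["attempts"] += 1
        if hmac.compare_digest(rec["hash"], _hash(code)):
            del self.pending[user]      # single use
            return True
        return False


class TrustedDevices:
    """Opaque random token per device, issued after a successful code/link verification.

    The token goes into a cookie; the server keeps only its hash and an expiry per user,
    so individual devices can be revoked and nothing depends on user agent or screen size.
    """

    def __init__(self) -> None:
        self.devices: Dict[str, Dict[str, float]] = {}   # user -> {token_hash: expiry}

    def enroll(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)                 # 256 bits of randomness
        self.devices.setdefault(user, {})[_hash(token)] = now + DEVICE_TTL
        return token

    def is_trusted(self, user: str, token: Optional[str], now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        if not token:
            return False
        h = _hash(token)
        expiry = self.devices.get(user, {}).get(h)
        if expiry is None:
            return False
        if now > expiry:
            del self.devices[user][h]                     # stale token is dropped, not renewed
            return False
        return True

    def revoke_all(self, user: str) -> None:
        """Called on password change or "log out everywhere"."""
        self.devices.pop(user, None)


def login_step2(user: str, device_token: Optional[str], sf: SecondFactor,
                td: TrustedDevices, now: float) -> str:
    """After the password check passed: 'ok' for a trusted device, else start a code challenge."""
    if td.is_trusted(user, device_token, now):
        return "ok"
    sf.issue_code(user, now)
    return "challenge"
```

Note that hashing a 6-digit code buys almost nothing on its own, since the whole space can be tried offline in a moment; what protects the SMS step is the short TTL, the single use, and the attempt cap. The hash matters for the device tokens, which are long-lived and high-entropy. Enrol a device only after the second factor has just been passed, and tie the token to the user on the server side so a token copied from one account cannot vouch for another.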