Details

    • Sprint:
      Iteration 35, Iteration 36, Iteration 37, Iteration 38, Iteration 39, Iteration 40
    • Type of Documentation:
      Deployment

      Description

      Background

      This development is part of the creation of a component that allows the activation of Multi-Factor-Authentication (from now on: MFA) in the portal. When accessing the portal using the Login UI, a second authentication factor will be requested to verify the user's identity beyond the password.

      Feature Description

      This feature lets an Instance Administrator configure the different MFA verifiers. Enabling MFA always activates the Email OTP verifier; it should be impossible to activate MFA without this verifier enabled.
      Once MFA is activated, the administrator can see which other verifiers (besides Email) are available for configuration, such as IP verification or the Time-Based OTP verifier.

      Steps

      As Instance Administrator, activate this functionality through the new option at Instance Settings - Multi-Factor Authentication.
      Verifiers that require manual verification by the user (Email and Time-Based OTP) can be given a priority level using the "Order" field. The one with the highest level is shown to the user first during the login process, with a link on its screen to the next verifier according to the configured order. Choosing that next verifier renders its screen, with a link to the one after it.
      The IP Verifier (IPAddressHeadlessMFAChecker) does not need confirmation from the user, so whenever it is active it is executed first; if it fails, the order above determines how the remaining verifiers are shown.

      Note: The "IP Address Configuration" and "Time-Based One-Time Password Configuration" entries only appear in Instance Settings after "Multi-Factor Authentication: Email One-Time Password Configuration" has been enabled.

      Instance Settings Configs

      Multi-Factor Authentication: Email One-Time Password Configuration
      Interface: com.liferay.multi.factor.authentication.email.otp.configuration.MFAEmailOTPConfiguration
      Properties: see above

      IP Address Configuration
      Interface: com.liferay.multi.factor.authentication.ip.address.internal.configuration.MFAIPAddressConfiguration
      Properties:

      • enabled: "true/false" (defaults to "false"). When the IP address configuration is enabled, the instance checks whether the user is logging in from a valid network IP address and, if so, allows access to the portal without showing any other multi-factor authentication verifiers.
      • allowedIPAddressAndNetMask: defaults to "127.0.0.1/255.0.0.0|::1/128|10.0.0.0/8|172.16.0.0/12|192.168.0.0/16|fc00::/7". Set the allowed IP address and the network mask. Use the add button to add multiple ones.
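
A stand-alone audit sketch for the allowedIPAddressAndNetMask value above, added here and not Liferay's code: it parses the "|"-separated list and reports which client addresses would satisfy the IP check and so skip the other verifiers. It assumes matching is plain network containment; the function names and the sample addresses are constructed for this example.

```python
import ipaddress

# Default value of allowedIPAddressAndNetMask as given on this page.
DEFAULT_ALLOWED = ("127.0.0.1/255.0.0.0|::1/128|10.0.0.0/8|"
                   "172.16.0.0/12|192.168.0.0/16|fc00::/7")


def parse_allowed(value):
    """Split the '|'-separated value into network objects.

    strict=False accepts entries with host bits set, such as
    127.0.0.1/255.0.0.0, and normalises them (here to 127.0.0.0/8).
    A malformed entry raises ValueError, which is the desired audit result.
    """
    networks = []
    for entry in value.split("|"):
        entry = entry.strip()
        if entry:
            networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def skips_other_verifiers(client_ip, networks):
    """True if client_ip lies inside any allowed network (assumed semantics)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr.version == net.version and addr in net
               for net in networks)


def audit(value, observed_ips):
    """Map each observed client address to whether the IP check would pass."""
    networks = parse_allowed(value)
    return {ip: skips_other_verifiers(ip, networks) for ip in observed_ips}


if __name__ == "__main__":
    # Constructed sample addresses, standing in for client IPs from a log.
    sample = ["10.1.2.3", "172.31.255.1", "172.32.0.1",
              "203.0.113.7", "fd12::1", "2001:db8::1"]
    for ip, passed in audit(DEFAULT_ALLOWED, sample).items():
        outcome = "IP check passes" if passed else "falls through to Order"
        print(f"{ip:16} {outcome}")
```

Run it against the client addresses the portal actually records: if those are a load balancer's or proxy's private address rather than the end user's, every login matches the default list.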

      Time-Based One-Time Password Configuration
      Interface: com.liferay.multi.factor.authentication.timebased.otp.web.internal.configuration.MFATimeBasedOTPConfiguration
      Properties: See above

      Code

      There are two modules to take into account for this functionality:

            People

            Assignee:
            marta.medio Marta Medio (Inactive)
            Reporter:
            nora.szel Nóra Szél
            Recent user:
            Tibor Lipusz

                Packages

                Version Package
                7.3.10 DXP GA1