Type: Technical Documentation
Affects Version/s: None
Fix Version/s: 7.3.10 DXP GA1
Component/s: Application Security > Multi-Factor Authentication
Sprint:AS | Iteration 10, AS | Iteration 11, AS | Iteration 12, AS | Iteration 13, AS | Iteration 14, AS | Iteration 15, Iteration 35, Iteration 36, Iteration 37, Iteration 38, Iteration 39
Type of Documentation:Deployment
This development is part of the creation of a component that allows the activation of Multi-Factor-Authentication (from now on: MFA) in the portal. When accessing the portal using the Login UI, a second authentication factor will be requested to verify the user's identity beyond the password.
This feature allows to activate/deactivate MFA and apply the verification via mail (only available at DXP version). Functionality enabling MFA always means activating the Email OTP verifier, it should be impossible to activate MFA without having this verification enabled. So we would have two scenarios to consider when a user logs into the portal:
- Do not enable MFA: User will access the portal using mail/password
- Enable MFA (and therefore activate Email OTP as a verifier): User will access the portal using mail/password and then the verification via email would be shown. The end user will be shown a screen where he/she should enter the code received in his/her mail account.
As Instance Administrator, to activate this functionality there's a new option at Instance Settings - Multi-Factor Authentication. There are also several configurable fields where you can also set the mail template to be used.
Also, as System Administrator an option has been added to generally disable MFA for all instances in System Settings - Multi-Factor Authentication to help control possible general login problems.
As end user if MFA has been activated, when logging in to the portal, as a security measure a verification code will be requested which will receive by email at the principal mail address.
There're several modules to take into account for this functionality:
- multi-factor-authentication-spi: This module defines the necessary interfaces to work with MFA, in this case the EmailOTPBrowserMFAChecker (located in multi-factor-authentication-email-otp-web) is of type BrowserMFAChecker
- multi-factor-authentication-web: This module defines the logic common to the whole portal related to MFA, through MFAPolicy the activated verifiers will be checked and with LoginMVCActionCommand the Login action is intercepted in order to show MFA verifiers using a new Portlet.
- multi-factor-authentication-email-otp-api: This module defines the Model and Persistence layer to track the email verifier for each user.
- multi-factor-authentication-email-otp-service: This module defines the Service layer to work with the email entry verifier.
- multi-factor-authentication-email-otp-web: This module defines the specific Portlet to show the email verifier.