Type: Technical Documentation
Affects Version/s: None
Fix Version/s: 7.3.10 DXP GA1
Component/s: Application Security > Multi-Factor Authentication
Sprint: Iteration 36, Iteration 37, Iteration 38, Iteration 39
Type of Documentation: Developer
This development is part of the creation of a component that allows the activation of Multi-Factor-Authentication (from now on: MFA) in the portal. When accessing the portal using the Login UI, a second authentication factor will be requested to verify the user's identity beyond the password.
This feature makes it possible to activate an IP verifier for MFA; the option only appears when MFA is already enabled. There are therefore several scenarios to consider when a user logs into the portal:
- Do not enable MFA: the user accesses the portal using mail/password.
- Enable MFA (and therefore activate Email OTP as a verifier): the user accesses the portal using mail/password and is then shown the email verification step, a screen where he/she must enter the code received in his/her mail account.
- Enable MFA (and therefore activate Email OTP as a verifier) and configure the IP OTP Verifier:
  - User tries to log in from a matching MFA IP: the user gets access without any extra verification step after logging in.
  - User tries to log in from a non-matching MFA IP: the user can use any of the verifiers available according to the Instance Configuration (such as Email Verification).
As Instance Administrator, to activate this functionality there is a new option under Instance Settings - Multi-Factor Authentication. There are also several configurable fields to set up the allowed IPs from which the user will make his/her login request.
As end user, if MFA with the IP verifier has been activated, then when logging in to the portal the portal will, as a security measure, check the IP address from which the login request was made; if it matches the configuration, the end user is allowed into the system without any message or notification being shown.
If the IP does not match the MFA configuration, the end user can use any of the other available verifiers.
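The decision described in the scenario list above and in the IP check, written out as a small standalone model (added example, not Liferay's own code: the function names, the CIDR support for allowed entries and the `"email_otp"` verifier name are assumptions; the ticket only speaks of "allowed IPs"):

```python
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Sequence


def ip_allowed(remote_addr: str, allowed_entries: Iterable[str]) -> bool:
    """True if the client address matches a configured entry.

    Entries may be single addresses or CIDR ranges (assumption). remote_addr
    must be the address the server actually trusts for the client (the
    connection's remote address, or the one a correctly configured reverse
    proxy supplies), because a match skips the second factor entirely.
    """
    try:
        addr = ip_address(remote_addr.strip())
    except ValueError:
        return False  # unparseable client address: never skip MFA

    for entry in allowed_entries:
        entry = entry.strip()
        if not entry:
            continue
        try:
            if addr in ip_network(entry, strict=False):
                return True
        except ValueError:
            # A malformed entry is ignored rather than matching everything.
            continue
    return False


def required_verifiers(
    mfa_enabled: bool,
    ip_verifier_enabled: bool,
    allowed_entries: Sequence[str],
    remote_addr: str,
    other_verifiers: Sequence[str] = ("email_otp",),
) -> List[str]:
    """Verifiers the user must still pass after the password step.

    An empty list means the user is let in with no extra step, which is the
    case when MFA is off or when the IP verifier is on and the address matches.
    Otherwise the remaining instance-configured verifiers apply.
    """
    if not mfa_enabled:
        return []
    if ip_verifier_enabled and ip_allowed(remote_addr, allowed_entries):
        return []
    return list(other_verifiers)
```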
There are several modules to take into account for this functionality:
- multi-factor-authentication-spi: This module defines the interfaces needed to work with MFA; in this case the IPAddressHeadlessMFAChecker (located in "multi-factor-authentication-ip-address-impl") is a HeadlessMFAChecker.
- multi-factor-authentication-web: This module defines the MFA logic common to the whole portal; through MFAPolicy the activated verifiers are checked, and LoginMVCActionCommand intercepts the Login action in order to track the MFA verifiers.
- multi-factor-authentication-ip-address-impl: This module checks the IP address from which the login request has been made.