Type: Technical Documentation
Affects Version/s: None
Fix Version/s: 7.3.10 DXP GA1
Component/s: Application Security > Multi-Factor Authentication
Sprint: AS | Iteration 10, AS | Iteration 11, AS | Iteration 12, AS | Iteration 13, AS | Iteration 14, AS | Iteration 15, Iteration 38, Iteration 39, Iteration 40, Iteration 41, Iteration 42
Type of Documentation: Deployment
This development is part of the creation of a component that allows enabling Multi-Factor Authentication (from now on: MFA) in the portal. When a user accesses the portal through the Login UI, a second authentication factor is requested to verify the user's identity beyond the password.
This feature allows activating a Timebased OTP verifier for MFA; the option only appears when MFA is already enabled. This gives several scenarios to consider when a user logs into the portal:
- MFA not enabled: the user accesses the portal using mail/password only.
- MFA enabled (which activates Email OTP as a verifier): the user accesses the portal using mail/password and is then shown the email verification screen, where he/she must enter the code received in his/her mail account.
- MFA enabled (Email OTP active as a verifier) and the Timebased OTP verifier configured:
  - If the user has not configured the Timebased OTP verifier in his/her Account Settings: the user accesses the portal using mail/password and is then shown the email verification.
  - If the user has configured the Timebased OTP verifier in his/her Account Settings: the user accesses the portal using mail/password and can then choose between Email Verification and Timebased Verification. By default, the verifier with the highest order in the configuration is shown, with an option to switch to the second active verifier. The screen of the second active verifier links to the third one if it exists, and so on.
As Instance Administrator, this functionality is activated through a new option at Instance Settings - Multi-Factor Authentication. There are also several configurable fields to set up the Timebased OTP algorithm to use (we follow the current specification: https://tools.ietf.org/html/rfc6238).
As end user, if the Timebased OTP verifier has been activated, he/she will have to configure the account at Account Settings (see: LPS-114241). The end user can also remove the Timebased OTP verifier configuration.
There are several modules to take into account for this functionality:
- multi-factor-authentication-spi: This module defines the interfaces needed to work with MFA; in this case TimeBasedOTPBrowserSetupMFAChecker (located at "multi-factor-authentication-timebased-otp-web") is both a SetupMFAChecker and a BrowserMFAChecker.
- multi-factor-authentication-web: This module defines the MFA logic common to the whole portal: MFAPolicy checks the activated verifiers, and LoginMVCActionCommand intercepts the Login action in order to track MFA verifiers.
This module also tracks the available setup checkers and generates a new entry for the end user at Account Settings (check this package).
- multi-factor-authentication-timebased-otp-api: This module defines the Model and Persistence layer that tracks the Timebased OTP verifier for each user.
- multi-factor-authentication-timebased-otp-service: This module defines the Service layer for working with the Timebased OTP verifier entry.
- multi-factor-authentication-timebased-otp-web: This module defines the specific Portlet that shows the Timebased OTP verifier and also the setup verification for the end user.