I did a lot of research on how to implement 2fa on my app.
My app will enforce every user to use 2fa (I will use OTP).
I think that in my app, (because every user will need to use 2fa, and I will use only OTP), I can have only 2 steps:
Log in the user providing username, password and OTP.
If step 1 is successful, authentication is done.
From all the sources I found, the 2fa steps are always the same:
log in the user providing username and password.
If step 1 is successful, ask the user for the OTP token.
If step 2 is successful, authentication is done.
In my head, if I have optional 2fa, or 2fa using SMS/email, then I must have the step in the middle (authenticate the user, send the SMS/email and wait for the code), but with OTP, I already have the code and I can provide it in the same login form with the username and the password.
I haven't seen this kind of 2fa with only 2 steps, am I missing something?
Both of your examples are the same.
In the First scenario, the server is waiting for the user to enter OTP and the same process follows in the second scenario.
These are distinct steps in 2FA authentication
The user sends their username and password to the server to be authenticated as usual
The server confirms the credentials are correct and asks for a second input from the user.
In this case it’s a one-time passcode (OTP)
The user provides the OTP, and the server finally authenticates the user
2FA
Related
We have a web app (SPA Angular app talking to a .Net Core Web API) which uses Auth0 as the authentication server.
Now, I'm not sure if this would be an "invite flow" or "invite-only flow", or something else, but basically, a user will go to our web app, and create an account on our system. Our API then creates an Auth0 account for this user using the Auth0 Management API. This user is then considered the Administrator. She can then create as many users as she wants for her staff. For each user she creates, our API creates an Auth0 user using the Management API.
Since, as far as I'm aware, a user must be assigned a password at the moment of creation (i.e. you cannot create a user without a password), the administrator must pick a password for each user she creates.
Additionally, each time a user is created, Auth0 automatically sends out an email to that user asking them to verify their email address. When the user follows this link, it takes them to the Auth0 login screen where they have to fill in their email address and password.
My problem is that, unless the administrator tells them what password she picked for them, there's no way of them knowing.
My question is: is there a way to defer picking a password until the user logs in for the first time? So, when the administrator creates the user, she doesn't pick a password. Then, upon the user's first login, they pick their own password.
Alternatively, if a password MUST be set at the moment of creating the user, could this password be displayed to the user in the email verification email? I would essentially treat this as a temporary password, as I would also require the user to change their password upon first logon in this case.,
Thanks
I use AWS Cognito as the authentication provider in a React application. I noticed an issue with the Reset Password flow:
Imagine I forget my password and request a password reset. Cognito sends me an email with a security code. Then, I remember the password and don't want to change it any more. I can't because even if I log in with the correct password, it still sends me to the Set New Password page. It seems like a security concern because anyone can force other users to reset their password as long as they know their email address.
Is that by design in Cognito or is it a bug in my use of Cognito?
You will want to verify how the forgot password/authentication flow have been implemented within your app. The Reset Password page should not send the NEW_PASSWORD_REQUIRED MFA challenge, nor change the user's status to need a new password in the user pool.
The ForgotPassword API call generates the reset code for the user, whereas the ConfirmForgotPassword API call accepts the code and allows the user to change the password. These API calls do not change the user's status for resetting their password, or create the NEW_PASSWORD_REQUIRED MFA challenge.
For completeness, there is no way to cancel the password reset code once it's been sent out. The code is valid for 24 hours, although sending another code will invalidate the first.
I'm using Microsoft graph in my Android project to authenticate users.
I'm doing so via this method:
https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v1-android
after a successful login Microsoft remembers the user email, so next time when user is trying to login it will suggest to use a previously logged in account. If user chooses a previously used email, a password is not required.
Problem raises when we have a single device where multiple users need to login via Microsoft. In this case new user will see the email of previously logged users and can select their email and log into account without entering any password.
My question is how can I avoid this behavior and close the session after each login?
Thank you!
You can tell ADAL to request credentials again by switching PromptBehavior from Auto to Always:
// Perform authentication requests
mAuthContext.acquireToken(
getActivity(),
RESOURCE_ID,
CLIENT_ID,
REDIRECT_URI,
PromptBehavior.Always,
getAuthInteractiveCallback());
In Lotus Domino, when user submits the login form, we need to intercept user's username and password and relogin him/her to Domino with another username and password, according to his/her input username and password.
Is it possible?
You will need a custom login and Access it with a URL: /names.nsf?login&Redirectto=/myDb.nsf/loginredirect?OpenForm
In the loginredirect user would be logged in with the username he enters. You will have to RELOG in with the another user. see http://dominounlimited.blogspot.co.il/2008/07/automated-login-to-domino-by-http-post.html
It is possible to do this in domino but it requires you to write a DSAPI filter, which can be complicated. DSAPI filter allowes you to validate the password and go around dominos password validation.
A easier solutions is to have another authentication server which logs in the user to domino, this will involve letting the authentication server doing a POST of the login form to domino and then give the session cookie to the user.
Is there a way to implement multi factor authentication in Shiro? Can somebody give me a hint on how to implement this?
For more details:
The basic idea is, that a user needs to login just as usual, using username and password, but before being actually authenticated the user also needs to enter a one-time-token he received as an SMS.
Thank you!
I finally solved my problem on my own, but I'm of course always open to other suggestions.
I implemented my own 2 - Factor Authentication Flow:
First of all I changed the URL of the login page, to which Shiro redirects an unauthenticated user to my own login page, that leads into the authentication mechanism.
A user needs to complete two "stages" to login.
On the first stage he/she has to provide a username and password, if
these are valid, the user is redirected to the second stage of login.
Meanwhile, a one time token has been generated and sent to the user
via SMS. Also the user's authentication progress has been saved in
the session (which means I remember, that stage 1 was completed
successfully).
On stage 2 the user needs to enter the token. If the
token was
not valid or the number of attempts (5) was exceeded
expired (after 5 minutes) the number of attempts
to correctly enter the token exceeded 4 the user will be redirected
to Stage 1 and all progress will be deleted. I
if everything went fine, the user will be authenticated to Shiro
(of course without letting him/her know)
In the end the user will be redirected to the page he/she originally requested, which still allows him/her to bookmark pages. Of course Shiro's remember-me will always be deactivated.