Support
Two-factor authentication can only be used in applications which are managed by IAM, as IAM is the place where a user’s settings with regard to two-factor authentication can be configured. In addition, support for two-factor authentication is provided by the Web GUI and the Mobile GUI, but not by the Windows GUI. The reason for this is that it is not possible to perform client-side validation of a user’s identity claim in a secure manner.
As stated earlier, we offer support for two-factor authentication by means of SMS and by means of email. For SMS two-factor authentication, the only service that is currently supported is Twilio. In order to use SMS two-factor authentication, a Twilio account and an SMS-enabled Twilio phone number are required. Information about pricing can be found here. For email two-factor authentication we offer full support for the SMTP protocol. Emails can be sent through any accessible SMTP server. Even though these are the currently supported services, our implementation is highly extensible. Extra service implementations can be added quite easily and these implementations do not need to be limited to just SMS or email services.
How does it work?
After going through the conventional login process, by means of a username and password, the user will be required to provide a validation code before being granted access to the application. The Web GUI will send the validation code to the user’s phone number or email address automatically, and will display a form where the validation code can be submitted. The Mobile GUI will display a page where a validation code can be requested manually and, upon requesting the validation code, will also show a form where the validation code can be submitted. Access to the application will be granted after submitting a correct validation code.
Mobile GUI – Requesting a validation code
Mobile GUI – Submitting a validation code
Web GUI – Submitting the validation code
Configuring two-factor authentication for a user
To configure a user in IAM to use two-factor authentication, a new field named Two-factor authentication type is used. This field is mandatory and accepts the following values:
- None
- SMS
- Email
Configuring SMS two-factor authentication
To use SMS two-factor authentication in the Web GUI the settings below need to be configured in the settings.ini file or in IAM. For the Mobile GUI, the settings below need to be configured in the appsettings of the Web.config file of the application service used by the Mobile GUI.
Configuring Email two-factor authentication
To use Email two-factor authentication in the Web GUI the settings below need to be configured in the settings.ini file or in IAM. For the Mobile GUI, the settings below need to be configured in the appsettings of the Web.config file of the application service used by the Mobile GUI.
Localisation
The SMS message sent to the users can be configured by means of a translation with the key two_factor_message_sms_body. The translation text must contain ‘{0}’, as this is the parameter that will be replaced by the validation code which the users can use to validate their identity.
The subject and body of the email message sent to the user can be configured by means of two translations with the keys two_factor_message_mail_subject and two_factor_message_mail_body respectively. The translation text of the body must contain ‘{0}’, as this is the parameter that will be replaced by the validation code which the users can use to validate their identity.
Example of a body translation:
Your validation code is: {0}. Please enter and submit this code in the application to continue.
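The server-side flow described under "How does it work?" combined with the '{0}' placeholder rule above, as an added example that is not the product's own code. The class name ValidationCodeStore, the six-digit code length, the five-minute lifetime and the three-attempt limit are assumptions; the page does not state them.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: the page states no code lifetime
MAX_ATTEMPTS = 3        # assumption: the page states no attempt limit


class ValidationCodeStore:
    """Hypothetical server-side store of pending second-factor codes."""

    def __init__(self, clock=time.monotonic):
        self._pending = {}  # user id -> [code digest, expiry, attempts left]
        self._clock = clock

    @staticmethod
    def _digest(code):
        # Fixed-length digest so compare_digest always sees equal-length input.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user_id, body_template):
        """Create a fresh code and return the message body to send."""
        if "{0}" not in body_template:
            raise ValueError("translation must contain '{0}'")
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded
        self._pending[user_id] = [self._digest(code),
                                  self._clock() + CODE_TTL_SECONDS,
                                  MAX_ATTEMPTS]
        # Literal replace: other braces in the translation are left alone.
        return body_template.replace("{0}", code)

    def verify(self, user_id, submitted):
        """True exactly once for a correct, unexpired code; else False."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user_id]
            return False
        entry[2] -= 1  # count the attempt before comparing
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self._pending[user_id]  # single use
            return True
        if entry[2] == 0:
            del self._pending[user_id]  # limit reached: a new code is needed
        return False
```

The code never leaves the server except inside the SMS or email body, and the comparison happens server-side, which is the property the Windows GUI cannot provide.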