Difference between revisions of "Passcode security"

From TempusServa wiki
Jump to navigation Jump to search
old>Admin
m (25 revisions imported)
 
(12 intermediate revisions by one other user not shown)
Line 1: Line 1:
This article will be published 13 november 2017
== Understanding two factor authentication ==
Two factor security will require authenticated user to
# Provide a passcode sent to their cell phone
# Login from one the office IP addresses ("Office IP")
# Login from an IP that they have succesfully logged in from X times before ("Home IP")


=== Preparation ===
The IP based requirements are optional, and HomeIP is a subset of the OfficeIP solution.
 
Note: This functionality is still considered BETA
 
== Preparation ==
To enable 2 factor authentication for users you will need to prepare the following:
To enable 2 factor authentication for users you will need to prepare the following:


* List of IP's that should not require 2 factor authentication
* List of IP's that should not require 2 factor authentication
* An messaging URL for sending SMS's
* An messaging URL for sending SMS's
* Access to cellphone numbers for all employees


Optionally you will also enter cellphone numbers for all employees in their user user profiles.
== Step by step setup ==


=== Setup ===
=== System configuration ===
First you will setup the system to run in testmode, so that all messages are sent for you. After checking everything works, disable the testmode.
First you will setup the system to run in testmode, so that all messages are sent for you. After checking everything works, disable the testmode.


Line 18: Line 28:


Optionally you can allow IP based exceptions from the rules
Optionally you can allow IP based exceptions from the rules
* Set '''passcodeTrustedIp''' to true [[ServerSettingSingle.do?DataType=1&PolicyName=passcodeTrustedIp link]]
* Set '''passcodeTrustedIp''' to true [[ServerSettingSingle.do?DataType=1&PolicyName=passcodeTrustedIp | link]]
* Set '''passcodeTrustedIpList''' to contain your office IP's: ServerSettingSingle.do?DataType=3&PolicyName=passcodeTrustedIpList
* Set '''passcodeTrustedIpList''' to contain your office IP's  [[ServerSettingSingle.do?DataType=3&PolicyName=passcodeTrustedIpList | link]]


Furthermore you can allow multiple logins from the same IP to  
Furthermore you can allow multiple logins from the same IP to  
* Set '''passcodeUserIpHistory''' to trueServerSettingSingle.do?DataType=1&PolicyName=passcodeUserIpHistory
* Set '''passcodeUserIpHistory''' to true [[ServerSettingSingle.do?DataType=1&PolicyName=passcodeUserIpHistory | link]]
* Set '''passcodeUserIpHistoryCount''' to minimum succesfull loginsServerSettingSingle.do?DataType=2&PolicyName=passcodeUserIpHistoryCount
* Set '''passcodeUserIpHistoryCount''' to minimum succesfull logins [[ServerSettingSingle.do?DataType=2&PolicyName=passcodeUserIpHistoryCount | link]]


=== Activate passcode filters ===


Stop the application server
Stop the application server
Line 32: Line 43:
Uncomment the section containg the servlet mapping
Uncomment the section containg the servlet mapping


    <filter>
  <filter>
        <filter-name>TwoFactorAuthentication</filter-name>
    <filter-name>TwoFactorAuthentication</filter-name>
        <filter-class>dk.tempusserva.passcode.SmsVerificationFilter</filter-class>
    <filter-class>dk.tempusserva.passcode.SmsVerificationFilter</filter-class>
    </filter>
  </filter>
    <filter-mapping>
  <filter-mapping>
        <filter-name>TwoFactorAuthentication</filter-name>
    <filter-name>TwoFactorAuthentication</filter-name>
        <url-pattern>/main</url-pattern>
    <url-pattern>/main</url-pattern>
    </filter-mapping>
  </filter-mapping>


Start the application server
Start the application server


=== Test and go live ===
=== Test and go live ===
 
Validate that two factor login works as intended.


Change server configurations
Change server configurations
* Set "smsTestMode" to true
* Set '''smsTestMode''' to false

Latest revision as of 11:55, 10 December 2021

Understanding two factor authentication

Two factor security will require authenticated user to

  1. Provide a passcode sent to their cell phone
  2. Login from one the office IP addresses ("Office IP")
  3. Login from an IP that they have succesfully logged in from X times before ("Home IP")

The IP based requirements are optional, and HomeIP is a subset of the OfficeIP solution.

Note: This functionality is still considered BETA

Preparation

To enable 2 factor authentication for users you will need to prepare the following:

  • List of IP's that should not require 2 factor authentication
  • An messaging URL for sending SMS's

Optionally you will also enter cellphone numbers for all employees in their user user profiles.

Step by step setup

System configuration

First you will setup the system to run in testmode, so that all messages are sent for you. After checking everything works, disable the testmode.

Change server configurations

  • Set smsConnectUrl to your connection URL
  • Check that smsParamMessage fits the parameter name of your SMS provider
  • Check that smsParamNumber fits the parameter name of your SMS provider

Optionally you can allow IP based exceptions from the rules

  • Set passcodeTrustedIp to true link
  • Set passcodeTrustedIpList to contain your office IP's link

Furthermore you can allow multiple logins from the same IP to

  • Set passcodeUserIpHistory to true link
  • Set passcodeUserIpHistoryCount to minimum succesfull logins link

Activate passcode filters

Stop the application server

Go to the application folder and dive into: <application>\WEB-INF\web.xml

Uncomment the section containg the servlet mapping

 <filter>
    <filter-name>TwoFactorAuthentication</filter-name>
    <filter-class>dk.tempusserva.passcode.SmsVerificationFilter</filter-class>
 </filter>
 <filter-mapping>
    <filter-name>TwoFactorAuthentication</filter-name>
    <url-pattern>/main</url-pattern>
 </filter-mapping>

Start the application server

Test and go live

Validate that two factor login works as intended.

Change server configurations

  • Set smsTestMode to false