Passcode security
Understanding two factor authentication
Two factor security will require authenticated user to
- Provide a passcode sent to their cell phone
- Login from one the office IP addresses ("Office IP")
- Login from an IP that they have succesfully logged in from X times before ("Home IP")
The IP based requirements are optional, and HomeIP is a subset of the OfficeIP solution.
Note: This functionality is still considered BETA
Preparation
To enable 2 factor authentication for users you will need to prepare the following:
- List of IP's that should not require 2 factor authentication
- An messaging URL for sending SMS's
Optionally you will also enter cellphone numbers for all employees in their user user profiles.
Step by step setup
System configuration
First you will setup the system to run in testmode, so that all messages are sent for you. After checking everything works, disable the testmode.
Change server configurations
- Set smsConnectUrl to your connection URL
- Check that smsParamMessage fits the parameter name of your SMS provider
- Check that smsParamNumber fits the parameter name of your SMS provider
Optionally you can allow IP based exceptions from the rules
Furthermore you can allow multiple logins from the same IP to
- Set passcodeUserIpHistory to true link
- Set passcodeUserIpHistoryCount to minimum succesfull logins link
Activate passcode filters
Stop the application server
Go to the application folder and dive into: <application>\WEB-INF\web.xml
Uncomment the section containg the servlet mapping
<filter>
<filter-name>TwoFactorAuthentication</filter-name>
<filter-class>dk.tempusserva.passcode.SmsVerificationFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>TwoFactorAuthentication</filter-name>
<url-pattern>/main</url-pattern>
</filter-mapping>
Start the application server
Test and go live
Validate that two factor login works as intended.
Change server configurations
- Set smsTestMode to false