Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
2 Factor Authentication For Web+Center
We need your input to help us design a 2F authentication process that works for your Web+Center environments. The information below shows our designs so far but we are still in the design and implementation phase of this final feature for V10.
Current Login Methodologies:
Web+Center currently has two types of users, “techs” and “customers”.
Once a customer or tech logs into Web+Center, a session cookie is created that is only saved while the user is logged into that browser session.
If a customer or tech wants to replace their password, a reset mechanism is available by requesting a password reset email associated with that account. We would refer to this as single authentication.
If an account was compromised and a non validated user obtained the password to log into an account, they could continue to use the account as there is no forced re-authentication or force password resets on any of the Web+Center accounts now.
2 Factor Authentication –
Many devices like iPhones or applications provided by Google or Microsoft force 2 factor authentication now. When you enable a service or application, your original account setup requires that you enter at least (2) ways to verify your valid identity. For Web+Center, we plan to use email and TXT SMS or phone call voice messaging as the two methods to authenticate the users.
Smarter and more secure logins
With this new version of Web+Center, we are going to examine the login header information more carefully and look at past login failures and if necessary we will force the user to provide a second factor of authentication to access Web+Center.
We will also keep track of the number of consecutive login failures and block future login attempts for 30 minutes after 5 failed attempts.
We understand that many of our systems out there already just have a simple single email authentication option available so we plan to make the 2 factor authentication option very configurable to match your security requirements currently and going forward. We don’t want users to be frustrated by continue re-authentication requests but we also want to prevent any un-authorized use of the application.
Here is our planned design for 2 factor authentication – system configuration and user login requirements
System Level Configurations
As the Web+Center configurator, you will be able to control the various 2 factor authentication options available for your users.
Tech 2F authentication options
Customer 2F authentication options
Login 2F Authentication Required Triggers
These are the rules by which customers or techs will be required to authenticate themselves before they can continue to login in.
Valid Device Login IP and Date/Time – Each time a tech or customer successfully logs into Web+Center, we will store this device IP login address for the next login into the database in a value called LastSuccessfulLoginIP. We will also record the Date/Time of that login.
If the user is logging on with a different device login IP, we will force the second 2F authentication before allowing a log in if 2F is enabled.
If 2F is enabled and number of days between the last 2FAuthentication has passed, it will force another re-authentication.
To provide both SMS and voice call verification codes, we are current programming our 2F authentication options around the Authy API from Twilio. We already support the Twilio SMS API, so adding this feature if you have an twilio account is fairly easy to implement.
So even if users do not have a smart phone or TXT SMS access, they can still get authentication codes delivered by a voice call.
The Twilio API sends the TXT message/voice call from generic 2F authentication source that is only valid for 10 minutes and that code has to be confirmed within that time period.