SMS-based Two-Factor Authentication

SMS-based two-factor authentication is the most popular choice when it comes to multi-factor authentication as most users have their own mobile phones and have them handy when logging into apps.

How it works?

Users will be granted access to the FintechOS app following these two steps:

Users will navigate to the FintechOS web app and they will provide their account credentials (username and password). Based on the app configuration, the credentials can be either local or from external providers. To make sure account access is protected, after the login credentials are provided, a one-time security pass code is sent to the user’s phone (the phone number set in the user account profile).
In the web app, they provide the pass code received via SMS. Access into the system is granted.

How to set up the SMS-based MFA?

Setting up the SMS-based multi-factor authentication is a two-step process:

1 Enable Multi-Factor Authentication

On the server where the FintechOS installation package resides, go to the web.config file and add the following settings:

To the <configSections> tag, add the multifactorAuthentication section:

Copy

<configuration>
    <configSections>
        ...
         <section name="multiFactorAuthentication" type="EBS.Core.Authentication.Common.MultiFactorAuthentication.Config.MultiFactorAuthenticationSection, EBS.Core.Authentication.Common" />
    </configSections>
<configuration>

Add the <multiFactorAuthentication> tag:

Copy

<configuration>
...
    <multiFactorAuthentication xmlns="http://fintechos.com/ebs/schemas/multiFactorAuthentication" enabled="true">
        <providers>
            <provider name="SMS" enabled="true" default="true">
                <type fullName="EBS.Core.Web.MVC.Security.SmsMultiFactorAuthenticationProvider, EBS.Core.Web.MVC" />
                <properties>
                    <property name="ChannelProvider" value="GatewaySmsOTP" />
                    <property name="CommunicationChannel" value="Sms" />
                    <property name="MaxNumberOfAuthenticationRetries" value="3" />
                    <property name="MaxNumberOfSmsSendings" value="3" /> </properties>
            </provider>
        </providers>
        <runtime>
            <providers>
                <provider name="SMS">
                    <roles>
                        <role name="*" /> </roles>
                </provider>
            </providers>
        </runtime>
    </multiFactorAuthentication>
</configuration>

Where:

multiFactorAuthentication/@enabled - controls if MFA is enabled or not. Default value: false;
multiFactorAuthentication/providers/provider/@enabled - controls if a specific MFA provider is enabled or not. Default value: true;
multiFactorAuthentication/providers/provider/@default
- When MFA is enabled, there can be at most one provider marked with default="true".
- The provider marked with default="true" will be selected for MFA when there are multiple providers available for user's roles and the user hasn't selected any preferred communication channel or his preferred communication channel is not present into the configured providers list.
- Default value: false.
on multiFactorAuthentication/providers/provider/properties:

ChannelProvider - the channel provider used by the SMS MFA provider to send text messages. Its value must be the Name of one of the records from EbsMetadata.FTOS_DPA_ChannelProvider table;
CommunicationChannel - the communication channel used by the SMS provider to send text messages. Its value must be the Name of one of the records from EbsMetadata.FTOS_DPA_CommunicationChannel table;
MaxNumberOfAuthenticationRetries - the user has up to MaxNumberOfAuthenticationRetries chances to enter the correct code. If this threshold is reached the user will be redirected to the login page. Default value: 3;
MaxNumberOfSmsSendings - if needed the user may request a resending of the code for up to MaxNumberOfSmsSendings times. If this threshold is reached the user will be redirected to the login page. Default value: 3;

multiFactorAuthentication/runtime/providers/provider[@name='SMS']/roles will include a <role name=""/> child for each role that contains users that have to be authenticated through this provider. Note that a <role name="*"/> means that all roles will be taken into account;

If the multi-factor authentication is activated, at the next profile change, users will have to provide their phone number (in the Edit System User, My Account page, the Phone Number field is mandatory).

Once you’ve activated the SMS-based authentication, you need to configure the Job Server for Multi-Factor Authentication.

2 Configure the Job Server for MFA

IMPORTANT!
The MessageBus (OCS) plugin for the FintechOS Job Server already includes the configurations required for multi-factor authentication (see the FintechOS Installation Guide for details about MessageBus (OCS) installation).

If you have the MessageBus (OCS) plugin installed, skip this step.
If you are using the standard Job Server configuration, follow the instructions below to configure the multi-factor authentication settings.

On the server where the FintechOS installation package resides, go to the schedule.config file and add the following section:

Copy

<triggers> 
...
    <trigger>
        <name>FTOS.OCB.OTP</name>
        <startTime>02.11.2017 11:00</startTime>
        <endTime>03.11.2080 11:02</endTime>
        <repeatCount>-1</repeatCount>
        <rescheduleAfterRun>false</rescheduleAfterRun>
        <async>false</async>
        <expression>0/10 * * * * ?</expression>
        <services>
            <service>FTOS.OCB.SendMessagesServiceSmsOTP</service>
            <service>FTOS.OCB.UpdateStatusServiceSmsOTP</service>
            <service>FTOS.OCB.UpdateExpiredMessageServiceSmsOTP</service>
        </services>
    </trigger>
</triggers>

On the server where the FintechOS installation package resides, go to the services.config file and add the following sections:

Copy

<serviceList> 
...
    <!--OTP-->
    <service>
        <name>FTOS.OCB.SendMessagesServiceSmsOTP</name>
        <type>class</type>
        <method></method>
        <class>FTOS.MessageBus.ScheduledServices.SendMessagesService</class>
        <assembly>FTOS.MessageBus.ScheduledServices</assembly>-->
        <execParams>provider=gateway;providerSetting=gatewaySmsOTP</execParams>
    </service>
    <service>
        <name>FTOS.OCB.UpdateStatusServiceSmsOTP</name>
        <type>class</type>
        <method></method>
        <class>FTOS.MessageBus.ScheduledServices.UpdateStatusMessagesService</class>
        <assembly>FTOS.MessageBus.ScheduledServices</assembly>-->
        <execParams>provider=gateway;providerSetting=gatewaySmsOTP</execParams>
    </service>
    <service>
        <name>FTOS.OCB.UpdateExpiredMessageServiceSmsOTP</name>
        <type>class</type>
        <method></method>
        <class>FTOS.MessageBus.ScheduledServices.UpdateExpiredMessageService</class>
        <assembly>FTOS.MessageBus.ScheduledServices</assembly>-->
        <execParams>provider=gateway;providerSetting=gatewaySmsOTP</execParams>
    </service>
</serviceList>

Configure Multi Factor Authentication to use an SMS Service provider

In the web.config file, set the ChannelProvider property of the MFA provider with value “FTOSApiSms“.

Example

Copy

<multiFactorAuthentication xmlns="http://fintechos.com/ebs/schemas/multiFactorAuthentication" enabled="true">
        <providers>
            <provider name="SMS" enabled="true">
                <type fullName="EBS.Core.Web.MVC.Security.SmsMultiFactorAuthenticationProvider, EBS.Core.Web.MVC" />
                <properties>
                    <property name="ChannelProvider" value="FTOSApiSms" />
                    <property name="MaxNumberOfAuthenticationRetries" value="3" />
                    <property name="MaxNumberOfSmsSendings" value="3" />
                    <property name="MessageTemplate" value="myMessageTemplate_SmsApi" />
                </properties>
            </provider>
        </providers>
        ...
</multiFactorAuthentication>