[Yubico Authentication] Implementation

Forge Component
Published on 2014-10-13 by Justin James
Love your work JJ.

We have been researching ways to extend the authentication capability of our apps. Yubico looks very impressive.

Can you give me an idea of how you implemented (or intend to implement) this component with the OutSystems platform? Are there any additional software/services that have to be installed on the server?

Very interesting!!!

Robbie -

Glad to help!

No software or services need to be installed client-side, that's one reason we chose Yubico over RSA and other similar systems.

The implementation was very simple; it took me 15 minutes. Here's what I did:

1. Added a "YubicoDeviceId" Text(12) attribute to my UserExtended entity. Each Yubico device has a unique ID, and it is 12 letters long. Added a site property for the Client Id and API Key for Yubico (both can be generated from their site).

2. Made an action to determine if a particular user requires Yubico authentication (we are only doing it for in-house super admin users). My action just verifies that a) the user has the role that requires it and b) the user's record has a YubicoDeviceId set. The second check is only while we are deciding if we want this; once we are sure, ALL super admins will require it, and won't be able to log in unless they have it!

3. Modified our login screen to have a field for the one-time-password. I hide it unless an on-screen boolean (defaulted to "false") is true.

4. In the Login action, it checks to see if they require the Yubico authentication. I do this BEFORE I run the "LoginPassword", so the user never gets logged in. If so, it toggles that variable to "true" and refreshes the screen to show the one-time-password field. I use InputSetFocus to put the focus there. If that variable is ALREADY true, it means that they already have the one-time-password field on their screen, so it uses this extension to validate the one-time-password. If that comes back good, it runs the LoginPassword action as expected to validate that their password is good, log them in, etc.

5. The Yubico key sends a newline as part of the text, so simply pushing the button re-submits the form; it's VERY usable for the end user! It's basically just adding the need for them to reach over to their key and push the button on it.

As of right now, the keys are $25/each, which is a great price to make this app super-secure, and a bag of 10 is $230 or $225; it's basically a 10% discount to buy 10 at a time.

Again, implementation was about 15 minutes, to go from "username/password" security model to "username/password + one-time-password" security. I could not be happier.
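To make steps 2 and 4 above concrete, here is an added Python sketch of the decision logic (example code, not the extension's or the original poster's, and not OutSystems-specific): the role/device-ID check, the signed YubiCloud verification query and response check built from the Client Id and API Key mentioned in step 1, and the gate that runs before LoginPassword. The role name, the field names, the constructed demo key, and the rule that the OTP's 12-character public ID must match the user's stored YubicoDeviceId are assumptions of this example, not something the post states.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode

MODHEX = set("cbdefghijklnrtuv")  # alphabet a YubiKey types, keyboard-layout independent
PUBLIC_ID_LEN = 12                  # the Text(12) YubicoDeviceId attribute from step 1
DEMO_API_KEY = base64.b64encode(b"constructed demo key").decode()  # constructed, not a real key

def requires_yubico(user_roles, yubico_device_id, required_role="SuperAdmin"):
    """Step 2: OTP is demanded when the user holds the protected role (hypothetical name) AND has a device ID."""
    return required_role in user_roles and bool(yubico_device_id)

def public_id_of(otp):
    """Return the 12-char public ID prefix of a well-formed Yubico OTP, else None.
    An OTP is 44 modhex chars (12 public ID + 32 encrypted token); the newline from step 5 is stripped."""
    otp = otp.strip().lower()
    if len(otp) != 44 or not set(otp) <= MODHEX:
        return None
    return otp[:PUBLIC_ID_LEN]

def sign(fields, api_key_b64):
    """YubiCloud v2.0 signature: base64(HMAC-SHA1(key, sorted key=value pairs joined by &)), h excluded."""
    msg = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), msg.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_verify_query(client_id, api_key_b64, otp, nonce=None):
    """Signed query string for GET /wsapi/2.0/verify on the validation server (nothing is sent here)."""
    params = {"id": str(client_id), "otp": otp.strip(), "nonce": nonce or secrets.token_hex(16)}
    params["h"] = sign(params, api_key_b64)
    return urlencode(params)

def response_is_valid(body, api_key_b64, sent_otp, sent_nonce):
    """Trust a validation response only if its signature checks out AND it echoes our otp and nonce."""
    fields = dict(line.split("=", 1) for line in body.strip().splitlines() if "=" in line)
    if not hmac.compare_digest(fields.get("h", ""), sign(fields, api_key_b64)):
        return False
    return (fields.get("status") == "OK" and fields.get("otp") == sent_otp.strip()
            and fields.get("nonce") == sent_nonce)

def login_step(user_roles, yubico_device_id, otp_entered, cloud_ok):
    """Step 4 decision, taken BEFORE LoginPassword: 'show_otp', 'reject', or 'password' (run LoginPassword)."""
    if not requires_yubico(user_roles, yubico_device_id):
        return "password"
    if otp_entered is None:
        return "show_otp"
    # Bind the OTP to the enrolled key: a valid OTP from someone else's YubiKey must not pass.
    if public_id_of(otp_entered) != yubico_device_id.lower() or not cloud_ok:
        return "reject"
    return "password"
```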

Thanks mate.

The Standard keys are $25/each, and the NEO keys are $50 each.
Is there a difference?
Will your extension work for both keys?


Robbie -

The NEO keys add NFC so they can be used with mobile devices. This extension should work for either one, all it needs to do is have you get the one-time-password to it, and that's going to work the same no matter which Yubico key you purchase.

Yubico Authentication vs Yubico Connector (http://www.outsystems.com/forge/component/181/Yubico+Connector+(Two+Factor+Authentication))

What is new in Yubico Authentication?
No idea... didn't even think there'd be one on here so I never checked before I did mine.

Is yours .NET or Java? The Forge page doesn't say, and GitHub's UI is such a steaming pile of hot garbage I can't figure out how to download your XIF from there.