Authy 2 factor authentication - How to implement in outsystems login process

Hi
 
I am building a new application in which I want to add an additional layer of security, by adding two-factor authentication (2FA).
 
I found a cloud-based service called ‘Authy’ which seems to offer an elegant, lightweight two-factor authentication solution, based on a software-based token (the Authy app) or SMS.
 
A REST API is available to verify a user token:
GET https://api.authy.com/protected/{FORMAT}/verify/{TOKEN}/{AUTHY_ID}?api_key={KEY}
 
(more information about the API can be found on  http://docs.authy.com/)
 
 
The question that I currently have is what is the best practice to integrate this token validation in a login procedure.
 
The concept that I am thinking of now is to have the token validation process as a conditional step, that must happen before the user_login action is called. See image below for an example. The steps between the dotted lines are added to the standard login action. The Authy ID (or user key), which is needed to identify the user, is already stored in a table in my application and is collected when the username is entered.
 
My question is
 
  • does this approach make sense? is it how 2FA should be implemented?
  • if not, could you please recommend me an alternative way to implement 2FA in a lightweight manner in Outsystems?
  • in case you have experience with alternative approaches / services / tools, I am also open for suggestions.
 
 
That looks like a good approach, since you're checking both authentication items.

I have never actually implemented a 2FA mechanism in OutSystems, but have thought about it and the login flow would probably be something like this.
Hmm,

I have to dig deep. I did test-implement something with Google Authenticator :)

Thanks for the replies, I will try, as soon as business wants us to implement 2FA. Authy appears to be a simple solution...

...however, the Google Authenticator implementation of TOTP doesn't seem too complex either... maybe somebody has already built an extension that implements the specific TOTP algorithm?

https://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm
I know a colleague of mine has built a simple extension using the TOTP algorithm for .NET. I am not sure if he shared the code on the Forge yet, but I'll ping him about this thread.
Well,

it's not a complete app, just the proof-of-concept part of generating a secret -> barcode for Google Authenticator and then calculating the code.
So it's not "Forge ready"... but I don't mind uploading what I've got at the moment here.

You can check my app in my personal as well to see it working (I just published it with an anonymous screen):
https://my.outsystemscloud.com/Auth/

Click the "Gen" button just to create a random secret.
Then use the Google Authentication app to import the barcode.
Clicking "Recalculate Codes" causes "Current Password" on the right of the screen to be updated (you can compare it with what the Google Authenticator app gives you).


Also just a quick note that I found out about Google Authenticator: all online validators accept at least 3 tokens at any given time! (CurrentTime - 30, CurrentTime and CurrentTime + 30)
This is because the Android app of Google Authenticator only syncs the time with the atomic clock in MINUTE increments... but the algorithm works with 30-second intervals... not very smart of them.

Regards,
João Rosado
I've just uploaded a project to the Forge based on João's implementation. It's called Google Authenticator. You can use this to implement MFA using Google Authenticator on your login flow.
Don't know if anyone has mentioned this yet, but I downloaded a pretty simple two-factor component from the Forge called How To - Two Factor Authentication (with Twilio) that works pretty well for me. It gets its SMS functionality from the Twilio Connector (also on the Forge). I removed that dependency and modified the application to use email instead. I was able to get it implemented and working in a few minutes with hardly any effort.

Hope this helps...