2FA - Two Factor Authentication

What it is

Two-factor authentication (2FA) is a security mechanism that requires the user to provide two different authentication factors to verify their identity. It is used to make access safer to any type of resource we may interact with: websites and web services, financial or bank accounts, doors or gates of apartments and offices, and any service that needs strong authentication.

Why use it

Most websites still rely on the good old username-and-password authentication method, which is among the worst possible techniques to protect our data.

Here is a list of reasons why this method should no longer be used:

  • The theft of credentials (or the fraudulent obtaining of "weak" credentials) is the favorite weapon of hackers, used in 95% of all attacks on websites and web services;
  • Password theft is constantly evolving thanks to the use, by hackers, of tools such as keylogging, phishing, pharming and so on, which in recent years have become increasingly accessible, widespread and easy to use;
  • The vast number of passwords we have to use (and memorize) in our daily life (personal + corporate) pushes users and employees to adopt many unsafe behaviors, for example:
    • Use of easy-to-remember (and therefore weak) passwords;
    • Saving of credentials in the browsers / devices used;
    • Storing passwords in unsafe places (post-its, paper sheets, text files).

While most of these threats can be mitigated by using a strong password, the real weakness of this approach is that it provides only one level of protection against unauthorized access: a single mistake on our part is enough to allow an attacker to gain unauthorized access to our data.

Authentication factors

To access any digital system (computer, ATM, website or other) we first have to introduce ourselves by entering our username; then we have to prove that it is really us. This is the authentication phase, which can take place in three different ways:

  1. Something you know: includes all kinds of passwords, PINs, combinations, keywords etc;
  2. Something you own: includes any physical object such as smartphone, token, app etc;
  3. Something you are: includes everything that is part of the human body and can be used to confirm the identity of a person, such as fingerprints, voice recognition, facial recognition etc.

In many cases, authentication takes place with only the password: this is one-factor authentication. Instead, we speak of 2FA if at least two of the three factors listed above are used.

Registration

In order to access the resources protected by Oplon 2FA, you must register through the appropriate registration page via browser, then download the application on your smartphone and register it by entering the data you have just registered.

Registration from the browser

To access the registration page, simply make a request to a resource protected by 2FA. Once redirected to the login page, just click the REGISTER button.

Figure 1: Login page

Enter all requested data and click on NEXT.

Figure 2: Sign up page

At this point a code, which we will call OTC (One Time Code), is sent to the email indicated in the previous step. Enter the code and click on the VERIFY button.

Figure 3: Verify OTC email

In this step you are asked to enter your mobile number. Let's enter it and click on NEXT.

Figure 4: Phone number entry page

As with the email, the OTC will be sent to the mobile number we have indicated. Enter the code and click on the VERIFY button.

Figure 5: Verify OTC phone

If the OTC entered is correct, the registration confirmation will be displayed.

Figure 6: Sign up done

Registering your mobile device

In the SMS received during registration, there are two links to download the Oplon2FA app: one for iOS and one for Android. Once Oplon2FA is installed on our smartphone and opened, the app will recognize that our device has not yet been registered and show us the registration screen. The data are those we used during registration via the browser: enter them and click on Register.

Figure 7: App registration

An OTC code, sent by text message to our mobile number, will be requested.

Figure 8: Check app

Once registration has completed successfully, we will be redirected to the app home.

Figure 9: App home

Authentication

Once the registration is completed, it will be possible to access your personal area and request permission to access certain resources / paths protected by Oplon 2FA. These requests must then be accepted by the domain manager, whom we will call Tenant, from whom permission is being requested.

Permission request

In order to access a certain resource/path, just make a request via browser, for example https://domain/resource, and we will be redirected to the Oplon 2FA login page. We enter the data with which we registered and press the LOGIN button. At this point we will be shown a page that waits for login authorization through our mobile phone.

Figure 10: Waiting for app authorization

All we have to do is open the app and click on Check requests. The app will check whether there are any active login requests and show us the current one along with various information. To confirm the login, just click on the Yes, grant access button.

Figure 11: Access permission

The browser will be redirected to:

  • Resource: if we have permission to access it;

  • Account page: if we do not yet have permission to access it. In this case there are the following possibilities:

    • The permission does not exist: a notification appears explaining that the manager has not yet created a permission rule for the resource we requested;

      Figure 12: Non-existent permission for the resource

    • The permission exists: a notification appears through which we can request permission for the resource by simply clicking on the REQUEST PERMISSION button. The manager will then have to accept our request; only once it has been accepted, and after requesting the same resource https://domain/resource and logging in again, can we access it.

      Figure 13: Request permission

    • The permission exists but has expired: a notification appears explaining that the requested permission exists but has expired, so the resource is no longer accessible.

      Figure 14: Request permission expired

Administration panel

This section describes the structure and functions of the Oplon 2FA administration panel.

Account

This is the page that is viewed by any user who has registered with Oplon 2FA.

Figure 15: Account page

Reset

The first panel displays some information about your account: username, phone number and email. The phone number and email can be changed using the appropriate buttons; the username is the only data that cannot be changed. When resetting the email or telephone number, an OTC code will be sent for the respective reset and must then be entered in the appropriate input to verify that the email / telephone is actually owned by us.

Figure 16: Info and reset panel

Permissions

The Permissions panel displays the list of domains in which we can access at least one resource.

Figure 17: User permissions panel

Permissions requests

In the Permissions requests panel, all the permission requests we have made are displayed. There are 3 types of views, located to the right of the search bar of this panel:

  • Pending: (default) list of requests that have been made but not yet accepted / rejected;
  • Granted: list of requests that have been accepted;
  • Not-granted: list of requests that have been refused.

Figure 18: Permission requests panel

Report user

Clicking on REPORT displays a table with all operations executed by our account as a normal user:

  • Login
  • Permission request
  • Reset password, mail, phone

Tenant

This page belongs exclusively to the domain manager, who has the ability to create and manage manager roles.

Figure 19: Tenant page

Manage roles

In this panel the Tenant can create a role by clicking on the green + button and entering:

  • Role: name that uniquely identifies the role;
  • Description: role description.

Once a role has been entered, it is possible to modify its description by clicking on the pencil icon or to delete it by clicking on the trash can icon.

Figure 20: Role management

Manage domains

In this panel the Tenant can add a domain that he manages by clicking on the green + button and entering:

  • Domain: domain name;
  • Description: domain description;
  • Activation code: it is used to verify that the Tenant is the person who actually manages that domain. The code entered must be the same as the code of the rewrite header rule inserted in Oplon ADC.

Once a domain has been entered, it is possible to modify its description by clicking on the pencil icon or to delete it by clicking on the trash can icon.

Figure 21: Domain management

Manage roles domains

In this panel the Tenant can associate a role to a domain by clicking on the green + button and entering:

  • Role: name that uniquely identifies the role;
  • Domain: domain name.

Once a domain-role has been entered, it is only possible to delete it by clicking on the trash can icon.

NB: A role can manage multiple domains.

Figure 22: Role-domain management

Manage users roles

In this panel the Tenant can associate a user to a role by clicking on the green + button and entering:

  • Username: username;
  • Role: name that uniquely identifies the role.

At this point, the user to whom a role has been associated will have the possibility to access an additional page to manage the permissions and requests for the domain permissions associated with that role. Once a user-role has been entered, it is only possible to delete it by clicking on the trash can icon.

Figure 23: User-role management

Report tenant

Clicking on REPORT displays a table with all operations executed by your account as Tenant:

  • Add, delete, modify in the Manage roles table;
  • Add, delete, modify in the Manage domains table;
  • Add and delete in the Manage roles domains table;
  • Add and delete in the Manage users roles table.

Manager

This page is accessible only to users who have been enabled by the Tenant to manage permissions and requests for permissions for a certain domain.

Figure 24: Manager page

Permissions

This panel shows the list of domains for which you have management permission.

Figure 25: Permissions list panel

Manage permissions

In this panel the manager can create a list of permissions for certain paths of a certain domain by clicking on the green + button and entering:

  • Domain: domain for which you want to add a permission;
  • Description: permission description;
  • Code: name that uniquely identifies the permission (the only special characters allowed are "_" and "-");
  • Regex: regular expression that defines the match rule of the domain path;
  • Order: path verification order (the permission with the highest number will be considered first, the lowest number will be considered last).

Figure 26: Permissions management panel

Once you have entered a permission, you can change its description, regular expression and order by clicking on the pencil icon, or delete it by clicking on the trash can icon.

Please note: to be able to remove a permission, there must be no permission requests for that domain.

Manage permissions requests

In this panel the manager can view the list of permission requests made by users. There are 3 types of views, located to the right of the search bar of this panel:

  • Pending: (default) list of requests that have been received but not yet accepted / rejected;
  • Granted: list of requests that have been accepted. In this section it is possible to change the expiration date of the accepted permission, after which the permission will no longer be valid for that particular user. Example: if the expiration date is set to 05/08/2021, the user will no longer be able to access this path from 00:00:00 on 06/08/2021;
  • Not-granted: list of requests that have been refused.
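As an added illustration, not Oplon's own code, of how the Regex and Order fields of the Manage permissions panel and the expiration date of a granted request combine into an access decision, here is a small Python model of that decision. The domain, permission codes, regexes and grant table are constructed sample data, and the exact matching semantics of Oplon ADC are an assumption.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# Hypothetical model (constructed for this example) of one row of the
# "Manage permissions" panel: domain, code, regex and order.
@dataclass(frozen=True)
class Permission:
    domain: str
    code: str
    regex: str
    order: int

# Constructed sample rules for one domain: the catch-all has the lowest order
# (considered last), the most specific rule the highest (considered first).
RULES = [
    Permission("example.test", "ALL", r"^/.*$", 0),
    Permission("example.test", "ADMIN", r"^/admin(/.*)?$", 100),
    Permission("example.test", "ADMIN-REPORTS", r"^/admin/reports(/.*)?$", 200),
]

def match_permission(domain: str, path: str, rules=RULES) -> Optional[Permission]:
    """Return the first rule whose regex matches the path, trying the highest
    order first and the lowest last; None when no rule matches."""
    by_order = sorted((r for r in rules if r.domain == domain),
                      key=lambda r: r.order, reverse=True)
    for rule in by_order:
        if re.fullmatch(rule.regex, path):
            return rule
    return None

def grant_is_valid(expiration_iso: str, when_iso: str) -> bool:
    """A granted request stays valid through the whole expiration date:
    with expiration 2021-08-05, access stops at 00:00:00 on 2021-08-06."""
    cutoff = datetime.combine(date.fromisoformat(expiration_iso) + timedelta(days=1),
                              datetime.min.time())
    return datetime.fromisoformat(when_iso) < cutoff

def authorize(domain: str, path: str, grants: dict, when_iso: str) -> str:
    """Resolve the permission for the path, then require a non-expired grant.
    `grants` maps a permission code to this user's expiration date (ISO)."""
    rule = match_permission(domain, path)
    if rule is None:
        return "no-permission-rule"   # Figure 12: no rule for the resource
    if rule.code not in grants:
        return "request-permission"   # Figure 13: rule exists, ask the manager
    if not grant_is_valid(grants[rule.code], when_iso):
        return "expired"              # Figure 14: grant has expired
    return "granted"
```

Swapping the order values of ADMIN and ADMIN-REPORTS shows why the ordering matters: the broader `^/admin(/.*)?$` rule would then shadow the reports rule for every path under /admin/reports.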

Figure 27: Permission request management panel

Report page

This page is accessed once the REPORT button has been clicked on the Account, Manager and Tenant pages, or after clicking the Report icon inside tables. The report panel represents the report for a particular user of a certain type.

The user can be:

The information displayed in the table is:

  • Xff: Content of the X-Forwarded-For header or the IP address of the client or the last proxy that made the request;
  • Type: Operation type, it can be INFO, WARNING, ERROR;
  • Code: Identification code of the operation;
  • Context: Operation context;
  • Origin Url: If present, it indicates the URL that was requested before carrying out the operation. Example: if I request a page protected by Oplon 2FA, am redirected to the login page and perform the login operation, this field will contain the URL of the page I requested before logging in;
  • Description: Operation description;
  • Date: Date and time of the operation.

You can export the report in PDF or CSV format by clicking the Export button.

Figure 28: Report page

Use cases

Loss of smartphone

If your smartphone, and therefore also its SIM card, is lost, to be able to access Oplon 2FA again with a new smartphone you must:

  1. Log in via browser indicating the email as the type of authentication;
  2. Reset the phone number with the new one;
  3. Download the Oplon 2FA app to the new smartphone;
  4. Once the app is open, you will be asked to register your smartphone indicating your username and password;
  5. Complete the registration.

Once these steps have been carried out, the lost smartphone will no longer be able to access Oplon 2FA, because the new registration replaces the old one (only one smartphone can be associated with your account).

Is it possible that the smartphone we lost will be able to register again and therefore have access to Oplon 2FA?

If all the steps listed above are followed, only our new smartphone will have access to Oplon 2FA: having changed the mobile number, the OTC will be sent to the new number during the smartphone registration phase. Thanks to this step, if the old smartphone tries to register, the OTC message will arrive at the new number and it will therefore not be possible for it to complete the registration.

Changing the smartphone with a new one

If we change our smartphone but the phone number remains unchanged, to be able to log in again through Oplon 2FA with the new smartphone we need to:

  1. Log in via browser indicating the email as the type of authentication;
  2. Download the app on the new smartphone;
  3. Once the app is open, you will be asked to register your smartphone indicating your username and password;
  4. Complete the registration.

As explained in the paragraph Loss of smartphone, the old smartphone will no longer be able to access Oplon 2FA.