What it is
Two-factor authentication (2FA) is a security mechanism that requires the user to provide two different authentication factors to verify their identity. It makes access safer to any kind of resource we interact with: websites and web services, financial or bank accounts, doors or gates of apartments and offices, and any service that needs strong authentication.
Why use it
Most websites still rely on the good old username-and-password authentication method, which is among the worst possible techniques for protecting our data.
Here is a list of reasons why this method should no longer be used:
- Credential theft (or the fraudulent obtaining of "weak" credentials) is the favourite weapon of attackers, used in 95% of all attacks on websites and web services;
- Password theft is constantly evolving thanks to attackers' use of tools such as keylogging, phishing, pharming and so on, which in recent years have become increasingly accessible, widespread and easy to use;
- The vast number of passwords we have to use (and memorize) in our daily life (personal + corporate) pushes users and employees into many unsafe behaviours, such as:
  - Use of easy-to-remember (and therefore weak) passwords;
  - Saving credentials in the browsers / devices used for navigation;
  - Storing passwords in unsafe places (post-its, paper sheets, text files).
While most of these threats can be mitigated by using a strong password, the real weakness of this approach is that it provides only one level of protection against unauthorized access: a single mistake on our part is enough to let an attacker reach our data.
To access any digital system (computer, ATM, website or other) we first have to identify ourselves by entering our username, then we have to prove that it really is us. This is the authentication phase, which can rely on three kinds of factors:
- Something you know: includes all kinds of passwords, PINs, combinations, keywords etc.;
- Something you have: includes any physical object such as a smartphone, token, app etc.;
- Something you are: includes everything that is part of the human body and can be used to confirm a person's identity, such as fingerprints, voice recognition, facial recognition etc.
In many cases authentication takes place with only the password: this is single-factor authentication. We speak of 2FA when at least two of the three factors listed above are used.
To access the resources protected by Oplon 2FA, you must first register through the registration page in your browser, then download the app on your smartphone and register it by entering the data you have just registered with.
Registration from the browser
To reach the registration page, simply request a resource protected by 2FA. Once redirected to the login page, click the REGISTER button.
Figure 1: Login page
Enter all the required data, including email and telephone number, and click Continue.
Figure 2: Registration page
At this point we are sent two codes, which we will call OTC (One Time Code): one to the email address and the other to the telephone number entered earlier. Once the codes have been received, enter them in the appropriate fields. This step is important because it verifies that the email and mobile number are actually ours. Then click the CHECK button.
Figure 3: Data verification page
If the two OTCs are entered after a certain time limit, registration will not be possible. In that case, click the two buttons RESEND EMAIL and RESEND SMS to receive two new codes, which can then be entered to validate the registration.
If the two codes are correct, a registration confirmation page is displayed.
Figure 4: Registration confirmation page
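The registration check above combines something you know (the data typed into the form) with proof of control over two contact channels, each verified by a one-time code that dies after a time limit and can be resent. The following Python model is an added example written for this page, not Oplon's own code: the six-digit length, the 300-second validity window, the `OtcService` / `verify_registration` names and the sample address and phone number are all assumptions made here.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example: the code length and validity window are assumptions, not Oplon's settings.
OTC_DIGITS = 6
OTC_TTL_SECONDS = 300


class ManualClock:
    """Constructed clock so the time limit can be exercised without waiting."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class OtcChallenge:
    channel: str        # "email" or "sms"
    destination: str    # the address or number the user typed on the registration page
    code: str
    issued_at: float


class OtcService:
    """Issues and checks one-time codes; one live code per (channel, destination)."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # (channel, destination) -> OtcChallenge
        self.outbox = []     # constructed stand-in for the email/SMS gateway

    def send(self, channel, destination):
        # CSPRNG-generated digits; a resend simply replaces the earlier code
        code = "".join(secrets.choice("0123456789") for _ in range(OTC_DIGITS))
        challenge = OtcChallenge(channel, destination, code, self._now())
        self._pending[(channel, destination)] = challenge
        self.outbox.append((channel, destination, code))
        return challenge

    def verify(self, channel, destination, submitted):
        challenge = self._pending.get((channel, destination))
        if challenge is None:
            return "no-challenge"
        if self._now() - challenge.issued_at > OTC_TTL_SECONDS:
            del self._pending[(channel, destination)]   # a late code is dead; the user must resend
            return "expired"
        if not hmac.compare_digest(challenge.code, submitted):
            return "wrong"                               # code stays live for a retry
        del self._pending[(channel, destination)]        # one-time: consumed on success
        return "ok"


def verify_registration(svc, email, phone, email_code, sms_code):
    """The CHECK step: both codes must verify, proving control of both contact channels."""
    results = (svc.verify("email", email, email_code), svc.verify("sms", phone, sms_code))
    return all(r == "ok" for r in results), results


def demo():
    """Walks through: codes sent, entered too late, both resent, entered in time."""
    clock = ManualClock()
    svc = OtcService(now=clock)
    email, phone = "user@example.test", "+390000000000"      # constructed values
    first_email = svc.send("email", email)
    first_sms = svc.send("sms", phone)
    clock.advance(OTC_TTL_SECONDS + 1)                       # the user reacts after the limit
    late_ok, late = verify_registration(svc, email, phone, first_email.code, first_sms.code)
    second_email = svc.send("email", email)                  # RESEND EMAIL
    second_sms = svc.send("sms", phone)                      # RESEND SMS
    clock.advance(30)
    ok, results = verify_registration(svc, email, phone, second_email.code, second_sms.code)
    replay = svc.verify("sms", phone, second_sms.code)       # a consumed code cannot be reused
    return late_ok, late, ok, results, replay


if __name__ == "__main__":
    print(demo())
```

Two details matter for a real deployment: the comparison uses `hmac.compare_digest` so that a wrong code takes the same time to reject whatever its first digit, and a code that verifies successfully is deleted immediately, so intercepting it after use gains nothing.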
Registering your mobile device
The SMS received during registration contains two links to download the Oplon2FA app: one for iOS and one for Android. Once Oplon2FA is installed on our smartphone and opened, the app recognizes that the device has not yet been registered and shows the registration screen. Enter the same data used during registration via the browser and click Register.
Figure 5: App registration
An OTC code, sent by text message to our mobile number, will be requested.
Figure 6: App verification
Once registration has succeeded, we are redirected to the app home.
Figure 7: App home
Once registration is complete, you can access your personal area and request permission to access certain resources / paths protected by Oplon 2FA. Such requests must then be accepted by the manager of the domain from which permission is being requested, whom we will call the Tenant.
To access a certain resource/path, simply request it via the browser, for example https://domain/resource; we are then redirected to the Oplon 2FA login page. Enter the data used at registration and press the LOGIN button. A page is then shown that waits for the login to be authorized from our mobile phone.
Figure 8: Waiting for app authorization
All we have to do is open the app and tap Check requests. The app checks whether there are any active login requests and shows the current one together with various information. To confirm the login, tap the Yes, grant access button.
Figure 9: Access permission
The browser is then redirected to:
- Resource: if we have permission to access it;
- Account page: if we do not yet have permission to access it. In this case there are two possibilities:
  - The permission does not exist: a notification explains that the manager has not yet created a permission rule for the requested resource;
Figure 10: Non-existent permission for the resource
  - The permission exists: a notification appears through which we can request permission for the resource by clicking the REQUEST PERMISSION button. The manager must then accept the request; only once it has been accepted can we access the resource, by requesting https://domain/resource again and logging in again.
Figure 11: Request permission
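The waiting page and the app are two sides of one exchange: the browser parks a pending login request after the password check, the app lists the user's live requests and answers one of them, and the browser polls until an answer (or a timeout) arrives. The broker below is an added example written for this page, not Oplon's code; the 120-second timeout, the `AuthorizationBroker` name, the request states and the sample users and browser descriptions are assumptions of the example.

```python
import secrets
import time
from dataclasses import dataclass

LOGIN_REQUEST_TTL = 120   # assumed: seconds the waiting page gives the user to answer in the app


class ManualClock:
    """Constructed clock so the timeout can be exercised without waiting."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


@dataclass
class LoginRequest:
    request_id: str
    username: str
    resource: str        # the URL that triggered the login, e.g. https://domain/resource
    client_info: str     # the "various information" the app shows (constructed here)
    created_at: float
    state: str = "pending"   # pending | granted | denied | expired


class AuthorizationBroker:
    """State shared by the waiting login page (browser side) and the app (phone side)."""

    def __init__(self, now=time.time):
        self._now = now
        self._requests = {}

    # browser side: after the password check, park the login until the phone answers
    def create_request(self, username, resource, client_info):
        request_id = secrets.token_urlsafe(16)   # unguessable, so polling cannot be hijacked
        req = LoginRequest(request_id, username, resource, client_info, self._now())
        self._requests[request_id] = req
        return req

    def _refresh(self, req):
        if req.state == "pending" and self._now() - req.created_at > LOGIN_REQUEST_TTL:
            req.state = "expired"
        return req

    # app side: "Check requests" lists only this user's live requests
    def active_requests(self, username):
        return [r for r in self._requests.values()
                if r.username == username and self._refresh(r).state == "pending"]

    # app side: "Yes, grant access" (or a refusal) is bound to one specific request
    def decide(self, username, request_id, grant):
        req = self._requests.get(request_id)
        if req is None or req.username != username or self._refresh(req).state != "pending":
            return False
        req.state = "granted" if grant else "denied"
        return True

    # browser side: the waiting page polls until the state leaves "pending"
    def poll(self, request_id):
        req = self._requests.get(request_id)
        return None if req is None else self._refresh(req).state


def demo():
    clock = ManualClock()
    broker = AuthorizationBroker(now=clock)
    req = broker.create_request("alice", "https://domain/resource", "Firefox on Linux")  # constructed
    waiting = broker.poll(req.request_id)                          # browser shows the waiting page
    shown = [r.request_id for r in broker.active_requests("alice")]  # what the app lists
    granted = broker.decide("alice", req.request_id, grant=True)   # "Yes, grant access"
    outsider = broker.decide("bob", req.request_id, grant=True)    # not bob's request
    final = broker.poll(req.request_id)
    stale = broker.create_request("alice", "https://domain/reports", "Chrome on Windows")
    clock.advance(LOGIN_REQUEST_TTL + 1)                           # nobody answered in time
    late = broker.decide("alice", stale.request_id, grant=True)
    return waiting, shown == [req.request_id], granted, outsider, final, late, broker.poll(stale.request_id)


if __name__ == "__main__":
    print(demo())
```

The app's decision is tied to a specific request id rather than to "whatever is pending", which is what lets the user compare the resource and client information shown on the phone with the login they actually started before granting it.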
This section describes the structure and functions of the Oplon 2FA administration panel.
Account page
This is the page seen by any user who has registered with Oplon 2FA.
Figure 12: Account page
The first panel shows some information about your account: username, phone number and email. These data can be changed with the appropriate buttons, except for the username, which cannot be changed. When the email or telephone number is changed, an OTC code is sent for the respective change and must then be entered in the appropriate field to verify that the email / telephone is actually ours.
The Permissions panel lists the domains in which we can access at least one resource.
Figure 13: User permissions panel
The Permission requests panel lists all the permission requests we have made. Three views are available, to the right of the panel's search bar:
- Pending: (default) list of requests that have been made but not yet accepted / rejected;
- Granted: list of requests that have been accepted;
- Not-granted: list of requests that have been refused.
Tenant page
This page belongs exclusively to the domain manager, who can create and manage manager roles.
Figure 14: Tenant page
In this panel the Tenant can create a role by clicking the green + button and entering:
- Role: name that uniquely identifies the role;
- Description: role description.
Once a role has been entered, its description can be changed by clicking the pencil icon, or the role can be deleted by clicking the trash can icon.
Figure 15: Role management
In this panel the Tenant can add a domain they manage by clicking the green + button and entering:
- Domain: domain name;
- Description: domain description;
- Activation code: used to verify that the Tenant actually manages that domain. The code entered must be the same as the code in the rewrite header rule configured in Oplon ADC.
Once a domain has been entered, its description can be changed by clicking the pencil icon, or the domain can be deleted by clicking the trash can icon.
Figure 16: Domain management
Manage role-domain associations
In this panel the Tenant can associate a role with a domain by clicking the green + button and entering:
- Role: name that uniquely identifies the role;
- Domain: domain name.
Once a role-domain association has been entered, it can only be deleted, by clicking the trash can icon.
NB: a role can manage multiple domains.
Figure 17: Role-domain management
Manage user-role associations
In this panel the Tenant can associate a user with a role by clicking the green + button and entering:
- Username: username;
- Role: name that uniquely identifies the role.
The user associated with a role can then access an additional page to manage the permissions and permission requests of the domains associated with that role. Once a user-role association has been entered, it can only be deleted, by clicking the trash can icon.
Figure 18: User-role management
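The four Tenant panels together define who may manage which domain: roles, domains (each proven with an activation code), role-domain links and user-role links, with a role allowed to cover several domains. The model below is an added example for this page, not Oplon's code; the `TenantConsole` name, the sample roles, domains, users and activation codes are constructed, and the activation-code check simply compares two values handed in by the caller, standing in for the comparison against the Oplon ADC rewrite header rule that the page describes.

```python
import hmac


class TenantConsole:
    """Added model of the Tenant page: roles, domains, role-domain and user-role links."""

    def __init__(self):
        self.roles = {}            # role name -> description (role names are unique)
        self.domains = {}          # domain name -> description
        self.role_domains = set()  # (role, domain) pairs
        self.user_roles = set()    # (username, role) pairs

    def add_role(self, role, description):
        if role in self.roles:
            raise ValueError(f"role {role!r} already exists")
        self.roles[role] = description

    def add_domain(self, domain, description, activation_code, adc_rule_code):
        # The page requires the activation code to equal the code of the rewrite header
        # rule in Oplon ADC; here the ADC-side value is passed in (constructed check).
        if not hmac.compare_digest(activation_code, adc_rule_code):
            raise ValueError("activation code does not match the ADC rule")
        self.domains[domain] = description

    def link_role_domain(self, role, domain):
        if role not in self.roles or domain not in self.domains:
            raise KeyError("unknown role or domain")
        self.role_domains.add((role, domain))

    def link_user_role(self, username, role):
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.add((username, role))

    # associations can only be deleted, as on the Tenant page
    def unlink_role_domain(self, role, domain):
        self.role_domains.discard((role, domain))

    def unlink_user_role(self, username, role):
        self.user_roles.discard((username, role))

    def managed_domains(self, username):
        """Domains listed on the user's Manager page: reachable through any of their roles."""
        roles = {r for (u, r) in self.user_roles if u == username}
        return sorted({d for (r, d) in self.role_domains if r in roles})

    def can_manage(self, username, domain):
        return domain in self.managed_domains(username)


def demo():
    t = TenantConsole()
    t.add_role("helpdesk", "first-level support")
    t.add_role("finance-admin", "finance applications")
    # constructed domains and activation codes
    t.add_domain("intranet.example.test", "Intranet", "ACT-123", "ACT-123")
    t.add_domain("erp.example.test", "ERP", "ACT-456", "ACT-456")
    t.link_role_domain("helpdesk", "intranet.example.test")
    t.link_role_domain("helpdesk", "erp.example.test")       # one role, several domains
    t.link_role_domain("finance-admin", "erp.example.test")
    t.link_user_role("alice", "helpdesk")
    t.link_user_role("bob", "finance-admin")
    before = (t.managed_domains("alice"), t.managed_domains("bob"), t.managed_domains("carol"))
    t.unlink_user_role("alice", "helpdesk")                  # revokes alice's Manager page access
    return before, t.managed_domains("alice"), t.can_manage("bob", "erp.example.test")


if __name__ == "__main__":
    print(demo())
```

Because management rights are derived from the two link tables at lookup time, deleting a single user-role or role-domain association is enough to revoke them; nothing is cached on the user.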
Manager page
This page is accessible only to users whom the Tenant has enabled to manage permissions and permission requests for a certain domain.
Figure 19: Manager page
This panel shows the list of domains for which you have management permission.
Figure 20: Permissions list panel
In this panel the manager can create permissions for certain paths of a certain domain by clicking the green + button and entering:
- Domain: domain for which you want to add a permission;
- Description: permission description;
- Code: name that uniquely identifies the permission (the only special characters allowed are "_" and "-");
- Regex: regular expression that defines which paths of the domain the permission matches;
- Order: order in which the paths are checked (the permission with the highest number is considered first, the one with the lowest number last).
Figure 21: Permissions management panel
Once a permission has been entered, its description, regular expression and order can be changed by clicking the pencil icon, or it can be deleted by clicking the trash can icon.
Please note: a permission can be removed only if there are no permission requests for that domain.
Manage permission requests
In this panel the manager sees the list of permission requests made by users. Three views are available, to the right of the panel's search bar:
- Pending: (default) list of requests that have been received but not yet accepted / rejected;
- Granted: list of requests that have been accepted. Here the expiration date of an accepted permission can be changed; after that date the permission is no longer valid for that user. Example: if the expiration date is set to 05/08/2021, the user will no longer be able to access the path from 00:00:00 on 06/08/2021;
- Not-granted: list of requests that have been refused.
Figure 22: Permission request management panel
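Three rules from the Manager page decide what the browser sees after an approved login: the permission whose regex matches the requested path is chosen in descending Order, the user needs an accepted request for that permission, and an accepted request stops working at 00:00:00 on the day after its expiration date (the page's 05/08/2021 example). The evaluator below is an added example written for this page, not Oplon's matching code; the use of anchored `fullmatch`, the constructed rules, users and grants, and the function names are assumptions of the example. It also applies the page's restriction that a permission code may contain only "_" and "-" as special characters.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

# Only "_" and "-" are allowed as special characters in a permission code (page rule)
CODE_RE = re.compile(r"^[A-Za-z0-9_-]+$")


@dataclass(frozen=True)
class Permission:
    domain: str
    code: str
    description: str
    regex: str
    order: int


@dataclass(frozen=True)
class GrantedRequest:
    username: str
    permission_code: str
    expiration: Optional[date]   # None: the grant does not expire


def valid_code(code):
    return bool(CODE_RE.match(code))


def make_permission(domain, code, description, regex, order):
    if not valid_code(code):
        raise ValueError(f"invalid permission code {code!r}")
    re.compile(regex)   # reject a malformed regex when the rule is created, not at request time
    return Permission(domain, code, description, regex, order)


def match_permission(permissions, domain, path):
    """Highest Order first; the first regex that matches the path wins. None if no rule matches."""
    ordered = sorted((p for p in permissions if p.domain == domain),
                     key=lambda p: p.order, reverse=True)
    for perm in ordered:
        # fullmatch is this example's assumption: an unanchored search would let a rule
        # written for /public/... also cover /admin/public/...
        if re.fullmatch(perm.regex, path):
            return perm
    return None


def is_active(grant, at):
    """A grant expiring on 05/08/2021 stops working at 00:00:00 on 06/08/2021 (the page's example)."""
    if grant.expiration is None:
        return True
    next_day = grant.expiration + timedelta(days=1)
    return at < datetime(next_day.year, next_day.month, next_day.day)


def authorize(permissions, grants, username, domain, path, at):
    """The three outcomes after an app-approved login: resource, missing rule, or request permission."""
    perm = match_permission(permissions, domain, path)
    if perm is None:
        return ("account", "no-permission-rule")
    for grant in grants:
        if grant.username == username and grant.permission_code == perm.code and is_active(grant, at):
            return ("resource", perm.code)
    return ("account", "request-permission")


def demo():
    perms = [   # constructed rules for a single domain
        make_permission("domain", "catch-all", "Everything else", r"/.*", 1),
        make_permission("domain", "public-area", "Public pages", r"/public/.*", 10),
        make_permission("domain", "admin-area", "Admin console", r"/admin/.*", 50),
    ]
    grants = [
        GrantedRequest("alice", "admin-area", date(2021, 8, 5)),   # the page's example date
        GrantedRequest("alice", "catch-all", None),
    ]
    before = datetime(2021, 8, 5, 23, 59, 59)
    after = datetime(2021, 8, 6, 0, 0, 0)
    return (
        authorize(perms, grants, "alice", "domain", "/admin/users", before),
        authorize(perms, grants, "alice", "domain", "/admin/users", after),
        authorize(perms, grants, "alice", "domain", "/public/index.html", before),
        authorize(perms, grants, "alice", "domain", "/", before),
        authorize(perms, grants, "alice", "other-domain", "/", before),
    )


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Note what the third case shows: alice holds a never-expiring grant on the low-order catch-all, yet /public/index.html still sends her to the account page, because matching stops at the first (highest-Order) rule that fits and her grant is not for that rule. Ordering the specific rules above the broad ones is therefore what keeps a catch-all grant from silently covering everything.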