2FA - Two-Factor Authentication

What is that

Two-factor authentication (2FA) is a security mechanism in which the user is required to provide two different authentication factors to verify their identity. It is used to make access safer to any type of resource we interact with: websites and web services, financial or bank accounts, doors or gates of apartments and offices, and any service that needs strong authentication.

Why use it

Most websites still rely on the good old username and password authentication, which is among the worst possible techniques for protecting our data.

Here is a list of reasons why this method should no longer be used:

  • Credential theft (or the fraudulent acquisition of "weak" credentials) is the favourite weapon of attackers, used in 95% of all attacks on websites and web services;
  • Password theft is constantly evolving thanks to the attackers' use of tools such as keylogging, phishing, pharming and so on, which in recent years have become increasingly accessible, widespread and easy to use;
  • The vast number of passwords we have to use (and memorize) in our daily life (personal + corporate) pushes users and employees into many unsafe behaviours, for example:
    • Using easy-to-remember (and therefore weak) passwords;
    • Saving credentials in the browsers / devices used;
    • Storing passwords in unsafe places (post-its, paper sheets, text files).

While most of these threats can be mitigated by using a strong password, the real weakness of this approach is that it provides only one level of protection against unauthorized access: a single mistake on our part is enough to allow an attacker to gain access to our data.

Authentication factors

To access any digital system (computer, ATM, website or other) we first have to identify ourselves by entering our username, and then prove that it is really us. This is the authentication phase, which can take place in three different ways:

  1. Something you know: includes all kinds of passwords, PINs, combinations, keywords etc.;
  2. Something you own: includes any physical object such as a smartphone, token, app etc.;
  3. Something you are: includes everything that is part of the human body and can be used to confirm the identity of a person, such as fingerprints, voice recognition, facial recognition etc.

In many cases, authentication takes place with the password only: this is single-factor authentication. We speak of 2FA when at least two of the three factors listed above are used.

Registration

In order to access the resources protected by Oplon 2FA, you must first register through the registration page via browser, then download the application on your smartphone and register it by entering the data you have just registered.

Registration from the browser

To reach the registration page, simply request a resource protected by 2FA. Once redirected to the login page, click the REGISTER button.

Figure 1: Login page

Enter all the required data, including email and telephone number, and click CONTINUE.

Figure 2: Registration page

At this point two codes will be sent to us, which we will call OTC (One Time Code): one to the email address and the other to the telephone number entered previously. Once received, enter them in the appropriate inputs. This step is important because it verifies that the email and mobile number are actually ours. Then click the CHECK button.

Figure 3: Data verification page

If the two OTCs are entered after the time limit has expired, registration will not be possible. In that case, click the RESEND EMAIL and RESEND SMS buttons to receive two new codes, which can then be entered to validate the registration.

If the two codes are correct, a registration confirmation page is displayed.

Figure 4: Registration confirmation page

Registering your mobile device

The SMS received during registration contains two links to download the Oplon2FA app: one for iOS and one for Android. Once Oplon2FA is installed on our smartphone and opened, the app detects that the device has not yet been registered and shows the registration screen. The data to enter are those used during registration via the browser; enter them and click Register.

Figure 5: App registration

An OTC will then be requested, sent by SMS to our mobile number.

Figure 6: App verification

Once registration has succeeded, we are redirected to the app home.

Figure 7: App home

Authentication

Once registration is complete, it is possible to access your personal area and request permission to access certain resources / paths protected by Oplon 2FA. Such requests must then be accepted by the domain manager, whom we will call the Tenant, from whom the permission is being requested.

Permission request

To access a certain resource/path, simply make a request via browser, for example https://domain/resource; we will be redirected to the Oplon 2FA login page. Enter the data used at registration and press the LOGIN button. A page is then shown that waits for the login to be authorized through our mobile phone.

Figure 8: Waiting for app authorization

All we have to do is open the app and tap Check requests. The app checks whether there are active login requests and shows the current one together with various details. To confirm the login, tap the Yes, grant access button.

Figure 9: Access permission

The browser will be redirected to:

  • Resource: if we have permission to access it;

  • Account page: if we do not yet have permission to access it. In this case there are two possibilities:

    • The permission does not exist: a notification explains that the manager has not yet created a permission rule for the requested resource;

      Figure 10: Non-existent permission for the resource

    • The permission exists: a notification appears through which we can request permission for the requested resource by clicking the REQUEST PERMISSION button. The manager must then accept our request; only once it has been accepted can we access the resource, by requesting https://domain/resource and logging in again.

      Figure 11: Request permission

Administration panel

This section describes the structure and functions of the Oplon 2FA administration panel.

Account

This is the page seen by any user who has registered with Oplon 2FA.

Figure 12: Account page

Reset

The first panel displays some information about your account: username, phone number and email. The phone number and email can be changed using the appropriate buttons; the username is the only value that cannot be changed. When resetting the email or telephone number, an OTC is sent for the respective reset and must be entered in the appropriate input to verify that the email / telephone is actually ours.

Permissions

The Permissions panel displays the list of domains in which we can access at least one resource.

Figure 13: User permissions panel

Permissions requests

The Permissions requests panel displays all the permission requests we have made. There are 3 views, selectable to the right of the panel's search bar:

  • Pending: (default) list of requests made but not yet accepted / rejected;
  • Granted: list of requests that have been accepted;
  • Not-granted: list of requests that have been refused.

Tenant

This page belongs exclusively to the domain manager, who can create and manage manager roles.

Figure 14: Tenant page

Manage roles

In this panel the Tenant can create a role by clicking on the green + button and entering:

  • Role: name that uniquely identifies the role;
  • Description: role description.

Once a role has been entered, it is possible to modify its description by clicking on the pencil icon or to delete it by clicking on the trash can icon.

Figure 15: Role management

Manage domains

In this panel the Tenant can add a domain that they manage by clicking on the green + button and entering:

  • Domain: domain name;
  • Description: domain description;
  • Activation code: used to verify that the Tenant actually manages that domain. The code entered must match the code in the rewrite header rule configured in Oplon ADC.

Once a domain has been entered, it is possible to modify its description by clicking on the pencil icon or to delete it by clicking on the trash can icon.

Figure 16: Domain management

Manage role-domain associations

In this panel the Tenant can associate a role to a domain by clicking on the green + button and entering:

  • Role: name that uniquely identifies the role;
  • Domain: domain name.

Once a domain-role has been entered, it is only possible to delete it by clicking on the trash can icon.

NB: A role can manage multiple domains.

Figure 17: Role-domain management

Manage user-role associations

In this panel the Tenant can associate a user to a role by clicking on the green + button and entering:

  • Username: username;
  • Role: name that uniquely identifies the role.

From this point on, the user associated with a role can access an additional page to manage the permissions and permission requests for the domains associated with that role. Once a user-role has been entered, it can only be deleted, by clicking on the trash can icon.

Figure 18: User-role management

Manager

This page is accessible only to users who have been enabled by the Tenant to manage permissions and requests for permissions for a certain domain.

Figure 19: Manager page

Permissions

This panel shows the list of domains for which you have management permission.

Figure 20: Permissions list panel

Manage permissions

In this panel the manager can create the list of permissions for certain paths of a certain domain by clicking on the green + button and entering:

  • Domain: domain for which you want to add a permission;
  • Description: permission description;
  • Code: name that uniquely identifies the permission (the only special characters allowed are "_" and "-");
  • Regex: regular expression that defines the match rule for the domain path;
  • Order: order in which the path rules are checked (the permission with the highest number is considered first, the one with the lowest number last).

Figure 21: Permissions management panel

Once a permission has been entered, its description, regular expression and order can be changed by clicking on the pencil icon, or it can be deleted by clicking on the trash can icon.

Please note: a permission can be removed only if there are no permission requests for that domain.

Manage permissions requests

This panel displays the list of permission requests made by users. There are 3 views, selectable to the right of the panel's search bar:

  • Pending: (default) list of requests that have been received but not yet accepted / rejected;
  • Granted: list of requests that have been accepted. Here it is possible to change the expiration date of the accepted permission, after which the permission is no longer valid for that user. Example: if the expiration date is set to 05/08/2021, the user can no longer access this path from 00:00:00 on 06/08/2021;
  • Not-granted: list of requests that have been refused.
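As an added illustration (not Oplon's own code), the following Python shows how the Code, Regex and Order fields of the Manage permissions panel and the expiration date of a Granted request combine into the redirect decision described in the Permission request section; the rules, usernames, paths and dates are constructed.

```python
import re
from datetime import date, datetime, timedelta

# Constructed rules for one domain (code, regex, order). As in the manager
# panel, the rule with the highest order is checked first and the lowest last,
# so the more specific /admin/docs/ rule must carry a higher order than /admin/.
PERMISSIONS = [
    {"code": "admin-area", "regex": r"^/admin/", "order": 20},
    {"code": "public_docs", "regex": r"^/docs/", "order": 10},
    {"code": "admin-docs", "regex": r"^/admin/docs/", "order": 30},
]

# Constructed "Granted" requests: (username, permission code) -> expiration
# date, or None when no expiration date has been set.
GRANTED = {
    ("alice", "admin-area"): date(2021, 8, 5),
    ("bob", "public_docs"): None,
}

def valid_code(code):
    """Permission codes allow only letters, digits, '_' and '-'."""
    return re.fullmatch(r"[A-Za-z0-9_-]+", code) is not None

def matching_permission(path, permissions=PERMISSIONS):
    """Code of the first rule whose regex matches the path, checking rules
    from the highest order to the lowest; None if no rule covers the path."""
    for rule in sorted(permissions, key=lambda r: r["order"], reverse=True):
        if re.search(rule["regex"], path):
            return rule["code"]
    return None

def grant_is_valid(username, code, now, granted=GRANTED):
    """A grant with expiration date D stops working at 00:00:00 on D + 1 day."""
    if (username, code) not in granted:
        return False
    expires = granted[(username, code)]
    if expires is None:
        return True
    cutoff = datetime.combine(expires + timedelta(days=1), datetime.min.time())
    return now < cutoff

def access_decision(username, path, now):
    """'resource': user may open the path; 'no-rule': no permission rule matches;
    'request': a rule exists but the user has no valid grant (REQUEST PERMISSION)."""
    code = matching_permission(path)
    if code is None:
        return "no-rule"
    return "resource" if grant_is_valid(username, code, now) else "request"
```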

Figure 22: Permission request management panel