We recently implemented Two-Factor Authentication (2FA) in Alfresco for one of our customers. 2FA adds an extra security step to your login procedure. The default username and password is your single factor of authentication. The second factor is a token you receive by using your mobile phone or other mobile devices. Combining the username, password and token gives you access to your online Alfresco platform.

The Alfresco community offers a number of 2FA solutions.

Picture

These solutions are using a 2FA provider such as Authy. One of the benefits of using providers like these is the variety of authentication options you can choose from. You also get to choose the way you want to receive the token. Available options are by SMS, a phone call, mobile application or a separate hardware token. Currently, the SMS option is the most common method of delivering the 2FA token, for every mobile device (non-smartphone) is SMS capable. You may not realize this, but SMS is also the least secure way to deliver a token.

All these extra 2FA possibilities are great when using a 2FA provider, but it comes with a cost as well. We calculated the costs of some 2FA providers and we realized that it could be quite expensive depending on your service model and number of users. Therefore, we challenged ourselves to create a simple but effective 2FA solution. After some research, we found that we can use the Google Authenticator App as solution for providing the tokens.

How does it work?
Basically, we generate a QR image (token) by using the Google Charts API. You need to scan the QR image with the Google Authenticator App and it will show a 6-digit number that refreshes every 30 seconds. We use the Time-based One-Time Password (TOTP) algorithm to create this temporary 6-digit number.And how does it work in Alfresco?
The first step is to provide an extra input field in the login form. This can easily be done by extending the package root org.alfresco.components.guest.
<@markup id=”2fa” target=”fields” action=”after” scope=”global”>
<@uniqueIdDiv>
<#assign el=args.htmlid?html>
<div class=”form-field”>
<label for=”${el}-token”>${msg(“label.token”)}</label><br/>
<input type=”text” id=”${el}-token” name=”token” maxlength=”255″ />
</div>
</@>
</@>
After you added the extra input field, you need to extend the SlingshotLoginController class. Because you need to get the token parameter from the login form. You need to add some logic using the connectorService to connect to the backend API in which you validate the username in combination with the token.
Each user in Alfresco has a secret key which validates the 6-digit number. For the backend validation check, you can take a look at the Google Authenticator service side code on Github.After you implemented the token validation, you need to create an administrator page in order to manage the tokens. The following image is an example of how to manage tokens in Alfresco.

 

Picture

 

No third-party costs involved
We accomplished a 2FA mechanism without any use of a 2FA provider. Of course, the options in this scenario are limited, because you can only use the Google Authenticator mechanism. In the end, the percentage of smartphone users will continue to grow and therefore the need for SMS supported authentication will be less of a requirement in future time. This solution is a good alternative for companies that want to use an extra security layer for their public Alfresco platform without any third-party costs involved.The Google Authenticator App is free available for any smartphone (iPhone, Android or Microsoft).
Recent Posts

Start typing and press Enter to search