Data privacy and content security are in high demand, especially in the government, corporate and legal sectors. But security concerns should not stop people from using the latest technologies. When working with documents, proper collaboration is needed along with tight security. So Alfresco, the sturdy Document Management System, in addition to providing all the latest collaboration facilities, has introduced two factor authentication to enhance document security.
So what is the concept of two factor authentication?
Most systems rely, in the name of security, on a username and password. But in today's era, where the number of cybercrime victims touches 1.5 million per day, it is very difficult to feel that your data is secure with this single-password system. Research shows that people choose passwords that can be cracked in a jiffy. So suddenly your so-called secure system is not so secure any more. Security must also involve something you are in possession of, for example the ATM cards we use these days to withdraw money: there is a card and there is a PIN/password. So even if an attacker has your passcode he does not have your card, and vice versa.
Two factor authentication in Alfresco can be done using either:
1. Google Authenticator.
2. A YubiKey.
1. How Google Authentication Works
- The user first registers a 16-character string (let's refer to it as the "Secret-Key") with the Google Authenticator app on his/her device. This Secret-Key is associated with the user's account in Alfresco Share.
- When Alfresco asks for the verification code, the user looks in the app and provides the 6-digit numeric code (let's refer to it as the "Verification-Code") that the app generates.
- On form submission, the Verification-Code provided by the user is verified against the associated Secret-Key.
How is 2FA embedded in Alfresco Share?
Two factor authentication can be implemented using a filter, together with an extension of the default login controller provided by Alfresco Share.
A login request initiated by a user goes through the following steps:
1. The user requests the login page.
2. The filter (TwoFactorAuthenticationFilter.java) identifies this request as a login page request and forwards it to its destination.
3. The user enters the login credentials and submits the form.
4. The filter forwards the submitted login form request to the controller.
5. Since the login controller (LoginController.java) is extended, it lets the parent controller (i.e. Share's default) perform the login; after that, it extracts the information needed to identify whether two factor authentication is enabled for the current user profile.
6. If 2FA is enabled, the session attribute "TwoFactorAuthenticationPassed" is set to "false".
7. If 2FA is disabled, the session attribute "TwoFactorAuthenticationPassed" is set to "true" (in this case no verification is required).
8. The login controller then redirects the user to the home page.
9. The redirected request encounters the custom filter. The filter identifies that this is not a login request and checks the value of the "TwoFactorAuthenticationPassed" attribute in the session.
10. If the value of "TwoFactorAuthenticationPassed" is "false", the user is redirected to the "2fa-login" page to complete the second step of 2FA.
11. On the "2fa-login" page the user is asked for the "Verification-Code"; the user provides the code and clicks verify.
12. The request comes back to the filter, which identifies it as a verification login request and forwards it to the controller (TwoFactorLoginController.java).
13. This controller extracts the user object from the session, gets the "Secret-Key" associated with the user, verifies the "Verification-Code" against the "Secret-Key", sets the session attribute "TwoFactorAuthenticationPassed" accordingly and redirects the request to the user's dashboard.
14. If, on the other hand, the value of "TwoFactorAuthenticationPassed" is "true", the filter forwards the request to its destination.
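The Verification-Code check from the Google Authentication section and the filter/controller flow listed above, modelled together as an added example. This is not the extension's own code: it assumes the Secret-Key is a base32 TOTP seed of the kind Google Authenticator uses (RFC 6238 with HMAC-SHA1, a 30-second step and 6 digits), stands in a plain dict for the HTTP session, and the paths /login, /2fa-login and /dashboard, the SECRET_KEYS lookup and the one-step clock-skew window are all assumptions. Two details worth noting: the filter fails closed (a missing session attribute is treated as "not passed"), and the code comparison is constant-time.

```python
import base64
import hashlib
import hmac
import struct
import time

TOTP_STEP_SECONDS = 30   # Google Authenticator's default time step
TOTP_DIGITS = 6          # length of the Verification-Code shown in the app
SESSION_FLAG = "TwoFactorAuthenticationPassed"
LOGIN_PATH = "/login"          # assumed path of the Share login page/form
TWO_FA_PATH = "/2fa-login"     # page that asks for the Verification-Code
DASHBOARD_PATH = "/dashboard"  # assumed user home after login

# Constructed registry of per-user Secret-Keys (the 16-character base32 strings
# a user registers in the app); in Share they would live in the user profile.
SECRET_KEYS = {"alice": "JBSWY3DPEHPK3PXP"}


def totp_code(secret_key, unix_time):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    padded = secret_key.upper() + "=" * (-len(secret_key) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(unix_time) // TOTP_STEP_SECONDS)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def verify_code(secret_key, verification_code, unix_time=None, window=1):
    """Accept the code for the current step or `window` steps on either side
    (tolerates small clock skew); reject malformed input; compare in constant time."""
    if unix_time is None:
        unix_time = int(time.time())
    code = verification_code.strip()
    if len(code) != TOTP_DIGITS or not code.isdigit():
        return False
    for delta in range(-window, window + 1):
        expected = totp_code(secret_key, unix_time + delta * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def login_controller(session, username, two_fa_enabled):
    """Steps 5-8: after the parent controller has logged the user in, record
    whether the second factor is still pending, then redirect home."""
    session["user"] = username
    session[SESSION_FLAG] = not two_fa_enabled
    return "redirect:" + DASHBOARD_PATH


def two_factor_filter(path, session):
    """Steps 2, 4, 9, 10, 12 and 14: what the filter does with a request."""
    if path in (LOGIN_PATH, TWO_FA_PATH):
        return "forward"  # login and verification requests pass through
    # Fail closed: only an explicit True means the second step has been completed.
    if session.get(SESSION_FLAG) is True:
        return "forward"
    return "redirect:" + TWO_FA_PATH


def two_factor_login_controller(session, verification_code, unix_time=None):
    """Step 13: look up the user's Secret-Key, verify the code, set the flag."""
    secret_key = SECRET_KEYS.get(session.get("user"))
    passed = secret_key is not None and verify_code(secret_key, verification_code, unix_time)
    session[SESSION_FLAG] = passed
    return "redirect:" + (DASHBOARD_PATH if passed else TWO_FA_PATH)


if __name__ == "__main__":
    session = {}
    login_controller(session, "alice", two_fa_enabled=True)
    print(two_factor_filter(DASHBOARD_PATH, session))        # redirect:/2fa-login
    now = int(time.time())
    code = totp_code(SECRET_KEYS["alice"], now)               # what the app would show
    print(two_factor_login_controller(session, code, now))   # redirect:/dashboard
    print(two_factor_filter(DASHBOARD_PATH, session))        # forward
```

Running the block walks one user through the flow: the first dashboard request is bounced to /2fa-login, the correct code flips the session flag, and the next request is forwarded. A user record with no Secret-Key never passes, which is the safe default for an account that was enrolled in 2FA without finishing registration.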
2. With YubiKey.
A YubiKey is a small device that plugs into a USB port and generates a one-time password (OTP). So in addition to your usual username and password you have an extra security factor, and you are in possession of this device, which makes the security even stronger. After submitting the username and password you enter the one-time password while logging in, and the OTPs are then validated by the Yubico servers.
Switching to a process that uses a key like this enhances security to a much greater extent, because it is no longer possible to log in with just a username and password. In addition, each key is associated with a particular user account (the extension takes care of this), so it is not possible to use any key you want: the user has to log in with the key that has been uniquely assigned to him.
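The two checks this section relies on, shown as an added example that is not the extension's code: the key-to-account binding (a YubiKey OTP is 44 ModHex characters and its first 12 are the key's public ID, so the OTP can be matched to the user's registered key before anything is sent to Yubico), and verification of the answer that comes back from the Yubico validation servers. The response handling assumes the Yubico validation protocol v2.0 format, where the server signs the key=value response lines with HMAC-SHA1 under the client's API key; the REGISTERED_KEYS registry, the API key, nonce and response text are constructed sample data.

```python
import base64
import hashlib
import hmac

MODHEX_ALPHABET = "cbdefghijklnrtuv"   # YubiKey OTPs are encoded in ModHex
OTP_LENGTH = 44                        # 12-char public ID + 32-char encrypted part
PUBLIC_ID_LENGTH = 12

# Constructed registry: which key (by public ID) belongs to which Share user.
REGISTERED_KEYS = {"alice": "cccccccccccb", "bob": "cccccccccccd"}


def public_id_of(otp):
    """Return the 12-character public ID of a well-formed OTP, else None."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LENGTH or any(ch not in MODHEX_ALPHABET for ch in otp):
        return None
    return otp[:PUBLIC_ID_LENGTH]


def otp_belongs_to_user(otp, username):
    """Key-to-account binding: reject an OTP from any key other than the one
    registered for this user, before it is even sent for validation."""
    public_id = public_id_of(otp)
    registered = REGISTERED_KEYS.get(username)
    if public_id is None or registered is None:
        return False
    return hmac.compare_digest(public_id, registered)


def response_signature(params, api_key_b64):
    """Validation protocol v2.0 signature: HMAC-SHA1 over 'k=v' pairs sorted by
    key and joined with '&' (excluding h), keyed with the decoded API key."""
    message = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), message.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def parse_response(text):
    """Parse the line-oriented key=value body the validation server returns."""
    params = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def validation_response_ok(text, api_key_b64, sent_otp, sent_nonce):
    """Accept a response only if its signature verifies, it echoes the OTP and
    nonce we sent (so an old OK answer cannot be replayed), and status is OK."""
    params = parse_response(text)
    if "h" not in params:
        return False
    if not hmac.compare_digest(params["h"], response_signature(params, api_key_b64)):
        return False
    if params.get("otp") != sent_otp or params.get("nonce") != sent_nonce:
        return False
    return params.get("status") == "OK"


# Constructed sample data: a client API key, an OTP and a nonce.
SAMPLE_API_KEY = base64.b64encode(b"example-client-secret").decode()
SAMPLE_OTP = "cccccccccccb" + "c" * 32
SAMPLE_NONCE = "0123456789abcdef"


def build_sample_response(status="OK", otp=SAMPLE_OTP, nonce=SAMPLE_NONCE):
    """Build a response body the way the server would, for offline testing."""
    params = {"t": "2024-01-01T00:00:00Z0000", "otp": otp, "nonce": nonce,
              "sl": "100", "status": status}
    params["h"] = response_signature(params, SAMPLE_API_KEY)
    return "\n".join(f"{k}={v}" for k, v in params.items()) + "\n"


if __name__ == "__main__":
    print(otp_belongs_to_user(SAMPLE_OTP, "alice"))   # True: her registered key
    print(otp_belongs_to_user(SAMPLE_OTP, "bob"))     # False: someone else's key
    ok = build_sample_response()
    print(validation_response_ok(ok, SAMPLE_API_KEY, SAMPLE_OTP, SAMPLE_NONCE))  # True
```

The order matters: check the binding first, then send the OTP with a fresh nonce, and only trust a status of OK when the signature, OTP and nonce in the reply all match. A reply with a good signature but a different nonce is a stale answer, not proof that this login's OTP was valid.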
So two factor authentication makes your system much stronger and more reliable. It ties access to the device you are in possession of, since it is impossible to log in and access your documents without the key or the device. Alfresco is one of the top document management systems, and this rocking feature of two factor authentication provides sturdy security, the icing on the cake.