Multi Factor Authentication

[urayoan]

Hello everyone. Any ideas or maybe APIs to implement two factor authentication in NetTalk web applications?

Sadly, this needs to be an alternative to SECWIN


Thanks in advance

[Niels Larsen]

Hi
I send an sms to the registered user with a 5 digit code which is used for validation.
I use Vonage API (formerly Nexmo) - it's cheap and very easy to use.

      net.SetAllHeadersDefault()
      net.SetContentType('form')
      net.SetValue('api_key','xxxxxxxx')
      net.SetValue('api_secret','xxxxxxxxxxxxxxxx')
      st.SetValue(clip(pText))
      st.ToUnicode(st:EncodeUtf8,st:CP_WINDOWS_1258)

      net.SetValue('text',st.GetValue())
      net.SetValue('from','Bazic Validation')
      net.SetValue('to',pNummer)
      net.Post('https://rest.nexmo.com/sms/json')

[urayoan]

Thank you very much Neils. I will check

Hi
I send an sms to the registered user with a 5 digit code which is used for validation.
I use Vonage API (formerly Nexmo) - it's cheap and very easy to use.

      net.SetAllHeadersDefault()
      net.SetContentType('form')
      net.SetValue('api_key','xxxxxxxx')
      net.SetValue('api_secret','xxxxxxxxxxxxxxxx')
      st.SetValue(clip(pText))
      st.ToUnicode(st:EncodeUtf8,st:CP_WINDOWS_1258)

      net.SetValue('text',st.GetValue())
      net.SetValue('from','Bazic Validation')
      net.SetValue('to',pNummer)
      net.Post('https://rest.nexmo.com/sms/json')

[Bruce]

hi Ura,

So second factor breaks down to a number of steps;

a) User identifies themself (presumably on the login screen)
b) create a second factor token for them (ie some code). Ideally store the token with some sort of timeout, and of course make sure it's single-use
c) send the token to the user (sms / email / whatever)
d) allow the user to enter the token onto the login screen, along with the user name and password.

Cheers
Bruce

[urayoan]

Thank you Bruce. That would help too.

hi Ura,

So second factor breaks down to a number of steps;

a) User identifies themself (presumably on the login screen)
b) create a second factor token for them (ie some code). Ideally store the token with some sort of timeout, and of course make sure it's single-use
c) send the token to the user (sms / email / whatever)
d) allow the user to enter the token onto the login screen, along with the user name and password.

Cheers
Bruce

[rjolda]

Hi,
What I do is create a temporary login record with the required code and set the time - in a file that is used only for these temporary logins.
I send the code to the user either by sms to cell phone or by E mail to their registered address.
I then have them enter their login and capture that and look at the temporary login record for their name and they enter the required code. I make sure that it is the appropriate code and make sure that the elapsed time from initial record write is <= 10 min.  If all OK, then log them in.  If not, then ask them if they want to get another temporary code and write a new record to the temporary login file.....can track number of login attempts and lock out user if you want!

C_RST           FILE,DRIVER('TOPSPEED'),NAME(rstname),PRE(CRT),CREATE
GUI_KEy           KEY(CRT:guid),PRIMARY,NOCASE !guid key
ACT_KEY           KEY(CRT:acct_ihid),DUP,NOCASE !on acct No
record            RECORD
guid                CSTRING(80)
tdate               LONG
oprator             CSTRING(20) !operator
statuscd            BYTE
tmstamp             LONG !time stamp
email_addr          CSTRING(140) !e mail address
acct_ihid           LONG
place_from          CSTRING(20) !coming from AREG, PROVIDER, ADMINS, ACCTLOG
acct_path           CSTRING(150) !path for acct
Login_name          CSTRING(50) !this is the user login name
loginID             SHORT !this is the login ID for this logon
other1              CSTRING(20)
other2              CSTRING(20)
                  END
                END

Here is some code that I use if the user wants to reset their password - could be the same if they want a code...
Make_EMAIL   ROUTINE 
 !message('making E mail')
  If Access:C_RST.PrimeAutoInc() = Level:Benign
        CRT:guid =  st5.Random()  ! 16 chars by default.
        CRT:statuscd = 0  ! nothing done yet
        CRT:tdate = TODAY()
        CRT:oprator = 'LOGINACCT'
        CRT:tmstamp = clock()
        CRT:email_addr = p_web.GSV('userEmail') ! BAL:L_Email ! lookup
        CRT:acct_ihid =  p_web.GSV('userID') !loc:acct
        CRT:place_from = 'WebLOGINACCT'
        CRT:acct_path = GLO:currPath !  BAR:base_dir
        CRT:Login_name = p_web.GSV('usrlogin') ! user name  login name
        CRT:loginID = p_web.GSV('userID')! acctlog IHID
        CRT:other1 = 'TO BE SENT'
        CRT:other2 =''!
        CRT:person_name = p_web.GSV('usrname')  ! this is their actual name 
        CRT:acct_type = p_web.GSV('LoginFrom')  ! should be A or P
       
       
        access:C_RST.Insert()
        !do SEND_MAIL
        !we need to start a new process to send E Mail on its own thread!!!!
     
        start(SENDEMAIL,25000,CRT:guid)  ! we send the IHID as a string so E Mail will send only this one
    ELSE
        ! message('Could NOT add record to RESET Queue')
       
       
        If Access:C_ERRS.PrimeAutoInc() = Level:Benign
                         CEE:Proc_name = 'APWEB'
                        CEE:Pt_account =  ''
                        CEE:Bus_Acct =  loc:acct
                        CEE:error_no = 30
                        CEE:err_msg = 'Could not write record to PW reset Q: ' & BAL:L_Email
                        CEE:err_level = 6
            CEE:err_text = 'RESET PW ERROR write to file C_RST'
            Access:C_ERRS.Insert()
        !    p_web.CloseFile(C_ERRS)
        END ! If Access:C_ERRS.PrimeAutoInc() = Level:Benign
       
   
   end   ! If Access:C_RST.PrimeAutoInc

Hopefully that gives you some insight.
FWIW,
Ron Jolda

[urayoan]

Thank you very much Ron!