
Using Multi-Factor Authentication (MFA) in S-Filer/Portal™ version 4.15.0.


Features

The latest version of the S-Filer/Portal™ solution introduces multi-factor authentication (MFA). The new feature is not immediately apparent after migrating to version 4.15.0: users can continue using the application exactly as they did before. Adoption of MFA is per user; each user decides whether to add this additional authentication step for added security. Once a user enables MFA, it applies across all communication protocols. The following sections illustrate these impacts.


Implementation of MFA

MFA is enabled through the solution’s user interface. Users wanting to take advantage of this feature can do so from their profile screen. Starting with version 4.15.0, two new submenus are available there: Multi-factor Authentication (MFA) and Access Tokens. Selecting the Multi-Factor Authentication (MFA) option opens a window for configuring MFA with an “Authenticator App” on a phone (TOTP). You must use an application that supports TOTP, such as Microsoft Authenticator or Google Authenticator (there are many other choices), to complete the setup. Once the process is started, a QR code is displayed on the screen; the authenticator application lets you scan it with the camera of your mobile device. Once scanned, a 6-digit numeric code appears in the application on your mobile device. To complete the activation, enter that numeric code into the “Confirmation” box on screen. When MFA is active, you will need to enter the 6-digit code from your authenticator application after each successful password entry.

[Screenshot: MFA setup]

It is also possible to generate an access token through the second new submenu in this version. An access token is an alternative to a regular password. Since it is generated randomly by the solution (instead of chosen by the user) and is very complex, it is considered more secure. This feature exists so that applications that make automatic connections (such as Sanctum clients), which cannot be prompted for a second authentication factor, continue to work even when the user’s account requires MFA. The user can therefore enable MFA on their account and use it when authenticating directly, while configuring their applications to use access tokens and thus authenticate without MFA. Multiple access tokens can be added to a single account so that each application uses a different token. If a token is compromised, it can quickly be revoked by the user or a system administrator.

[Screenshot: Access token setup]

USING MFA IN THE WEB INTERFACE

When MFA is active on a user’s account and they log in through the web interface, the process changes only after successful password entry. At that point an intermediate panel asks the user for a 6-digit code. The user must open their mobile authenticator application and select the entry that matches their S-Filer account to obtain the code. If the code is correct, the user is redirected to the application pages. Note that entering several wrong MFA codes in succession can lock the user’s account.

[Screenshot: MFA in the web interface]


USING MFA WITH SFTP PROTOCOL

The introduction of MFA is not limited to the web interface. If a user profile is configured to use MFA with TOTP, the 6-digit code is also required for SFTP transfers (provided, of course, that a password is used: an access token removes the need for a second authentication factor). The user experience may vary depending on the client used. The functionality is available for both GUI and command line clients. You will need to configure your SFTP client to use “interactive” mode for login, in which username, password and MFA code are requested one after the other during the login process.

[Screenshot: MFA in an SFTP GUI client]

The user experience in command line SFTP clients is similar. Note that these tend to use interactive mode by default and will ask for username, password and MFA code in succession.

[Screenshot: MFA in a command line SCP client]

USING MFA WITH S-FILER COMMAND LINE TOOLS

The sfiler-cli and sfiler-admin-cli command line tools have also been modified to support MFA. With sfiler-cli (the tool used to perform file transfers), if the user has MFA enabled, the 6-digit code must be provided before the transfer starts. As with the other clients and protocols in the solution, access tokens can be used as passwords with the CLIs. When an access token is used, the MFA code is not required even if the user profile is configured to use it.

[Screenshot: MFA with sfiler-cli]
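The authentication rules described above (TOTP second factor after the password, access tokens that replace both password and second factor, revocation of a compromised token, lockout after successive wrong codes) can be modelled in a few lines. This is an added illustration, not S-Filer/Portal™ code: the lockout threshold, the one-step clock-drift window and the plaintext password comparison are assumptions of the example.

```python
import hashlib, hmac, secrets, struct

TOTP_STEP, TOTP_DIGITS = 30, 6   # RFC 6238 defaults; the page's codes are 6 digits
MAX_FAILED_MFA = 5               # assumed lockout threshold; the page gives no number

def totp_code(secret, unix_time):
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // TOTP_STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)

class Account:
    def __init__(self, password, totp_secret=None):
        self.password = password        # a real system stores a hash, not the password
        self.totp_secret = totp_secret  # None until the user enrols TOTP
        self.access_tokens = set()
        self.failed_mfa, self.locked = 0, False

    def issue_access_token(self):
        token = secrets.token_urlsafe(32)   # random and long, never chosen by the user
        self.access_tokens.add(token)
        return token

    def revoke_access_token(self, token):
        self.access_tokens.discard(token)   # compromised token: drop it, password unaffected

def authenticate(acct, credential, mfa_code, now):
    """Return 'ok', 'bad-credential', 'mfa-required', 'bad-mfa' or 'locked'."""
    if acct.locked:
        return "locked"
    if credential in acct.access_tokens:
        return "ok"   # an access token replaces the password AND the second factor
    if not hmac.compare_digest(credential.encode(), acct.password.encode()):
        return "bad-credential"
    if acct.totp_secret is None:
        return "ok"   # user never enabled MFA: login unchanged
    if mfa_code is None:
        return "mfa-required"
    # accept the current window plus one either side to tolerate clock drift
    if not any(hmac.compare_digest(mfa_code, totp_code(acct.totp_secret, now + d))
               for d in (-TOTP_STEP, 0, TOTP_STEP)):
        acct.failed_mfa += 1
        if acct.failed_mfa >= MAX_FAILED_MFA:
            acct.locked = True   # successive wrong codes lock the account
            return "locked"
        return "bad-mfa"
    acct.failed_mfa = 0
    return "ok"
```

`totp_code` reproduces the RFC 6238 SHA-1 test vectors, so a code scanned from the same secret into Google or Microsoft Authenticator would validate here.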

The sfiler-admin-cli also requires the 6-digit code if the user has enabled the feature in their profile. This release also adds new commands for managing MFA:

  • add-auth-factor-access-token, which creates an access token for a user.
  • delete-auth-factor-access-token, which removes access tokens for a user.
  • delete-auth-factor-totp, which deletes the MFA (TOTP) configuration for a user.
  • list-auth-factor-access-token, which lists the access tokens for a user.

Use the --help (-h) parameter to get the details of all possible parameters and options for each of the commands offered by the solution CLIs.


USING MFA WITH THE REST API

The REST API has been enhanced to provide the same functionality as the user interface. A series of new services are offered to manage MFA (TOTP) and access tokens, so user configuration can be automated through the REST API. As with the entire REST API, you are encouraged to consult the documentation available directly from your S-Filer instance:
https://[server_url]/sfiler/server/api/docs/

The auth services are intended to make authentication-related calls:

  • POST: /auth/change-password
  • POST: /auth/mfa/totp/validate-code

The users services are intended to enable authentication factor management for users:

  • POST: /users/{id}/auth-factors/access-tokens
  • GET: /users/{id}/auth-factors/access-tokens
  • DELETE: /users/{id}/auth-factors/access-tokens
  • GET: /users/{id}/auth-factors/access-tokens/{accessTokenId}
  • DELETE: /users/{id}/auth-factors/access-tokens/{accessTokenId}
  • POST: /users/{id}/auth-factors/totp
  • GET: /users/{id}/auth-factors/totp
  • DELETE: /users/{id}/auth-factors/totp
  • GET: /users/{id}/auth-factors/totp/{totpId}
  • DELETE: /users/{id}/auth-factors/totp/{totpId}
  • POST: /users/{id}/auth-factors/totp/{totpId}/complete
