PUISSOEXIT token signon

Use this board to ask questions or have discussions with other Genie users.
Post Reply
duncanchan0522
New User
Posts: 3
Joined: Fri Jan 04, 2019 6:42 am
First Name: Duncan
Last Name: Chan
Company Name: Universal Music Ltd
Contact:

PUISSOEXIT token signon

Post by duncanchan0522 »

Dear Support,

Is it possible to use Two-Factor Authentication tools like "DUO", for the login validation when a user using the token sign-on method?
like the system will send the user a "push" validation when the user accesses the genie URL with a token. is it doable?

Best regards,
Duncan
Scott Klement
Experienced User
Posts: 2711
Joined: Wed Aug 01, 2012 8:58 am
First Name: Scott
Last Name: Klement
Company Name: Profound Logic
City: Milwaukee
State / Province: Wisconsin

Re: PUISSOEXIT token signon

Post by Scott Klement »

I have not used DUO.

I know that it is possible to use two-factor authentication... I've done it using plain green-screen techniques (such as routing entries.)

PUISSOEXIT allows you to write your own method of doing authentication. I'm having a hard time understanding how you'd use this for 2FA? Please remember that I'm not familiar with your code or your application. If I had to guess, you've written your own application (maybe a web app with something like Node.js PHP, CGIDEV2, or PUI's Universal Displays) that does the authentication and saves a secure token into a database, then launches PUISSOEXIT and passes the token to it, and your PUISSOEXIT reads that token? Is that right?

It seems like a lot of extra work if all you wanted was 2FA.

If it were me, I wouldn't use PUISSOEXIT for 2FA, I'd use a routing entry. That way the normal IBM i userid/password would still do the basic sign on, but you'd prompt for the 2FA code after they signed on (and disconnect them if they can't provide it.) This way you don't have to fool around with using PUISSOEXIT to bypass the signon.
duncanchan0522
New User
Posts: 3
Joined: Fri Jan 04, 2019 6:42 am
First Name: Duncan
Last Name: Chan
Company Name: Universal Music Ltd
Contact:

Re: PUISSOEXIT token signon

Post by duncanchan0522 »

Hi Scott,

Thank you for your quick response.

We have an authorization system that using Genie, RPG, javascript with normal IBM I user id /password basic sign-on, once a requestor submitted a request, the approver will receive an approval request email with a URL from the system.

We are thinking to add the token function to the approval email's URL, the approvers can easier access the system without sign-on with user id and password, however, there are security issues if anyone who got the URL will be able to access it with the approver identity. 2FA is the one that we are considering, do there are any proper ways to secure the log-on token procedure?

Best regards,
Duncan
Scott Klement
Experienced User
Posts: 2711
Joined: Wed Aug 01, 2012 8:58 am
First Name: Scott
Last Name: Klement
Company Name: Profound Logic
City: Milwaukee
State / Province: Wisconsin

Re: PUISSOEXIT token signon

Post by Scott Klement »

It sounds like you have a very customized setup, it is different from anything I've done before.

Off the top of my head, I think I'd make it work like this:
  1. Your custom auth program would create the key and put it into a database on IBM i. (Or some similar mechanism, but would mark it with a special code that means "You must do 2FA before using this." The PUISSOEXIT would understand not to allow these codes until the 2FA is done.
  2. The e-mail does not link directly to Genie, but links to a custom program. This custom program does the 2FA process, and if all is well, it can change the database to say that the auth code is now available.
  3. The same program from step 2, will send a redirect to cause the browser to go to Genie with the auth token.
  4. If all is well, PUISSOEXIT will let the user in.
That's just off the top of my head, and I haven't thought about it too much. Obviously, you'd need to make sure you do serious testing to make sure there aren't any security flaws.

With a system like this it would be important for PUISSOEXIT to only allow the auth token to be used one time. After that, they'd need to get a new one... otherwise, someone could still use an old token to login.
Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest