Dear Support,
Is it possible to use Two-Factor Authentication tools like "DUO", for the login validation when a user using the token sign-on method?
like the system will send the user a "push" validation when the user accesses the genie URL with a token. is it doable?
Best regards,
Duncan
PUISSOEXIT token signon
-
duncanchan0522
- New User
- Posts: 3
- Joined: Fri Jan 04, 2019 6:42 am
- First Name: Duncan
- Last Name: Chan
- Company Name: Universal Music Ltd
- Contact:
-
Scott Klement
- Experienced User
- Posts: 2711
- Joined: Wed Aug 01, 2012 8:58 am
- First Name: Scott
- Last Name: Klement
- Company Name: Profound Logic
- City: Milwaukee
- State / Province: Wisconsin
Re: PUISSOEXIT token signon
I have not used DUO.
I know that it is possible to use two-factor authentication... I've done it using plain green-screen techniques (such as routing entries.)
PUISSOEXIT allows you to write your own method of doing authentication. I'm having a hard time understanding how you'd use this for 2FA? Please remember that I'm not familiar with your code or your application. If I had to guess, you've written your own application (maybe a web app with something like Node.js PHP, CGIDEV2, or PUI's Universal Displays) that does the authentication and saves a secure token into a database, then launches PUISSOEXIT and passes the token to it, and your PUISSOEXIT reads that token? Is that right?
It seems like a lot of extra work if all you wanted was 2FA.
If it were me, I wouldn't use PUISSOEXIT for 2FA, I'd use a routing entry. That way the normal IBM i userid/password would still do the basic sign on, but you'd prompt for the 2FA code after they signed on (and disconnect them if they can't provide it.) This way you don't have to fool around with using PUISSOEXIT to bypass the signon.
I know that it is possible to use two-factor authentication... I've done it using plain green-screen techniques (such as routing entries.)
PUISSOEXIT allows you to write your own method of doing authentication. I'm having a hard time understanding how you'd use this for 2FA? Please remember that I'm not familiar with your code or your application. If I had to guess, you've written your own application (maybe a web app with something like Node.js PHP, CGIDEV2, or PUI's Universal Displays) that does the authentication and saves a secure token into a database, then launches PUISSOEXIT and passes the token to it, and your PUISSOEXIT reads that token? Is that right?
It seems like a lot of extra work if all you wanted was 2FA.
If it were me, I wouldn't use PUISSOEXIT for 2FA, I'd use a routing entry. That way the normal IBM i userid/password would still do the basic sign on, but you'd prompt for the 2FA code after they signed on (and disconnect them if they can't provide it.) This way you don't have to fool around with using PUISSOEXIT to bypass the signon.
-
duncanchan0522
- New User
- Posts: 3
- Joined: Fri Jan 04, 2019 6:42 am
- First Name: Duncan
- Last Name: Chan
- Company Name: Universal Music Ltd
- Contact:
Re: PUISSOEXIT token signon
Hi Scott,
Thank you for your quick response.
We have an authorization system that using Genie, RPG, javascript with normal IBM I user id /password basic sign-on, once a requestor submitted a request, the approver will receive an approval request email with a URL from the system.
We are thinking to add the token function to the approval email's URL, the approvers can easier access the system without sign-on with user id and password, however, there are security issues if anyone who got the URL will be able to access it with the approver identity. 2FA is the one that we are considering, do there are any proper ways to secure the log-on token procedure?
Best regards,
Duncan
Thank you for your quick response.
We have an authorization system that using Genie, RPG, javascript with normal IBM I user id /password basic sign-on, once a requestor submitted a request, the approver will receive an approval request email with a URL from the system.
We are thinking to add the token function to the approval email's URL, the approvers can easier access the system without sign-on with user id and password, however, there are security issues if anyone who got the URL will be able to access it with the approver identity. 2FA is the one that we are considering, do there are any proper ways to secure the log-on token procedure?
Best regards,
Duncan
-
Scott Klement
- Experienced User
- Posts: 2711
- Joined: Wed Aug 01, 2012 8:58 am
- First Name: Scott
- Last Name: Klement
- Company Name: Profound Logic
- City: Milwaukee
- State / Province: Wisconsin
Re: PUISSOEXIT token signon
It sounds like you have a very customized setup, it is different from anything I've done before.
Off the top of my head, I think I'd make it work like this:
With a system like this it would be important for PUISSOEXIT to only allow the auth token to be used one time. After that, they'd need to get a new one... otherwise, someone could still use an old token to login.
Off the top of my head, I think I'd make it work like this:
- Your custom auth program would create the key and put it into a database on IBM i. (Or some similar mechanism, but would mark it with a special code that means "You must do 2FA before using this." The PUISSOEXIT would understand not to allow these codes until the 2FA is done.
- The e-mail does not link directly to Genie, but links to a custom program. This custom program does the 2FA process, and if all is well, it can change the database to say that the auth code is now available.
- The same program from step 2, will send a redirect to cause the browser to go to Genie with the auth token.
- If all is well, PUISSOEXIT will let the user in.
With a system like this it would be important for PUISSOEXIT to only allow the auth token to be used one time. After that, they'd need to get a new one... otherwise, someone could still use an old token to login.
Who is online
Users browsing this forum: No registered users and 3 guests