2FA using Own Development in NodeJS
In a previous article we talked about Swivel as an external tool for adding 2FA to our Scriptcase applications; however, it is also possible to use a less elaborate, in-house development.
In this example, a two-factor authentication system was developed in NodeJS that supports not only a one-time code (OTC, a soft token) but also a physical device (hard token), in this particular case one from FEITIAN's FIDO family (https://www.ftsafe.com/products/FIDO). The OTC can be generated, for example, with Google Authenticator.
This document focuses on how Scriptcase consumes those services. Although the implementation is in-house, special care was taken with its interfaces, which are clearly documented for each of the client options: PHP, .Net and Angular.
In the PHP documentation, we were given the following information:
auth2factor PHP Integration SDK
- sudo apt-get install php5-curl
- sudo apt-get install composer
Firebase JWT is used to sign requests with HMAC. If you do not use Composer, copy the Firebase JWT library into your solution.
Set up the hostname, API key and secret:
$HOST = "https://localhost";
$API_KEY = "…";
$API_SECRET = "…";
$a2f_client = new auth2factor($HOST, $API_KEY, $API_SECRET);
Returns a temporary login token, used to request an OTC/U2F verification:
$tokens = $a2f_client->delegate("firstname.lastname@example.org");
$req_token = $tokens["x-app-sign-request"];
$u2f_req = $tokens["x-u2f-sign-request"];
Verifies the OTC. Returns a bearer token, otherwise false:
$sid = $a2f_client->validate_otc("…temporary token", "001122");
Verifies U2F. Returns a bearer token, otherwise false. Must be called once the client has successfully signed with u2f.sign:
$client_data = "eyJ0eXAiO…";
$signature_data = "AQAAADUw…";
$sid = $a2f_client->validate_u2f("…temporary token", $client_data, $signature_data);
Requests a U2F challenge to initiate key registration:
$challenge = $a2f_client->request_challenge("a valid bearer token");
Registers a U2F security key. Must be called once u2f.register returns successfully:
$client_data = "eyJ0eXAiO…";
$registration_data = "AQAAADUw…";
$a2f_client->register_key("a valid bearer token", $client_data, $registration_data);
FIDO U2F – Enrollment
Once authenticated, the user goes to the account configuration in the solution and is offered the option to enroll a key.
- Obtain a U2F challenge: API request_challenge
- Call the client library u2f.register with the challenge and request the signature
- If it proceeds, the key is inserted
- On success, the confirmation is stored through register_key.php: API register_key
FIDO U2F – Authentication
This applies if the user has keys registered in the domain where they were authenticated in the first step.
- Get the set of sign requests
- Call the client library u2f.sign with the sign requests and request the signature
- The key is then inserted
- The signature is validated in sign_key.php and a bearer token is obtained: API validate_u2f
Include the minified libraries:
- Axios for AJAX / REST: axios.min.js
- Axios configuration: axios-config.js
- U2F: u2f-api.js
- U2F utilities: u2f-utils.js
Based on the above, the following macro algorithm was analyzed and defined; the program should:
- Define the connection parameters.
- With the user logged in through the first authentication (email), connect to the server to request a token.
- Upon receipt of the token, request the OTC from the user.
- Send the OTC.
- Receive the response indicating whether the second authentication is authorized or not.
- If successful, redirect the application to the Menu.
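The OTC branch of this macro algorithm, as an added PHP example that is not part of the article or of the auth2factor SDK; it uses only the SDK methods documented above (the constructor, delegate and validate_otc) and assumes that the first factor left the user's email in $_SESSION['email'], that the SDK class lives in auth2factor.php, and that the API key and secret come from environment variables. Beyond the listed steps it shows the checks a practitioner would add: the temporary token stays server side, the SDK result is compared strictly with false, and the step is abandoned after a few wrong codes.

```php
<?php
// Added example (not from the article): the OTC branch of the macro
// algorithm, built on the documented SDK methods delegate() and
// validate_otc(). File names, session keys and the attempt limit are
// assumptions made for this illustration.
require_once __DIR__ . '/vendor/autoload.php';   // Firebase JWT via Composer
require_once __DIR__ . '/auth2factor.php';      // SDK class, as documented above

const MAX_OTC_ATTEMPTS = 5;   // assumed policy: give up after 5 wrong codes

session_start();

$a2f_client = new auth2factor('https://localhost',
                              getenv('A2F_API_KEY'), getenv('A2F_API_SECRET'));

// Step 1: after the first-factor login, request the temporary token
// and keep it server side only; the browser never sees it.
function begin_second_factor(auth2factor $client, string $email): void
{
    $tokens = $client->delegate($email);
    $_SESSION['a2f_req_token'] = $tokens['x-app-sign-request'];
    $_SESSION['a2f_attempts']  = 0;
}

// Step 2: validate the submitted OTC. Returns the bearer token or null.
function finish_second_factor(auth2factor $client, string $otc): ?string
{
    if (empty($_SESSION['a2f_req_token'])) {
        return null;                             // nothing pending: redo step 1
    }
    if (++$_SESSION['a2f_attempts'] > MAX_OTC_ATTEMPTS) {
        unset($_SESSION['a2f_req_token']);       // discard the token; log in again
        return null;
    }
    $otc = preg_replace('/\D/', '', $otc);       // the code is digits only, e.g. "001122"
    $sid = $client->validate_otc($_SESSION['a2f_req_token'], $otc);
    if ($sid === false) {                        // strict: the SDK returns a token or false
        return null;
    }
    unset($_SESSION['a2f_req_token']);           // the temporary token is single-use
    session_regenerate_id(true);                 // fresh session id once fully authenticated
    $_SESSION['a2f_bearer'] = $sid;
    return $sid;
}

// Dispatch: the form posts either nothing yet (step 1) or the code (step 2).
if (isset($_POST['otc'])) {
    if (finish_second_factor($a2f_client, $_POST['otc']) !== null) {
        header('Location: /menu.php');           // redirect to the Menu, as in the last step
        exit;
    }
    http_response_code(401);
    echo 'Second factor rejected';
} elseif (!empty($_SESSION['email'])) {
    begin_second_factor($a2f_client, $_SESSION['email']);
    echo 'Enter the code from your authenticator';
}
```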
I hope these 3 articles on the interesting topic of 2FA have been useful to you; whatever method you choose, don't forget to always review the documentation, run tests and only then implement it in Scriptcase.