two-factor authentication

Hi, has anyone implemented two-factor authentication in Scriptcase? I’m already using the LDAP security module. I’d like to add another layer of security, in my case, using a service such as Google Authenticator or https://duo.com

Thank you

Yes, I have created an option of sending an email with an additional code, and connected a login to a service provider that sends SMS text. In general it’s not that difficult as you can integrate APIs pretty easily…

Yes, I think I overthought the whole thing at first. I managed to get it done by adding a blank application and utilizing external libraries. :cool:

Hi bwalugo, any chance of sharing, am curious to know what you set as an alternative :slight_smile:

sure, I’m using duo (https://duo.com/docs/duoweb)

here’s a pseudocode explanation of the setup:

I set up a simple control application, basically to duplicate a login form. In events - onValidateSuccess, you put an sc_redir call to a blank application.
I also set up external libraries (tools >> external libraries); I put the duo library there.

here’s how I set up the blank application, in onExecute:

define all the duo keys
define duo host
sc_include_library() - this is to pull in the duo library I set up in external libraries
check if $_POST duo response is set
    if set, verify the response,
        if success, continue to protected content.
        if fail, do nothing or you can redirect back to login page
    if not set, display duo iframe

I hope that helps, shoot me a message if you need more details.

Hello bwalujo,
Can you explain and show me some code to implement duo on scriptcase?

thank you

Hello,

I have a problem: when I run the blank application with the duo code it works fine, but if I run it from app_login an invalid data error appears.

Can you help me?

Hi there, basically I created a blank application with all the duo post code, I also used sc_include_library() for the duo website (I think this was the code, https://github.com/duosecurity/duo_php)

A snippet of the code in my duo blank application:


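if (isset($_POST['sig_response'])) {
    // verifyResponse() returns the username from the signed response, or null if verification fails
    $resp = Duo\Web::verifyResponse(IKEY, SKEY, AKEY, $_POST['sig_response']);
    // compare against [user] (Scriptcase global-variable bracket syntax)
    if ($resp === [user]) {
        sc_redir('menu');
    }
}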

I redirect to this duo blank application from onValidateSuccess event in app_login.php

Finally it worked by activating the direct call by url in the blank application.
Thanks
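
An added example, not code from any poster in this thread or from Duo or Scriptcase: the session checks that belong around the login app and blank application flow described above, so that opening the blank application or the menu directly by URL cannot skip a factor. It is plain PHP so it runs outside Scriptcase; the function names, session keys and stub verifier are assumptions, and in the blank application the verifier would be the Duo\Web::verifyResponse call shown above.

```php
<?php
// Step 1 (login app, onValidateSuccess): remember who passed the first factor.
function begin_second_factor(array &$session, string $user): void
{
    $session['mfa_pending_user'] = $user;
    $session['mfa_ok'] = false;
    unset($session['user']);               // drop any stale full login
}

// Step 2 (blank app, onExecute): returns the next action for the caller.
// $verify stands in for Duo\Web::verifyResponse with the keys already bound;
// it must return the verified username or null.
function handle_duo_step(array &$session, array $post, callable $verify): string
{
    $pending = $session['mfa_pending_user'] ?? null;
    if ($pending === null) {
        return 'login';                    // opened by URL without passing step 1
    }
    if (!isset($post['sig_response']) || !is_string($post['sig_response'])) {
        return 'show_iframe';              // no answer yet: render the Duo prompt
    }
    $user = $verify($post['sig_response']);
    unset($session['mfa_pending_user']);   // one attempt per first-factor login
    if ($user !== null && $user === $pending) {
        $session['mfa_ok'] = true;
        $session['user'] = $user;
        return 'menu';
    }
    return 'login';                        // bad signature or a response for another user
}

// Every protected application calls this before rendering anything.
function is_fully_authenticated(array $session): bool
{
    return ($session['mfa_ok'] ?? false) === true && isset($session['user']);
}

// Constructed demo: the stub verifier accepts one sample value only.
$stub = fn(string $sig) => $sig === 'constructed-valid-for-alice' ? 'alice' : null;
$s = [];
var_dump(handle_duo_step($s, [], $stub));      // direct URL call, no first factor
begin_second_factor($s, 'bob');                // bob passes LDAP, replays alice's response
var_dump(handle_duo_step($s, ['sig_response' => 'constructed-valid-for-alice'], $stub));
var_dump(is_fully_authenticated($s));          // protected page after the failed attempt
begin_second_factor($s, 'alice');              // normal flow
var_dump(handle_duo_step($s, [], $stub));
var_dump(handle_duo_step($s, ['sig_response' => 'constructed-valid-for-alice'], $stub));
var_dump(is_fully_authenticated($s));
```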

Did you guys manage to authenticate users via automatic push notification to smartphones?
I.e. prompt users to approve or deny the login request with a simple tap or fingerprint on the smartphone.
I have a working implementation of a two-factor authentication using TOTP (not with DUO) that must be manually read on the smartphone and inserted on my application login page, but I’d really like to use push notifications