Hello,
I have not gone through User Security Manager and its documentation **yet **but I've been asked to add Two Factor Authentication to our webconnection application, and preferably by sending code to smart phones, all new to me!
Would you please let me know if this is something practical and if there's any guidance on how to start and implement?
Thank you in advance,
Kathy
There's no native support for two-factor auth in Web Connection or the User Security manager. Setting up two factor auth requires a separate validation mechanism and some sort of service that can send SMS messages (or possibly using an auth service like Microsoft Authenticator or Authy).
I would be careful about going down the SMS path because there serious privacy issues involved and I think in the next few years using SMS as a verification mechanism is going to likely go away because of it.
If you do go down this route it might be worthwhile to look into some of the authentication services that are available like Auth0 but even with a service like this the process is very complex.
Unfortunately I don't have a good answer for you - authentication is something that is difficult to do on any platform and especially on FoxPro because we don't even have the basic infrastructure built in. Web Connection provides all the HTTP basics needed, but we don't have all the oAuth functionality for token processing and the back and forth flow of callback messages that are required. It's possible but it's a lot of code that needs to be manually written and figured out.
I personally have not done this with Web Connection. I have with .NET and even with the infrastructure built-in it was not an easy task...
+++ Rick ---
Thank you so much for your precious advice.
I know it's way above me now but I'm asking this to answer my curiosity, so is it possible to go for oAuth and .Net approach and some how add the feature to the webconnection application using the magic of wwDotNetBridge?
Hi again Rick,
I'm just back from FoxCon where I heard about U2F and its libraries for the first time.
I know this may sound too much but would you see any possibility of adding it (or something similar to it) to Webconnect in future?
Or I'm way off 😃
Thanks,
Kathy
This standard is very new and there are very few tools available to work for it to date. I think only Chrome currently supports the hardware interfaces to USB keys and honestly I don't see this having a large impact any time soon. I took a quick look at the libraries available to do this, and they are super low level server implementations that deal with device level interfaces. In order to do this in Web Connection some sort of interface library would be required.
So the short answer is - no this won't become part of Web Connection unless it becomes a lot more popular with better library support from bigger server framework vendors.
+++ Rick ---
Sorry for this late reply.
Thank you so much for looking into it and letting us know.
Kathy
I just happened to see this thread as I was looking for ways to do 2FA form within VFP code. Here's one way to do it: https://www.tek-tips.com/faqs.cfm?fid=7888
Another way by using the (excellent) Chilkat library: https://www.example-code.com/foxpro/google_authenticator_algorithm.asp
Both approaches work. The additional code you need to write is the part where you capture and store Google Authenticator's secret key, but that's pretty trivial.
Happy authenticating!
Thank you so much for the helpful information.
I will definitely look into both approaches as they sound promising and useful for many cases.
Regards,
Kathy
Thanks to Rick and Pertti for the hints and links.
I would appreciate any ideas on this.
So, I'm thinking of calling Google Authenticator API for creating individual RQcode and asking the user to register it on the phone and then validating the autogenerated verification code/s received on the phone, again by the API call.
Best,
Kathy
Hello Rick,
I apologize to bug you for this again but would you please take a look at the message above?
Any idea of yours would be much appreciated.
Thanks,
Kathy
Sorry I don't have any more help I can give on this... nothing else I can add to this conversation.
+++ Rick ---
My apologies for this Rick.
I think the amazing wwHTTP is already working nicely with Google Authenticator app APIs.
Looks like a promising solution for my current need.
Thanks to you and wonderful West Wind tools,
Kathy
Maybe when you get it working you can share it with the rest of us 😄
Write it up in Markdown Monster (or other Markdown Editor) and paste it into a message here.
+++ Rick ---
Thank you for taking your time looking into this.
I know this is probably not one of the best options but if you say it could be considered and that I'm not way off, it'll be good enough for now.
I'm afraid I've not been lucky enough to learn more about Markdown yet but here I can share parts of my sandbox in FoxPro format.
The example below should work on your phones (I hope).
The idea came after seeing this page: http://authenticatorapi.com and the 2 API calls for paring and validating.
So, I'm thinking of creating a unique QRcode for each user by calling the first API and then send it to them during the user setup, so I think this could be a one time setup for each user (please correct me if you think I'm wrong).
In the example below I assume I'm sending the QRcode in a Html format and they can scan it after clicking on the "Pair" button:
*************************************************
*** 2FA Test - Create a unique QRcode for each user ***
*************************************************
DO wwHttp
lcPairingResult = ""
lcValidationRe1sult = ""
lcUser = "John_Smith" && Could be user full name for instance.
lcUserID = "0000000001" && Unique ID
lcUserSecretKey = "0%$secret@#$" && Could be also unique
lcSecretCode = lcUserSecretKey + lcUserID && Unique for each user.
cOldSetSafety = SET("SAFETY")
SET SAFETY OFF
lcParingUrl = "https://www.authenticatorApi.com/pair.aspx" + "?AppName=My_Application&AppInfo=My Application for_" + lcUser + "&SecretCode=" + lcSecretCode
loHTTP=CREATEOBJECT("wwHttp")
loHttp.cHttpVerb = "GET"
loHttp.nHttpPostMode = 4
loHttp.cContentType = "application/x-www-form-urlencoded"
loHttp.addheader("Cache-Control","no-cache")
lcPairingResult = loHTTP.HTTPGet(lcParingUrl)
TEXT TO lcQRcode_Pairing
<!DOCTYPE html>
<html>
<title>W3.CSS</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="https://www.w3schools.com/w3css/4/w3.css">
<body>
<div class="w3-container">
<h2>W3.CSS Modal</h2>
<button onclick="document.getElementById('Modal_Pairing_div').style.display='block'" class="w3-button w3-black">Pair</button>
<div id="Modal_Pairing_div" class="w3-modal">
<div class="w3-modal-content">
<div class="w3-container">
<span onclick="document.getElementById('Modal_Pairing_div').style.display='none'" class="w3-button w3-display-topright">×</span>
<p> <<lcPairingResult>> </p>
</div>
</div>
</div>
</div>
</body>
</html>
ENDTEXT
lcQRcode_Pairing = TEXTMERGE(lcQRcode_Pairing)
= STRTOFILE(lcQRcode_Pairing, "D:\QRcode_Pairing.html",.F.)
SET SAFETY &cOldSetSafety
*** Now show QRcode.html to the user for scanning by phone.
RETURN
So, they need to install Google Authenticator App on their phones and then register my app by scanning their unique QRcode which could be done by adding account in Google Auth. like this:
and then clicking on the "Pair" button on their html page and scannig:
The app should be registered for this specific user on his phone (I hope) and if he clicks on at any given time, he's provided with a verification code that is valid for a limited time.
So, from my application side, I should also be able to ask the user to enter a verification code at any give time:
and then I can validate it by calling the second API while lcPin is the verification code entered by the user and of course the lcSecretCode should be exactly the same that was used for pairing this user:
*************************************************
*** 2FA Test - Validate the entered verification code ***
*************************************************
lcValidationUrl = "https://www.authenticatorApi.com/Validate.aspx" + "?Pin=" + lcPin + "&SecretCode=" + lcSecretCode
lcValidationResult = loHTTP.HTTPGet(lcValidationUrl)
Return lcValidationResult && Returns either True or False
If the validation result is True the user can move on through my application and vice versa.
So, would you think if this approach could be a valid option?
I was also thinking of Duo, Twilio, etc. but this one seems to be easier to use.
But as always, I would appreciate any correction or suggestion.
Kathy