| Page Properties | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
...
I would like to give as much flexibility as possible to the users and system administrator to allow for a flawless authentication without much hassle - we would allow the system administrator to select the delivery method of the one time passwords. Currently it is planned to support delivery via SMS / Email but the system should be made so it could be easily extended to support time-based one-time passwords(RFC 6238).
Project details
Two-factor authentication workflow
User authenticates via basic auth / Oauth2
If successful, field(“isTwoFactorAuthenticationRequired”) indicates whether 2FA is enabled
If 2FA is enabled, the client sends a request to get a list of available delivery methods to authenticated user(see Getting a list of delivery methods)
The client sends a request to to generate & send OTP via their selected method(see Requesting OTP)
OTP token is generated and saved in-memory
Token is sent via SMS/Email bridge
Information returned: OTP delivery method, delivery destination(email / phone number), OTP validity period
User has at most one active OTP request. If another OTP is requested, all previous OTP requests are invalidated
User receives token and the client sends it to an endpoint to validate it (see Validating OTP)
If token is valid and hasn’t expired
Information returned: access token, access token expiry time
User sends the access token as a header(Fineract-Platform-TFA-Token) on every request
User is allowed to have multiple two-factor access tokens:
Can support multiple devices
- Client invalidates access token on logout / session end.(see Invalidating Access Token)
Fineract Implementation Details
...
| Name | Type | Default Value | Description | Notes |
|---|---|---|---|---|
| otp-delivery-sms-enable | boolean | true | Whether to enable the email delivery method | Email delivery uses Email External Service configurations for mail sending. Please configure SMTP details before using email OTP delivery. See External Services. |
| otp-delivery-email-subject | string | Fineract Two-Factor Authentication Token | Email subject - supports template data | |
| otp-delivery-email-body | string | Hello {{username}}.\n\nYour OTP login token is {{token}}. | Email body - supports template data | |
| Sms | ||||
| otp-delivery-sms-enable | boolean | false | Whether to enable the email delivery method | SMS OTP delivery requires messaging gateway and SMS external service configured. |
| otp-delivery-sms-provider | int | 1 | SMS provider ID | |
| otp-delivery-sms-text | string | Your authentication token for Fineract is {{token}}. | SMS text - supports template data | |
| Tokens | ||||
| otp-token-length | int | 5 | character length of the OTP | |
| otp-token-live-time | int | 300 | validity time of the OTP request in seconds | |
| access-token-live-time | int | 86400 | validity time of standard access token in seconds | |
| access-token-live-time-extended | int | 604800 | validity time of extended access token in seconds | |
Message parameters support template data. List of supported template parameters:
- username, email, mobileno(if user has mobileno)
- firstname, lastname
- token, tokenlivetime
- requestdate, requesttime
- expiredate, expiretime
API Endpoints
There are 3 endpoints that serve two-factor authentication requests:
...
| Example Request | Example Response |
|---|---|
POST /api/v1/twofactor/validate?token=YYYYY Arguments:
| |
Invalidating Access Token
| Anchor | ||||
|---|---|---|---|---|
|
Invalidates an active access token.
Requires fully authenticated user.
| Example Request | Example Response |
|---|---|
POST /api/v1/twofactor/invalidate | |
| Anchor | ||||
|---|---|---|---|---|
|
...