GSoC 2017 - Two-Factor Authentication

Target release
Project status	COMPLETED
Document status	DRAFT
Document owner	Alex Ivanov

Overview

The goal of the project is to implement Two-Factor authentication for Fineract and add support for 2FA to the community-app and the Android client. With two-factor authentication enabled the system administrator will have the ability to configure how one time passwords are sent to the user - either via Email or SMS. The integration of two-factor authentication would improve the security of Fineract and its users.

During the project I will implement support for two-factor authentication into Fineract. The workflow of the process of generating and using one time passwords is described below. The existing supported front-end application(the community-app and the Android app) will be updated to support 2FA.

I would like to give as much flexibility as possible to the users and system administrator to allow for a flawless authentication without much hassle - we would allow the system administrator to select the delivery method of the one time passwords. Currently it is planned to support delivery via SMS / Email but the system should be made so it could be easily extended to support time-based one-time passwords(RFC 6238).

Project details

Two-factor authentication workflow

User authenticates via basic auth / Oauth2
If successful, field(“isTwoFactorAuthenticationRequired”) indicates whether 2FA is enabled
If 2FA is enabled, the client sends a request to get a list of available delivery methods to authenticated user(see Getting a list of delivery methods)
The client sends a request to to generate & send OTP via their selected method(see Requesting OTP)

OTP token is generated and saved in-memory
Token is sent via SMS/Email bridge
Information returned: OTP delivery method, delivery destination(email / phone number), OTP validity period
User has at most one active OTP request. If another OTP is requested, all previous OTP requests are invalidated

User receives token and the client sends it to an endpoint to validate it (see Validating OTP)

If token is valid and hasn’t expired
Information returned: access token, access token expiry time

User sends the access token as a header(Fineract-Platform-TFA-Token) on every request
User is allowed to have multiple two-factor access tokens:
1. Can support multiple devices
Client invalidates access token on logout / session end.(see Invalidating Access Token)

Fineract Implementation Details

Enabling Two-Factor Authentication

Two-Factor Authentication can be enabled by adding an active twofactor profile to Fineract(e.g. in application.properties or with a start parameter). -Ptwofactor=enabled parameter can be used with Gradle build job.

Bypassing two-factor authentication

Users that are granted the BYPASS_TWOFACTOR can bypass two-factor authentication. The permission has to be granted explicitly. User with ALL_FUNCTIONS permission but without BYPASS_TWOFACTOR would still be required to authenticate.

Configuration

Delivery methods and token parameters are configurable. Configuration is done via the configuration endpoint.

List of configuration parameters:

Name	Type	Default Value	Description	Notes
Email
otp-delivery-sms-enable	boolean	true	Whether to enable the email delivery method	Email delivery uses Email External Service configurations for mail sending. Please configure SMTP details before using email OTP delivery. See External Services.
otp-delivery-email-subject	string	Fineract Two-Factor Authentication Token	Email subject - supports template data
otp-delivery-email-body	string	Hello {{username}}.\n\nYour OTP login token is {{token}}.	Email body - supports template data
Sms
otp-delivery-sms-enable	boolean	false	Whether to enable the email delivery method	SMS OTP delivery requires messaging gateway and SMS external service configured. See Message Gateway Configuration - using a twilio account, SMS Campaigns.
otp-delivery-sms-provider	int	1	SMS provider ID
otp-delivery-sms-text	string	Your authentication token for Fineract is {{token}}.	SMS text - supports template data
Tokens
otp-token-length	int	5	character length of the OTP
otp-token-live-time	int	300	validity time of the OTP request in seconds
access-token-live-time	int	86400	validity time of standard access token in seconds
access-token-live-time-extended	int	604800	validity time of extended access token in seconds

Message parameters support template data. List of supported template parameters:

username, email, mobileno(if user has mobileno)
firstname, lastname
token, tokenlivetime
requestdate, requesttime
expiredate, expiretime

API Endpoints

There are 3 endpoints that serve two-factor authentication requests:

/twofactor - OTP operations
/twofactor/validate - access token generation
/twofactor/configure - configuration

Getting delivery methods

Returns a list of possible OTP delivery methods for the current user

Requres first-factor authenticated user.

Example Request	Example Response
GET /api/v1/twofactor	`[ { "name": "sms", "target": "08888888888" }, { "name": "email", "target": "user@example.com" } ]`

Requesting OTP

Requests an OTP.

Requres first-factor authenticated user.

Example Request Example Response

POST /api/v1/twofactor?deliveryMethod=sms&extendedToken=false

Arguments:

deliveryMethod(string) - name of delivery method
extendedToken(boolean) - optional, whether to request an extended token, default false

{
    "requestTime": 1500000000000,
    "tokenLiveTimeInSec": 300,
    "extendedAccessToken": false,
    "deliveryMethod": {
        "name": "sms",
        "target": "08888888888"
    }
}

Validating OTP

Validates an OTP. If the OTP is valid, an access token is created.

The returned access token is later sent as a header Fineract-Platform-TFA-Token.

Requres first-factor authenticated user.

Example Request Example Response

POST /api/v1/twofactor/validate?token=YYYYY

Arguments:

token(string) - mandatory, the OTP to validate

{
    "token": "cb0bb6e33fc540709d50a16eb2e555f9",
    "validFrom": 1501530702801,
    "validTo": 1501617102801
}

Invalidating Access Token

Invalidates an active access token.

Requires fully authenticated user.

Example Request Example Response

POST /api/v1/twofactor/invalidate

{
    "token": "fa368f984b0d4e96a73ea57dca4e110d"
}

{
    "resourceIdentifier": "fa368f984b0d4e96a73ea57dca4e110d"
}

Get configuration settings

Returns all two-factor configuration settings.

Requires fully authenticated user.

Example Request Example Response

GET /api/v1/twofactor/configure

    "otp-delivery-email-body": "Hello {{username}}.\n\nYour OTP login token is {{token}}.",
    "otp-delivery-sms-enable": true,
    "otp-delivery-sms-provider": 6,
    "otp-delivery-email-subject": "Fineract Two-Factor Authentication Token",
    "otp-token-length": 5,
    "access-token-live-time-extended": 604800,
    "otp-delivery-email-enable": true,
    "otp-token-live-time": 300,
    "otp-delivery-sms-text": "Your authentication token for Fineract is {{token}}. das",
    "access-token-live-time": 86400
}

Update two-factor configuration settings

Update two-factor configuration.

Requires fully authenticated user.

Example Request Example Response

POST /api/v1/twofactor/configure

{
    "otp-delivery-sms-provider": 7
    "otp-delivery-sms-enable": false
}

{
    "changes": {
        "otp-delivery-sms-enable": false,
        "otp-delivery-sms-provider": 7
    }
}

Timeline

Phase 1: May 30 - June 26
Fineract: 2FA Configuration OTP generation & verification services
Evaluation 1: June 26 - June 30
Phase 2: June 30 - July 24
Fineract: OTP request & validation endpoint GUID generation 2FA Filter	Community-app, android-app: Add 2FA login support 2Fa configuration support in the community-app
Evaluation 2: July 24 - July 30
Phase 2: July 30 - August 21/29
Fineract: Documentation access token invalidation endpoint Work on time-based 2fa(optional)	Community-app, Android client: Remember me functionality