GAM - Two-Factor Authentication

Official Content
This documentation is valid for:

It is possible to authenticate and verify, in a second step, the user who is trying to log in. This is known as Two-Factor Authentication, 2FA, and 2-Step Verification (2SV).

2FA is commonly used when a password or username is entered and a second validation step is performed by sending an email or SMS as a way to mitigate brute force attacks.

The second-factor authentication can only be OTP verification, including OTP Custom.

How does it work?

To improve security, the user is required to validate twice before accessing. The first step involves entering a username and password, and the second step performs another validation (like the one mentioned before).

In both cases, in a web or mobile app, when the user has this functionality enabled, every time the user logs in has to follow two steps. This means that while logging in, the user has to successfully pass the second factor to keep logged on the app.

Considerations

Two-Factor Authentication can be configured with the following authentication types: OTP, Local, Custom, WebService, GAMRemoteRest.

Steps to set up Two-Factor Authentication

In this example, Local Authentication is set as the first-factor authentication, and OTP is the second-factor authentication.

  • Step 1: Add the second-factor authentication by choosing OTP. Read this documentation to fully understand OTP configuration.

In order to use OTP only as second-factor authentication, the checkbox "Use For First Factor Authentication?" must be kept unchecked.

image_2021621112024_1_png

  • Step 2: In this example, the first-factor authentication is going to be Local. Local is the default authentication in GAM, so you have to edit it.

image_2021621125416_1_png

In the edit form of Local Authentication, the check box "Enable Two Factor Authentication?" has to be selected.

In the "Authentication Type Name" Combo Box, choose the OTP that was added in step 1.

The checkbox "Force 2FA for all users?" is selected. This option sets 2FA for all the users in the application.

image_2021621122057_1_png

By selecting the checkbox "Force 2FA for all users?" in the first-factor authentication, every user of the app is set with the "Enable two-factor authentication?" checkbox selected.

If you do not select "Force 2FA for all users?", you must select the "Enable two-factor authentication?" checkbox in the settings of every user that you want to use 2FA.

image_2021621122842_1_png

2FA properties

Besides the configuration shown above, 2FA properties can also be set in the GeneXus IDE. For this, you will have to refer to the properties by the following names:

  • &AuthenticationTypeLocal.TwoFactorAuthentication.Enable
  • &AuthenticationTypeLocal.TwoFactorAuthentication.AuthenticationTypeName
  • &AuthenticationTypeLocal.TwoFactorAuthentication.FirstAuthenticationFactorExpiration (seconds): Numeric 9. Default = 900.
  • &AuthenticationTypeLocal.TwoFactorAuthentication.ForceForAllUsers: If set to false, every user can enable this.
  • &UserEnableTwoFactorAuth = Boolean (allows null)

Availability

Since GeneXus 17 upgrade 5