Two-Factor Authentication Setup Guide – Technical Blog Series
April 23, 2018
Today we’re going to walk you through two-factor authentication and how we add it to our IoT solutions.
- Deploy custom logic to the Edge
- Real-time synchronization between Edge to Cloud
- SMS integration with Twilio
- SMS available phone number
- ClearBlade Sandbox Account (Create)
1. The first place to start is by going to ClearBlade’s IoT Package Manager (IPM) and seeing what sort of integrations are ready to be used. You can see there is a “two-factor-auth” IPM package ready to go.
2. Click into the IPM and you’ll see in its general description that it is designed to be imported directly into your IoT platform. You’ll embed the solution by grabbing the URL: https://github.com/aallsbrook/two-factor-auth
3. In this case you’ll want to do a fresh install of the “two-factor-auth” system. Do this by clicking “Install”, pasting the solution URL and hitting “Fetch”. You can see all the assets are inside and then click Import.
4. Now that the system has been imported, you need to go back and see how you’re going to set this up. There are setup instructions in the IPM that you’ll follow. There are 4 basic steps:
A. Update the “ConstantsTwoFactorLibrary”.
B. Under “two-factor-auth” click “Code” select “ConstantsTwoFactor” and you’ll see a number of base parameters that you need to set up. The first is a platform URL. You can run the ClearBlade platform on any cloud or any on-prem. For this demo we are using our staging URL that is running on the cloud. Next you need to embed some Twilio parameters. Copy and paste these in from your personal Twilio account information. You can change the “SMS_MESSAGE” if you like. Then, click “Save”.
C. The next step is to run a code service called “SetupTwoFactorAuth” and modify a few constants at the top. Go back into the code for “two-factor-auth” and click “SetupTwoFactorAuth”. You’ll see 3 account passwords you’ll be creating along with a test user phone. For the demo we will leave the passwords alone, but you can change them if you like. You will need an active cell phone to receive test messages.
D. Now click “Save and Test”. This will run it as a developer. It is now creating these 3 users with 3 roles.
It will say “Success” in the popup window to show that the 3 users have been created.
5. Next, you’ll need to set the “runAs” user for the “authOverride” service to your “authOverrideAccount”. The ClearBlade platform lets you choose a service and in that service you can change what permissions it runs with.
6. By default a service runs as the calling user: the user logged into the portal or the user calling the API. You can change this default by clicking “Properties”, then by clicking on the wrench icon. In this case we want to elevate the service’s permissions to a higher authority, so we will be using authOverrideAccount@clearblade.com for our demo. We do this because the service will be changing user permissions and reading collections we want to keep private, so outside users should not get access to the assets the service operates on.
7. Last, configure the “authOverride” service for the system. This will configure the system to have all authentication requests go through a specific service. Click “System Settings” then “Access” and under “Auth Service” you can choose “authOverride” then click “Save”.
Now every authentication request for every user will go through this piece of logic. Each request has to carry information about which phase of the flow it is in, including whether it is submitting a confirmation code, and the service implements the two-factor lifecycle. Beyond an SMS confirmation code you can configure additional factors, such as time or GPS coordinates, to authorize or reject end users.
8. The configuration is set up, so the next thing to do is test it in the portal. Open the portal in an incognito window. By default ClearBlade doesn’t push the system keys into each portal. You can copy and paste them by clicking “Info” then “System Settings”. You can override this and hardcode them if you want or need to later on.
9. Enter in the username and password then click “Submit”.
10. The next page will ask you for a confirmation code which will be sent to the phone number you entered earlier. Now enter the numerical code that was sent to you.
You will now see the guaranteed factor ID that grants the portal the confirmation code.
If you want to see the process happening behind the scenes go to “data” and click on “TwoFactorAuthTokens”. Here you can see the collection of codes under “sms_code (string)” including the one that was just sent. You can also see it is pending the success of the confirmation code before granting the final “auth_token”.