Jump to content

Two Factor Authentication (2FA) and LabVIEW


Recommended Posts

Has anyone dealt with integrating with 3rd party two factor authentication systems (e.g. Google Authenticator, Authy, Microsoft Authenticator)? I've searched around and found some information about Oauth 1.0a here but I'm not sure that is much help. 

The use case is an operator wanting to trigger an action that is approved by a supervisor on a mobile device. Offline authentication would be very helpful too.

Link to comment

I looked at it briefly a while ago and came to the conclusion that it is really a stateful HTTP protocol framework. The underlying cryptographics are very simple (in 2.0) but there are a lot of HTTP states that are different for each method (6 methods in total with varying privlieges, IIRC). So you have to identify which method is being used then have an application go through the the appropriate HTTP process with various redirects.

This means that a complete LabVIEW library could be quite unweildy and confusing rather than just using basic HTTP GET/POST in an application to achieve the one instance you are interested in-especially as you may have to use another 3rd party JSON library for responses as the NI one is useless.

It's not difficult to create the HTTP messages, it's just the process logic is cumbersome. You can get away with a couple of HTTP POSTS and string stripping  if you want quick and dirty but for proper and secure, you need the full stateful operation.

  • Like 1
Link to comment
  • 2 weeks later...
On 10/5/2019 at 6:17 PM, Michael Aivaliotis said:

Can you describe the workflow? This doesn't seem to be a good solution on first blush.

Well, things have morphed a little and I may have been using some terms a bit freely. But for now I've been able to replicate the steps used in Google Authenticator for producing HMAC-based One-time Password algorithm (HOTP) with the help of this article as a starting pointThere's still plenty to work through, but I was unable to find this available for LabVIEW anywhere. Perhaps I may be mistaken and there are some more fully developed libraries out there. I would love to see those!

The workflow is basically that an operator needs to get approval from an administrator to proceed with the sequence. Well, needs to be forced to get approval. A TFA implementation along the lines of what Shaun mentioned that could trigger the authentication process by an HTTP message to an existing service might be a way to use an authenticator app without a code. Obviously I'm no web developer. E.g. attempt to log onto a dummy google account with TFA set up and refuse to proceed until the service says that the authentication was successful. This would be dependent upon the pre-configured app on the supervisor's mobile device acknowledging the log-in, then LV would log back out. Perhaps the wrong hammer for this screw?

Link to comment

I think I should point out the terminology here. 2FA is a method of authentication (are you who you say you are). Oauth is a method of authorisation (do you have permission). For the latter, authentication is achieved by a 3rd party and log-in credentials are never sent to the service requiring permission, rather, the service requests permission from the third party that has already assertained your identity-outsourced authentication.

On the surface it would seem OAuth is what you require but there is a caveat. Most systems around today are targeted towards gaining permission for an application to access a service. What would happen with OAuth is that you would add your application to the white list and the Adminstrator wouldn't have to press OK for your application at all. In fact. The service would think  you are the Adminstrator. I'm not sure that is what you want either.

Ignoring security for now...

What I think you are asking is just to have an entry in a database somewhere with a request and the Adminstrator updates the database with permission. So at the point where the Operator wants to proceed, the application put a request to the server which searches to see if the request already exists or inserts a new request in the database. The Adminstrator then sends a request to the server to allow or deny the permission and the server updates the database with the permission flag. The application then sends the request again and the server checks the database entry to see if the request was allowed. I'm obviously glossing over a lot here because you will have noticed that it requires the Adminstrator to know there was a request and the application to know the Adminstrator responded. But I think this is basically what you are asking for. No?

Edited by ShaunR
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.