fineract-dev mailing list archives

From Avik Ganguly <avikganguly...@gmail.com>
Subject Re: Two-Factor Authentication GSoC 2017 Clarification
Date Wed, 02 Aug 2017 14:18:11 GMT

Hello everyone,

I am working with Alex on his two factor authentication proposal for
Fineract.
I will do a better introduction of my interactions with the Mifos community
in the future.

We were discussing the MPIN implementation for the android app last weekend
and we would like to get some clarity on some session management aspects;
i.e. whether the logout API / inactive session expiry features did not get
built intentionally or whether it is an outstanding requirement. Right now
I believe the logout button in the community app deletes the basic auth key
/ oauth token / 2fa token from the root scope / local storage.

I am not sure whom to loop in this mail from the android app side.

Regards,
Avik.

On Wed, Aug 2, 2017 at 8:05 AM, Nayan Ambali <nayan.ambali@gmail.com> wrote:

> Alex,
>
> I agree with Ed. It is a financial system, security always comes first
> then convenience and usability.
>
> -
> Nayan Ambali
>
> On 02-Aug-2017 6:00 AM, "Ed Cable" <edcable@mifos.org> wrote:
>
>> Hi Alex,
>>
>> As far as I saw it, the remember-me is just for the second factor.
>>
>> Ed
>>
>> On Tue, Aug 1, 2017 at 12:23 PM, Alex Ivanov <alexivanov97@gmail.com>
>> wrote:
>>
>>> Hi Nayan and Ed,
>>>
>>> I hope you two are doing well.
>>>
>>> After a meeting between Avik and me we couldn't clarify one of the
>>> requirements of the two-factor project. We weren't sure whether the
>>> remember-me feature would apply to both first and second factor
>>> authentication or only the second factor would be bypassed.
>>>
>>> In general if remember-me applies for the two-factor auth only, the
>>> authentication workflow is as follows:
>>>
>>> 1. User authenticates with basic auth / OAuth
>>> 2. Extended access token is generated (following the TFA workflow)
>>> 3. Client saves the access token, preferably encrypting it with the
>>> username & password of the user
>>> 4. On subsequent logins, after authenticating with basic auth / OAuth,
>>> the user is not prompted for TFA authentication; the access token is reused.
>>>
>>>
>>> Thanks,
>>> Alex
>>>
>>
>>
>>
>> --
>> *Ed Cable*
>> President/CEO, Mifos Initiative
>> edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649
>>
>> *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
>> <http://facebook.com/mifos>  <http://www.twitter.com/mifos>
>>
>>

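The four-step workflow Alex sketches above (first factor, extended token issued after the TFA step, token sealed on the client under the user's credentials, token reused on later logins), together with the logout behaviour Avik describes, as an added runnable example. This is not Fineract or Mifos community-app code: the `Server` and `Client` classes, the 30-day token lifetime, the revocation of a user's tokens on password change, and the HMAC-based sealing (a stand-in for AES-GCM) are all assumptions made for the illustration, and the one-time code is returned in-process instead of being delivered out of band.

```python
"""Remember-me that bypasses only the second factor (constructed example)."""
import hashlib
import hmac
import os
import secrets

TOKEN_TTL = 30 * 24 * 3600   # assumed lifetime of the extended token, in seconds
KDF_ROUNDS = 100_000


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)


class Server:
    """Hypothetical server side: first factor, one-time code, extended-token store."""
    def __init__(self):
        self.users = {}    # username -> (salt, password hash)
        self.tokens = {}   # extended token -> (username, expiry time)
        self.otps = {}     # username -> pending one-time code

    def set_password(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, _pbkdf2(password, salt))
        # Assumption: a password change revokes every extended token the user holds.
        self.tokens = {t: v for t, v in self.tokens.items() if v[0] != username}

    def first_factor(self, username, password):
        rec = self.users.get(username)
        return rec is not None and hmac.compare_digest(rec[1], _pbkdf2(password, rec[0]))

    def send_otp(self, username):
        # Stands in for SMS/e-mail delivery; returned directly so the demo runs offline.
        self.otps[username] = f"{secrets.randbelow(1_000_000):06d}"
        return self.otps[username]

    def second_factor(self, username, code, now):
        expected = self.otps.pop(username, None)
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        token = secrets.token_urlsafe(32)          # the "extended access token"
        self.tokens[token] = (username, now + TOKEN_TTL)
        return token

    def validate_token(self, username, token, now):
        owner, expiry = self.tokens.get(token, (None, 0))
        if owner != username or now >= expiry:
            self.tokens.pop(token, None)           # expired or bound to someone else: forget it
            return False
        return True

    def revoke_token(self, token):
        self.tokens.pop(token, None)


# Client side: seal the token under keys derived from username + password.
def _derive_keys(username, password):
    master = _pbkdf2(password, b"tfa-remember-me:" + username.encode())
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode as a stand-in PRF; real code should use AES-GCM.
    blocks, ctr = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:length]


def seal(username, password, token: bytes) -> bytes:
    enc, mac = _derive_keys(username, password)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(token, _keystream(enc, nonce, len(token))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def unseal(username, password, blob: bytes):
    enc, mac = _derive_keys(username, password)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if len(blob) < 48 or not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        return None   # wrong password, tampering, or the password changed since sealing
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


class Client:
    def __init__(self):
        self.storage = {}          # username -> sealed token blob (what the app persists)
        self.session_token = None

    def login(self, server, username, password, now, read_otp):
        if not server.first_factor(username, password):
            return "first-factor-failed"
        blob = self.storage.get(username)
        if blob is not None:
            token = unseal(username, password, blob)
            if token is not None and server.validate_token(username, token.decode(), now):
                self.session_token = token.decode()
                return "tfa-skipped"
            self.storage.pop(username)          # stale or unreadable: do a fresh TFA
        token = server.second_factor(username, read_otp(server.send_otp(username)), now)
        if token is None:
            return "second-factor-failed"
        self.storage[username] = seal(username, password, token.encode())
        self.session_token = token
        return "tfa-completed"

    def logout(self, server, username):
        # Deleting the local copy alone leaves the token usable; revoke it server-side too.
        self.storage.pop(username, None)
        if self.session_token:
            server.revoke_token(self.session_token)
        self.session_token = None


def run_scenario():
    server, client, t0 = Server(), Client(), 1_000_000
    server.set_password("maria", "correct horse")
    echo = lambda code: code                      # the user types the code she received
    r1 = client.login(server, "maria", "correct horse", t0, echo)
    r2 = client.login(server, "maria", "correct horse", t0 + 60, echo)
    server.set_password("maria", "new passphrase")            # cached blob now unreadable
    r3 = client.login(server, "maria", "new passphrase", t0 + 120, echo)
    r4 = client.login(server, "maria", "new passphrase", t0 + 120 + TOKEN_TTL, echo)  # expired
    client.logout(server, "maria")
    return {"outcomes": [r1, r2, r3, r4], "tokens_after_logout": len(server.tokens)}
```

Two properties fall out of sealing under the credentials: a wrong or changed password leaves the cached token unreadable, so the user is simply prompted for the second factor again, and an attacker who copies the app's storage still needs the first factor. The flip side is that the token in storage is only as strong as the password-derived key, and the local delete on logout that Avik describes does nothing to the server-side record unless the server is told to revoke the token.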