fineract-dev mailing list archives

From Avik Ganguly <avikganguly...@gmail.com>
Subject Re: Offline Mode working in Coordination with Two Factor Authentication Changes to Apache Fineract
Date Mon, 09 Oct 2017 06:36:35 GMT
Hi Mohit,

I hope you had a great hackathon experience this weekend. Documenting some
of the details of our discussion from last week.

Please address the breaking changes in the offline schema like the code for
client creation which you mentioned has issues. Apart from that, I was
unable to figure out the targeted scope of the project by searching its
corresponding requirement document / functional spec in JIRA, but it's
unclear to me whether a flow like center / group creation followed by
client and loan creation was targeted as part of the scope. Can you point
me to a document regarding the same?

Once the module is brought to some logical conclusion and the PR is sent
for the core intended functionality, introduce and use an offline access flag
at user level to allow Risk to control this mode being used only on a need
basis. The following security features can be added as well.

I am not aware of any highly secure way of authenticating offline, but a
"basic" offline security implementation I have seen for mobile devices is
to allow the user to set a 6-digit MPIN for the day before going offline,
which is stored in memory after encrypting with a symmetric key. On
inactivity-based auto-logout or re-opening the application, the user is
prompted for the MPIN, which is validated against the saved MPIN. Since
these devices are usually hardened using software like Airwatch, access to
the offline database is not fretted over.

In a browser, however, the data is accessible easily, but unauthorized access
is much less likely. The same PIN-based approach can be implemented. On
reaching max retries for the PIN, the offline data can be purged. An
additional layer can be provided which uses a public key to encrypt PII
(personally identifiable information) in the local schema (customer name, date
of birth, mobile no, address line one) and decrypt these fields in online
mode when syncing back.

The above does not have anything to do with 2FA or OAuth security modes,
though, other than re-using the public key in case of encrypting PII.

Regards,
Avik.



On Mon, Oct 9, 2017 at 10:51 AM, Mohit Bajoria <mohitbajo36@gmail.com>
wrote:

> Hello Ed,
>
> Yes! I had a call with Avik last week; Avik is going to update a write-up
> on the flow of the offline process.
>
> Regards
> Mohit
>
> On 9 October 2017 at 06:46, Ed Cable <edcable@mifos.org> wrote:
>
>> Mohit,
>>
>> Have you had a chance to connect with Avik yet? Can you please keep the
>> whole community updated? There is great anticipation around this project as
>> we've been waiting for it for two years now :)
>>
>> Ed
>>
>> On Wed, Sep 27, 2017 at 10:20 AM, Avik Ganguly <avikganguly010@gmail.com>
>> wrote:
>>
>>> Hi Mohit,
>>>
>>> Let me know when it's a good time to discuss the concerns that "a user
>>> can no longer log in while offline and offline transaction entry isn't
>>> supported either".
>>>
>>> You can reach me over phone / Whatsapp at 9900878571.
>>>
>>> If you prefer Skype, send me a calendar invite at your preferred time
>>> anytime in the evening post 7 PM.
>>>
>>> Regards,
>>> Avik.
>>>
>>> On Tue, Sep 26, 2017 at 4:06 AM, Ed Cable <edcable@mifos.org> wrote:
>>>
>>>> Avik, Alex, Mohit,
>>>>
>>>> I wanted to follow up on this as we have a number of community members
>>>> that are keen on using the offline mode in the browser and this is blocking
>>>> any further review of Mohit's work.
>>>>
>>>> Thanks,
>>>>
>>>> Ed
>>>>
>>>> On Tue, Sep 12, 2017 at 12:23 AM, Myrle Krantz <myrle@apache.org>
>>>> wrote:
>>>>
>>>>> There was a good talk on offline-first at Seville last year that
>>>>> introduced some technologies that might be helpful:
>>>>>
>>>>> https://feathercast.apache.org/2017/03/12/apachecon-seville-2016-easy-offline-first-web-apps-with-pouchdb-electron-and-react-rod-cope/
>>>>>
>>>>> Greets,
>>>>> Myrle
>>>>>
>>>>> On Mon, Sep 11, 2017 at 6:59 PM, Ed Cable <edcable@mifos.org> wrote:
>>>>> > Avik and Alex,
>>>>> >
>>>>> > I wanted to get a discussion going with Mohit and the rest of the
>>>>> > community. He's trying to get his project for browser-based offline access
>>>>> > in Chrome to work (
>>>>> > https://gist.github.com/mbj36/105c47ccc10890cc4c71582ad63cff23) but
>>>>> > due to the changes Alex had to make to authentication for 2FA, a user can no
>>>>> > longer log in while offline and offline transaction entry isn't supported
>>>>> > either.
>>>>> >
>>>>> > Avik - given your extensive experience in building offline solutions, I
>>>>> > hope you could give Mohit some guidance.
>>>>> >
>>>>> > We can set up a call at your convenience for Mohit to discuss where he's
>>>>> > running into roadblocks.
>>>>> >
>>>>> > Cheers,
>>>>> >
>>>>> > Ed
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> *Ed Cable*
>>>> President/CEO, Mifos Initiative
>>>> edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649
>>>>
>>>> *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
>>>> <http://facebook.com/mifos>  <http://www.twitter.com/mifos>
>>>>
>>>>
>>>
>>
>>
>> --
>> *Ed Cable*
>> President/CEO, Mifos Initiative
>> edcable@mifos.org | Skype: edcable | Mobile: +1.484.477.8649
>>
>> *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
>> <http://facebook.com/mifos>  <http://www.twitter.com/mifos>
>>
>>
>
>
> --
>
> *Regards*
> *Mohit Kumar Bajoria*
> *http://mohitbajoria.com <http://mohitbajoria.com>*
>
