Applies to:
OneVu Customer Service and OneVu Control
eGovHub Portal
BlueBadge Back office
CHC Back office and assessments
The IEG4 Two Factor Authentication allows a user to verify their identity by SMS or authenticator app verification. The user can enter their phone number to receive a verification code via SMS, or can either scan a QR code in an authenticator app or enter a text-based code into the app.
The SMS code is a random 6-digit number that is sent via SMS; the user types it into the Web UI. The authenticator apps use a Time-based One-time Password algorithm, which allows a recognisable QR code and a text string code to be generated.
When the SMS code is generated, it is hashed and stored as the hashed string so that administrative users cannot access the code data. When the user enters the code from the SMS, the entered code is hashed and compared with the code stored in the database. If the two match, the user is authenticated via Microsoft identity and is allowed to continue to the Web UI that they were visiting.
The authenticator app verification passes the entered code into a Time-based One-time Password algorithm. This uses the 30 second time window to verify that the code provided matches one that is generated by the algorithm. If the two match and the algorithm passes, the user is authenticated via Microsoft identity and is allowed to continue to the Web UI they were visiting.
The IEG4 Two Factor interface allows users to log in using their credentials. They are then redirected to a page that offers a choice of authentication mechanism: either SMS or Authenticator App. On selecting SMS, a user who does not already have a phone number stored is prompted to enter one. If a phone number is already present, this step is skipped. At this point an SMS is sent with a newly created code, which is hashed and stored in the database. The site then redirects the user to a page where they can enter the code. Once this form is submitted, if there is a match, the user is authenticated and allowed access.
On selecting Authenticator, the user is redirected to a page showing the QR code and the text-based code, which is provided in case they cannot scan a QR code but still have the app. The user should scan the QR code or enter the text-based code into the authenticator app. This will create a response code that the user can enter into a form. If the code entered is verified by the Time-based One-time Password algorithm, the user is authenticated and allowed access.
If there is no match at any stage during the confirmation, the user is informed and the authentication process restarts.
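The authenticator check described above, sketched as an added example (not IEG4's own code): it derives the RFC 6238 code for the current 30 second window and compares it with what the user typed. The function names, HMAC-SHA1 with 6-digit codes, a base32 text-based code, and the optional drift and replay parameters are assumptions that go beyond what the page states.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # the time window given on the page
DIGITS = 6         # assumption: 6-digit codes, as authenticator apps usually show


def secret_from_text(text_code):
    """Decode the text-based code into the shared secret (assumed to be base32)."""
    cleaned = text_code.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore any stripped padding
    return base64.b32decode(cleaned)


def totp(secret, for_time):
    """RFC 6238 code (HMAC-SHA1) for the time step that contains for_time."""
    counter = int(for_time // STEP_SECONDS)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret, submitted, now=None, drift_steps=0, last_step=None):
    """Return the matching time-step counter, or None if the code is rejected.

    drift_steps=0 accepts only the current window; 1 also accepts the windows
    either side to tolerate clock skew. last_step is the counter of the last
    code this user redeemed, so a code cannot be reused inside its window.
    """
    now = time.time() if now is None else now
    current = int(now // STEP_SECONDS)
    matched = None
    for step in range(current - drift_steps, current + drift_steps + 1):
        expected = totp(secret, step * STEP_SECONDS)
        # Constant-time comparison: do not leak how many digits were right.
        if hmac.compare_digest(expected.encode(), submitted.encode()) and matched is None:
            matched = step
    if matched is None or (last_step is not None and matched <= last_step):
        return None
    return matched
```

Storing the returned step counter per user after a successful login is what lets `last_step` reject a second use of the same code.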