Enhanced authentication allows additional controls to be added to the user authentication process. It can be used to implement security policies such as two-factor authentication, or to provide additional controls over aspects such as the devices in use and the time of day.
Enhanced authentication executes a node to run additional processing when the user signs in, and uses the node's result to control the sign-in process. The node should have anonymous execute authority. Set the account property Enhanced authentication node to this node.
The execution of the enhanced authentication node is passed the following XML parameters.
User logon reference of the user being authenticated.
A JSON string containing information about the user's browser. It contains multiple properties.
The authentication script should return an XML response.
If the user is authorised, return an errorNumber of 0. Optionally, return a "ttl" value, which is the number of seconds for which the authorisation is valid. This is used to cache the authorisation for API calls. The default is 3600, i.e. one hour.
If the user is not authorised, return an errorNumber of 101 together with a "redirect" parameter, which redirects the user to a page where they can complete the authentication, for example by entering a code emailed to them.
Standard enhanced authentication product
The standard Enhanced authentication product implements two-factor authentication based on the user's email address. It applies authentication per device, and is parameterised by time periods since the last sign-in or since the last authorisation.
You can install the product using the installer at Enhanced authentication.
If you need more features, this product would provide a good base for further customisation.
Web service users
Enhanced authentication also applies to web service access. Where web services are called from the browser as part of a user session, this is transparent to the user.
Where web services are used for integration, not via a browser, enhanced authentication will still apply and is likely to cause problems, because there is no user present to complete the redirect step. To overcome this, implement an exception within the enhanced authentication node for these users. The standard enhanced authentication product provides this feature.
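The following is an added illustration of the decision logic an enhanced authentication node has to implement, covering both the response contract described above (errorNumber 0 with a ttl, or errorNumber 101 with a redirect) and the exception for integration web service users. It is example code, not the standard product's node; the page does not name the properties of the browser JSON or the redirect page, so the "deviceId" key, the redirect path, the 30-day re-authorisation period, the service user name and the in-memory trust store are all assumptions made for the example.

```python
import json
import time
import xml.etree.ElementTree as ET

# Constructed values: the page does not name these, so they are assumptions.
DEVICE_KEY = "deviceId"                       # assumed property in the browser JSON
REDIRECT_PAGE = "/enhanced-auth/enter-code"   # placeholder page that asks for the emailed code
REAUTH_AFTER_SECONDS = 30 * 24 * 3600         # assumed policy: re-authorise a device after 30 days
DEFAULT_TTL = 3600                            # product default from the page: one hour
INTEGRATION_USERS = {"svc_integration"}       # assumed names of non-browser web service users

# When each (user, device) last completed the second factor. A real node would
# persist this; a dict keeps the example stand-alone.
_authorised_devices = {}

def record_authorisation(user, device_id, now=None):
    """Call once the user has entered the emailed code for this device."""
    _authorised_devices[(user, device_id)] = time.time() if now is None else now

def build_response(error_number, **extra):
    """Serialise the XML response the sign-in process expects."""
    root = ET.Element("response")
    ET.SubElement(root, "errorNumber").text = str(error_number)
    for name, value in extra.items():
        ET.SubElement(root, name).text = str(value)
    return ET.tostring(root, encoding="unicode")

def parse_response(xml_text):
    """Read a response back as a dict of element name -> text."""
    return {child.tag: child.text for child in ET.fromstring(xml_text)}

def enhanced_authentication(user, browser_json, now=None):
    """Decide whether sign-in may proceed; returns the XML response string."""
    now = time.time() if now is None else now
    # Integration users have no browser to redirect, so they are exempted here.
    if user in INTEGRATION_USERS:
        return build_response(0, ttl=DEFAULT_TTL)
    try:
        browser = json.loads(browser_json)
    except ValueError:
        return build_response(101, redirect=REDIRECT_PAGE)   # unreadable input: fail closed
    device_id = browser.get(DEVICE_KEY)
    if not device_id:
        return build_response(101, redirect=REDIRECT_PAGE)   # unknown device: require the code
    last = _authorised_devices.get((user, device_id))
    if last is None or now - last > REAUTH_AFTER_SECONDS:
        return build_response(101, redirect=REDIRECT_PAGE)   # never or too long ago authorised
    return build_response(0, ttl=DEFAULT_TTL)
```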