Two Factor Authentication (Users)

Here you can set up two-factor authentication (2FA) for this user. You need a license for this functionality.

This adds a second level of security on top of the login with your own credentials: you use an external application (e.g. on your smartphone) that provides a code, which you enter during login after your credentials.

For this interaction between Lobster Integration and the external application to work, you need to create a one-time link between Lobster Integration and the external application. This works by exchanging a shared key (more about this below). No connection between Lobster Integration and the external application is necessary afterwards: the external application generates the code and Lobster Integration verifies it purely by computation, using mathematical algorithms based on that shared key.


[Screenshot]

General activation


For general activation, the following entry must be added/activated in the configuration file ./etc/startup.xml, in the section for Lobster Integration (DataWizard) and/or DataCockpit (WebMonitor). Possible values: optional, mandatory, disabled.


<Set name="TFAHandling">optional</Set>

Activating handler


Next, a handler and a device must be entered/activated in the configuration file ./etc/auth.xml. Note: You can enter multiple DeviceTemplates.


<!DOCTYPE Configure PUBLIC
  "-//Lobster//DTD Configure 1.0//EN"
  "http://www.lobster.de/dtd/configure_1_1.dtd">
<Configure class="com.ebd.hub.services.auth.AuthenticationService">

...

  <!-- add allowed two factor authentication handlers -->
  <Call name="addTFAHandler">
    <Arg>com.ebd.hub.services.auth.tfa.otpauth.TOTPHandler</Arg>   <!-- handler type -->
    <Call name="addDeviceTemplate">
      <Arg>GoogleAuthenticator</Arg>   <!-- alias -->
      <Arg>3</Arg>                     <!-- allowed login attempts -->
      <Arg>30</Arg>                    <!-- frequency of code generation, in seconds -->
      <Arg>6</Arg>                     <!-- code length -->
      <Arg>HmacSHA512</Arg>            <!-- algorithm -->
    </Call>
    <Call name="addDeviceTemplate">
      <Arg>MicrosoftAuthenticator</Arg>
      <Arg>3</Arg>
      <Arg>30</Arg>
      <Arg>6</Arg>
      <Arg>HmacSHA512</Arg>
    </Call>
  </Call>

</Configure>

The parameters of the handler and device template entries above (Parameter / Example value / Allowed values / Notes):

Handler type
Example value: com.ebd.hub.services.auth.tfa.otpauth.TOTPHandler
Allowed values: com.ebd.hub.services.auth.tfa.otpauth.TOTPHandler (com.ebd.hub.services.auth.tfa.otpauth.HOTPHandler)
Notes: Important note: The time zone on the Integration Server and that of the external application must be identical, otherwise it will not work! So set the time zone on your cell phone, for example, to the time zone of the Integration Server. Note: It would be possible to use an HOTP handler; please use the simplified configuration described below in that case. However, this works only in combination with the Google Authenticator, and the handling in this app is suboptimal. We generally recommend the use of the TOTP handler.

Alias
Example value: GoogleAuthenticator, MicrosoftAuthenticator
Notes: Any name. It makes sense to use the name of the external application (device) you have chosen, e.g. the Google Authenticator on your smartphone. Note: The apps currently allowed for the TOTP handler are Google Authenticator, Authy and Microsoft Authenticator.

Allowed login attempts
Example value: 3
Notes: If this number is exceeded, the login for this user is blocked.

Frequency of code generation
Example value: 30
Notes: In seconds.

Code length
Example value: 6

Algorithm
Example value: HmacSHA1
Allowed values: HmacSHA1, HmacSHA256, HmacSHA512

The example above shows a configuration with explicit parameters. You can also use a simplified configuration that only names the device, in which case the default values (the example values listed in the table above) are used.


<Call name="addTFAHandler">
  <Arg>com.ebd.hub.services.auth.tfa.otpauth.TOTPHandler</Arg>
  <Call name="addDeviceTemplate">
    <Arg>GoogleAuthenticator</Arg>
  </Call>
</Call>

Registering and Activating External Application in GUI


[Screenshot]


(1) Use the context menu to select a registered device (external application); the devices offered here are the device templates entered in the handler configuration.

(2) You need the master key (if you are not an administrator) to deactivate 2FA again. Important note: If there are problems with the 2FA login and a user is locked out, use another user with admin rights to disable 2FA for the locked-out user.

[Screenshot]

(3) Then click here.


[Screenshot]


(4) Either scan this QR code in your external application. Note: If you scan this code with the Google Authenticator app on your smartphone, for example, you have established the one-time link between Lobster Integration and your Google Authenticator app (via the shared key).

(5) Alternatively to (4), you can enter these values manually in your application.

(6) Then click here. The device registered in Lobster Integration for this user and the external application now have the same shared key.


[Screenshot]


(7) Once all the previous steps have been performed, you can make a registered device the active device. After you save, two-factor authentication is active for this user. If you now log in to Lobster Integration with this user, first enter your normal credentials. You will then be asked for a code (which is generated from the shared key with the TOTP method). Open your Google Authenticator app on your smartphone, for example, read the code and type it into the Lobster Integration login dialogue, where it is verified with the shared key and the TOTP procedure.
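How the shared key is turned into a code on both sides, as an added example written for this page (it is not Lobster's code and does not show how the TOTPHandler is implemented internally): the standard HOTP (RFC 4226) and TOTP (RFC 6238) computations with the device template parameters from the table (allowed attempts, frequency of code generation, code length, algorithm) as inputs, a key URI in the Google Authenticator format as an assumed stand-in for what the QR code in step (4) carries (the page does not say what it encodes), and a small server-side verifier that applies the allowed-attempts lock. The names TotpDevice and provisioning_uri, the drift window of one step and the exact lock boundary are this example's own assumptions; the key, issuer and account are constructed sample values. The counter is derived from Unix time, so the server clock and the phone clock must agree on the absolute time; a phone whose time or time zone is set wrongly produces codes for the wrong step, which is what the time-zone note in the table guards against.

```python
import base64
import hashlib
import hmac
import struct
import time
import urllib.parse

# The Java Mac names used in the auth.xml device template, mapped to hashlib constructors.
ALGORITHMS = {
    "HmacSHA1": hashlib.sha1,
    "HmacSHA256": hashlib.sha256,
    "HmacSHA512": hashlib.sha512,
}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "HmacSHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "HmacSHA1") -> str:
    """RFC 6238 TOTP: HOTP whose counter is the Unix time (UTC seconds) divided by the period.
    App and server only need the shared key and an accurate clock; no connection is required."""
    return hotp(secret, at // period, digits, algorithm)


def provisioning_uri(secret: bytes, issuer: str, account: str,
                     period: int = 30, digits: int = 6, algorithm: str = "HmacSHA1") -> str:
    """Key URI in the format Google Authenticator and compatible apps import from a QR code.
    Assumption: the page does not state what Lobster's QR code encodes; this is the common format."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({
        "secret": b32,
        "issuer": issuer,
        "algorithm": algorithm[len("Hmac"):],   # HmacSHA512 -> SHA512
        "digits": digits,
        "period": period,
    })
    return f"otpauth://totp/{label}?{query}"


class TotpDevice:
    """Server-side state for one registered device (hypothetical; mirrors the addDeviceTemplate
    arguments: allowed attempts, period in seconds, code length, algorithm) plus a failure counter."""

    def __init__(self, secret: bytes, max_attempts: int = 3, period: int = 30,
                 digits: int = 6, algorithm: str = "HmacSHA1", window: int = 1):
        self.secret = secret
        self.max_attempts = max_attempts
        self.period = period
        self.digits = digits
        self.algorithm = algorithm
        self.window = window          # tolerated clock drift in steps either side (assumed)
        self.failed_attempts = 0
        self.locked = False

    def verify(self, code: str, at: int) -> bool:
        """Accept a code matching the current step or one within +/- window steps.
        Locks the device after max_attempts consecutive failures (assumed reading of
        "if this number is exceeded, the login for this user is blocked")."""
        if self.locked:
            return False
        matched = False
        if len(code) == self.digits and code.isdigit():
            step = at // self.period
            for delta in range(-self.window, self.window + 1):
                expected = hotp(self.secret, step + delta, self.digits, self.algorithm)
                if hmac.compare_digest(expected, code):   # constant-time comparison
                    matched = True
        if matched:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.max_attempts:
            self.locked = True
        return False


if __name__ == "__main__":
    # Constructed demo key; a real deployment generates a fresh random key per device.
    key = b"12345678901234567890"
    print(provisioning_uri(key, "Lobster Integration", "alice", algorithm="HmacSHA512"))
    print("code for the current 30 s step:", totp(key, int(time.time()), algorithm="HmacSHA512"))
```

The functions reproduce the RFC 6238 reference vectors (for example, the 20-byte key "12345678901234567890" at Unix time 59 gives 287082 with HmacSHA1), so a code produced by an authenticator app for the same key, period, digits and algorithm will verify here. The lock is deliberately per device and resets only on a successful login; a locked device, as the page describes for step (2), then needs an administrator to disable 2FA for the user.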