Summary
This document describes the steps to be taken following the installation of UniTrac where Multifactor Authentication is expected to be used.
Overview
The implementation of Multifactor Authentication (MFA) allows for an additional validation check when a user accesses a compliant application. Products that are compliant with the new MFA capability include:
- Evolution
- AutoFind Web (must be configured for UtAuth Only in order to enable MFA)
- AFM2
- UniTrac Administration
In each case, when MFA is required, the user is prompted to enter a numeric Token within a specific time window in addition to their User ID and Password. This Token is then compared to one generated by the system and the user is allowed access only if the Tokens match.
More Information
The numeric Token that must be entered by the user is generated with the time-based one-time password (TOTP) algorithm used by Google Authenticator (GA). As such, GA must be downloaded and installed on a personal device (Android, iPhone, etc.) to which the user has access.
The system supports the concept of trust for a user authenticating from a workstation from which the user previously authenticated. Depending on configuration, a user may be able to indicate to the system that the current workstation is to be trusted for future authentication for that user. If the user does this while supplying a valid authentication Token, that user will not need to supply a Token in the future for a system-configured period of time when at that workstation.
The following steps are necessary to configure MFA in UniTrac:
- Set the following values in the UNI_Config table:
  - MultifactorAuth\DeviceTrustExpiration (default 30) – Number of days that a trusted user/workstation will remain trusted. After this period of time, the user will need to enter an authentication Token to renew trust
  - MultifactorAuth\TotpTimestepBrackets (default 1) – Number of timestep brackets before and after the current time period that will also be checked when an authentication Token is validated. For example, GA uses a 30-second period during which a given Token is valid. When this parameter value is set to 1, the system will validate the entered Token against the current 30-second period as well as one 30-second period before and after. A value of 2 will check the current 30-second period as well as 60 seconds before and after
  - MultifactorAuth\UserCanTrust (default 1) – Set to 1 if a user with the UniTrac User role can specify that their workstation should be trusted, or set to 0 if not
  - MultifactorAuth\AdminCanTrust (default 0) – Set to 1 if a user with the UniTrac Admin role can specify that their workstation should be trusted, or set to 0 if not
  - MultifactorAuth\SuperAdminCanTrust (default 0) – Set to 1 if a user with the UniTrac Super Admin role can specify that their workstation should be trusted, or set to 0 if not
  - MultifactorAuth\UserMFARequired (default 0) – Set to 1 if the UniTrac User role must use MFA (setting enforced during addition or update)
  - MultifactorAuth\AdminMFARequired (default 0) – Set to 1 if the UniTrac Admin role must use MFA (setting enforced during addition or update)
  - MultifactorAuth\SuperAdminMFARequired (default 0) – Set to 1 if the UniTrac Super Admin role must use MFA (setting enforced during addition or update)
- Set the following values in the /configuration/UtAdminUI.Utils.Configuration/Parameters section of the web.config file for UniTrac Administration. These are only used to populate the new checkbox in the Users page:
  - DefaultMultifactorAuthRequiredSuperAdmin (default true) – Set to true if “Multifactor Authentication Required” for a new user with the UniTrac Super Admin role should default to “checked” in the Users page, or false if it should be “un-checked”
  - DefaultMultifactorAuthRequiredAdmin (default true) – Set to true if “Multifactor Authentication Required” for a new user with the UniTrac Admin role should default to “checked” in the Users page, or false if it should be “un-checked”
  - DefaultMultifactorAuthRequiredUser (default false) – Set to true if “Multifactor Authentication Required” for a new user with the UniTrac User role should default to “checked” in the Users page, or false if it should be “un-checked”
- For each user that is to be required to use MFA, their User information needs to be modified using the Multifactor Authentication section of the Users page in UniTrac Administration:
  - Check “Multifactor Authentication Required” if this user needs to use MFA. Note that this does not force the page to require entry of a “Validation Key”
  - Click the “Generate Key” button to create and populate “Validation Key” with a random valid key
  - Provide the “Validation Key” value to the user, as this needs to be entered in GA
  - Specify if the user Can Trust the devices used to access the web UI (when trusted, no token is required at login)
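The effect of MultifactorAuth\TotpTimestepBrackets, together with the single-use Token rule described in the additional notes, is easier to see in code. The following Python example is added here and is not UniTrac code; it implements standard RFC 6238 TOTP (HMAC-SHA1, 30-second periods, 6 digits) with a bracket window and a replay check, and the validation keys used are constructed test values.

```python
import base64
import hashlib
import hmac
import struct

PERIOD = 30  # seconds; the time step Google Authenticator uses


def totp(key_b32: str, timestep: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for one 30-second timestep counter."""
    key = base64.b32decode(key_b32.upper() + "=" * (-len(key_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def window_seconds(brackets: int) -> int:
    """Total span during which a given Token is accepted: the current
    period plus `brackets` periods before and after it."""
    return (2 * brackets + 1) * PERIOD


class TokenValidator:
    """Validates a Token the way the article describes: the current period
    plus `brackets` periods either side, with each Token redeemable only
    once in that window, so a replayed Token is denied."""

    def __init__(self, key_b32: str, brackets: int = 1):
        self.key = key_b32
        self.brackets = brackets
        self.used = set()  # (timestep, token) pairs already redeemed

    def validate(self, token: str, now: float) -> bool:
        current = int(now // PERIOD)
        # forget redemptions that have aged out of the window
        self.used = {(s, t) for s, t in self.used if s >= current - self.brackets}
        for step in range(current - self.brackets, current + self.brackets + 1):
            if hmac.compare_digest(totp(self.key, step), token):
                if (step, token) in self.used:
                    return False  # second use of the same Token: denied
                self.used.add((step, token))
                return True
        return False
```

With the default of 1 bracket a Token is accepted for 90 seconds in total; raising it to 2 widens that to 150 seconds, which is the trade-off the additional notes warn about.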
Once UniTrac is configured, GA must be set up for each user:
- Download and install GA as appropriate to your user’s device (Android, iPhone, etc.)
- Start GA and create an account via manual entry
- Enter the 16-character key that was received from the UniTrac Administrator who set up MFA
- Set Time Based authentication on
- Save the new account
The process of authenticating to UniTrac Administration:
- Using credentials for a user that has been set to require MFA, attempt to log in to UniTrac Administration. The following “error” should be received:
- Start GA (should take you directly to the previously set up account)
- Take the 6-digit number being displayed in GA and enter it into the “Token” field. This value changes every 30 seconds, and must be entered during that time or within the configured time brackets before or after the current time period
- Re-enter your password and click “Login” to authenticate
- The “Trust This Device” checkbox is optional:
  - The checkbox may or may not be displayed, depending on the user’s role and the UniTrac configuration parameters mentioned earlier
  - If it is displayed, checking the box will place a cookie in the user’s browser that will bypass MFA for this user/browser combination for a period of time. That time is specified in a UniTrac configuration parameter mentioned earlier
Additional notes:
- Timestep bracket values provide flexibility when differences between system times are expected, but care should be taken before increasing the number of brackets. Larger timestep bracket values also lengthen the window during which a given Token remains usable, and therefore the window in which a captured Token could be abused
- An authentication Token can only be used once to gain access to the system during a given time period window. Once a Token is used, any further attempted use of the same Token in that time window will be denied
- Device “Trust” has the following aspects:
  - Persistent cookies need to be enabled on the browser being used in order for trust to operate
  - Trust is based on the browser being used, so a user establishing trust on a given browser on a workstation will remove any previous trust for other users of that browser on that workstation
  - Users using different browsers (e.g. IE and Chrome) on the same machine will not interfere with each other’s trust settings
  - A user that doesn’t require MFA will not affect the trust settings for users of the same browser that do require MFA
- Backward compatibility exists across products so, for example, an Evolution installation that does not support MFA can operate with a UniTrac installation that supports MFA
- Installing this update does not affect any existing UniTrac user’s authentication process by default, so no users will suddenly be required to enter a Token without a Validation Key having been provided to them. Each user’s MFA information must be set individually in the Admin UI Users page, so as to prevent unwanted access denial
- Super Admins can change any MFA setting for any user at any time including overriding system-wide configuration settings. Admins can set MFA settings for only Users and only as determined by system-wide configuration.
- To support roll-out to existing UniTrac installations, if a user is marked as requiring MFA but no validation key exists for the user, a key is generated and presented during login. Enter that key into GA. An example follows: