Recently 2FA was added to the Green Screens Web Terminal to raise the security level in cloud environments. Our 2FA implementation is based on RFC 6238 (TOTP: Time-Based One-Time Password Algorithm) and is fully compatible with mobile OTP token applications such as Google Authenticator.
More about the OTP mechanism can be found on Wikipedia. TOTP by itself is not an ultimate security solution, but combined with the other security features we implement, such as browser fingerprinting, IP address session validation, one-time bypass sign-on, custom request encryption, SSL and more, all there to prevent unauthorized use through the web browser, it makes the Green Screens Web Terminal environment as secure as possible.
NOTE: For additional security it is advisable to set a limited number of invalid OTP attempts, after which the OTP token is disabled for further use. In that case an administrator will have to reactivate the disabled user's OTP token.
Configuration and usage in Green Screens products are simple; 2FA security is just a few mouse clicks away.
Before OTP-protected server access can be used, the administrator must enable OTP for each server configuration (under the Security tab). When accessing an OTP-protected host, every workstation operator will be required to enter the OTP token generated by the mobile app.
Registering OTP token
Registering an OTP token is simple: the virtual host (UUID / host name) and the user's IBM i credentials are required to validate the user and to generate the OTP token, in the form of a QR code that can be scanned by the mobile application.
The following video shows OTP token registration. Upon successful registration, the OTP QR code is generated for transfer to the mobile device.
After the OTP token is generated, the workstation operator must transfer the token to the mobile device. The following video shows registration through the Google Authenticator application.
NOTE: The latest Green Screens Mobile App update also contains OTP support.
That is all that is required to register and activate the token.
Using OTP token
Every time a workstation operator tries to access an IBM i protected with OTP, a new prompt pops up asking for the verification code. Open your mobile OTP app and retype the numeric code shown on its screen.
OTP is not only used as a mechanism to validate user access with a unique token stored on the user's smartphone. It is also used to prevent URL reuse from other workstations.
Since our terminal is web based, if someone hijacks your URL, OTP adds a further security level alongside the URL protection mechanism to prevent unauthorized use of server resources.
Finally, let's see a short video demonstrating the use of an invalid TOTP token. The same message pops up if someone tries to reuse an expired token.
NOTE: OTP tokens have a 30-second regeneration time by default, meaning that a new OTP is generated inside the mobile app every 30 seconds. Server-side validation, however, usually allows about twice that long, so that the user has enough time to enter a token that is about to expire and pass into the terminal session.