2FA - 2-Factor Authentication
Recently, 2FA was added to Green Screens Web terminal to increase security level in cloud environment. Our 2FA implementation is based on RFC 6238 - TOTP: Time-based One-time Password Algorithm and it is fully compatible with mobile OTP token applications like Google Authenticator.
More about OTP mechanism can be found on Wikipedia TOTP itself is not ultimate security solution but combined with other implemented security features as browser fingerprinting, IP address session validation, one-time-bypass-sign-on, custom request encryption, SSL and many more to prevent unauthorized use through web browser we made Green Screens Web Terminal environment as secure as possible.
NOTE: For additional security, it is advisable to set a limited number of invalid OTP attempts before OTP token becomes disabled for further use. In such case, the administrator will have to reactivate the disabled user OTP token.
Configuration alone and usage in Green Screens products are simple. 2FA security is just a few mouse clicks away.
Before using OTP protected server access, administrator must enable OTP for each server configuration (under security tab). When accessing to OTP protected host, every workstation operator will be required to enter OTP token generated by the mobile app.
Registering OTP token
Registering OTP token is simple, virtual host (uuid / host name) and user credentials to IBM I is required to validate user and to generate OTP token in form of QR-Code that can be scanned by mobile application.
The following video shows OTP token registration. Upon successful registration, OTP QR-CODE will be generated for transfer to the mobile device.
Video is not visible, most likely your browser does not support HTML5 video
After OTP token is generated, the workstation operator must transfer the token to the mobile device. The following video shows registration through Google Authenticator application.
NOTE: Last Green Screens Mobile App update also contains OTP support.
Video is not visible, most likely your browser does not support HTML5 video
That's all what is required to register and activate token.
Using OTP token
Every time the workstation operator tries to access IBM I protected with OTP access, a new prompt will pop up asking for verification code. Open your mobile OTP app and retype the numeric code shown on the screen.
Video is not visible, most likely your browser does not support HTML5 video
OTP itself is not only used as a mechanism to validate user access with unique token stored on user smartphone. It is also used to prevent URL reuse from other workstations.
As our terminal is web based and someone hijacks your URL, OTP brings an additional security level along URL protection mechanism to prevent unauthorized use of server resources.
For the end, let's see a short video demonstrating use of invalid TOTP token. The same message will pop up if someone tries to reuse an expired token.
NOTE: OTP token have 30sec. regeneration time by default. That means, each 30 sec. new OTP will be generated inside the mobile app. Still, server validation is usually as twice as long, so that the user have enough time to enter the token that is about to expire and pass into terminal session.
Video is not visible, most likely your browser does not support HTML5 video