  1. #1
    SmithR's Avatar
    Join Date
    Apr 2008
    Location
    Solihull
    Posts
    43
    Thank Post
    0
    Thanked 6 Times in 5 Posts
    Rep Power
    15

    HAP+ Dual Factor Auth (Request)

    Basically an option so staff only have to use dual factor auth.
    Option to turn on for certain users in the back end.
    They sign in using their AD credentials to log in, they get given a QR code to set up TOTP and to scan into various free apps on multiple platform devices, i.e. Google Authenticator.
    Next time they log in they enter the AD credentials, then get asked for a 6 digit pin, which keeps refreshing in the Google Auth, which then gives them access to HAP+ etc.

    Rob
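
The enrolment and login flow requested above, as an added example that is not part of the original post and not HAP+ code: it implements standard RFC 6238 TOTP with the `otpauth://` key URI that authenticator apps scan as a QR code. The function names, the issuer label and the replay and clock-drift handling are assumptions of this sketch.

```python
import base64, hashlib, hmac, secrets, struct, time
from urllib.parse import quote

def new_secret() -> str:
    """Per-user 160-bit secret, Base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def enrolment_uri(user: str, secret_b32: str, issuer: str = "HAP+") -> str:
    """Key URI to render as the QR code at first sign-in (issuer is assumed)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(user)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}")

def totp(secret_b32: str, at: float, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 code for the 30-second step containing time `at` (HMAC-SHA1)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, last_used_step, now=None, step=30, drift=1):
    """Return the matched time step, or None if the code is rejected.

    Accepts +/- `drift` steps of clock skew and refuses any step at or before
    last_used_step, so a code seen once cannot be replayed."""
    now = time.time() if now is None else now
    current = int(now) // step
    for s in range(max(0, current - drift), current + drift + 1):
        if s <= last_used_step:
            continue
        expected = totp(secret_b32, s * step, step=step)
        if hmac.compare_digest(expected.encode(), str(submitted).encode()):
            return s
    return None

# Constructed sample: the published RFC 4226/6238 test secret, not a real key.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(enrolment_uri("jsmith", new_secret()))
    print(verify(RFC_SECRET, "287082", last_used_step=-1, now=59))
```

The caller stores the returned step as the user's new `last_used_step` after a successful login.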

  2. #2
    SmithR's Avatar
    @nickbro

    We are currently trialling some software that will offer two factor authentication and loads of other services; the main ones we will be using are RDP and Outlook Web Access.
    They have an API that you can integrate into other software; is it possible it could be integrated into HAP? This will allow me to manage all two factor authentication from one management interface, and give them a variety of options: PUSH / Passcode / SMS / Call etc.
    Below is the URL
    https://www.duosecurity.com/docs/aut...om#first-steps
    Could you take a look at this and let me know if it’s possible or not?

  3. #3

    nickbro's Avatar
    Join Date
    Jul 2010
    Location
    Gilwern, Wales
    Posts
    3,691
    Thank Post
    43
    Thanked 560 Times in 468 Posts
    Rep Power
    124
    I have no idea, having a look at their code, it doesn't seem to make sense to me

  4. #4
    SmithR's Avatar
    @nickbro

    Hey, to be honest I don't understand it either, but I have found another page on their website if you get the chance to look.
    Does this make more sense? https://www.duosecurity.com/docs/duoweb

    This would really help a great deal as this is the last piece of software staff access externally that doesn't have dual factor auth.

    Many thanks

  5. #5
    mattgrimley's Avatar
    Join Date
    Jun 2011
    Location
    Bedfordshire
    Posts
    321
    Thank Post
    36
    Thanked 22 Times in 20 Posts
    Blog Entries
    1
    Rep Power
    11
    Isn't the Google Authenticator stuff free? Out of interest, what advantage does the paid duosecurity stuff have?

    I'm really interested in this topic as I think it's something that any security auditor would insist on.. but the cost-free solutions aren't particularly clear. I presume the thing missing from the Google Authenticator route is SMS for people without smart phones?

    I can see two-factor being the next big reason to hate the IT department, but it's hard to argue against it (certainly for staff accounts).

    I found a few examples on the Google Authenticator 2-step stuff (though the first is in Python)
    Using Google Authenticator For Your Website | brool

    This one has the source available in a tar at the bottom:
    Google Authenticator Demo

    I guess one implementation of two-step is much the same as another.. the principle seems the same, with the initial login redirecting to the "something you have" code entry before authenticating to the system..

    As easy as it appears to be.. I can't find a single example of the code required to mod an Exchange 2010 OWA installation however.. so clearly it ISN'T so easy!

  6. #6
    SmithR's Avatar
    The only advantage the paid stuff has over the free stuff, from the trial I'm having, is that it pulls users from AD and their mobile numbers if you have that field populated, can be set up for certain AD groups, like staff only and not the students, it's easy to push activation texts out, they seem to have already done RDP and Outlook Web Access which took minutes to set up, and you can set up hardware tokens in the back end
    and a variety of auth methods:
    PUSH
    TOTP
    SMS
    Phonecall

    By all means I use Google Auth on my personal stuff, but from an IT manager point of view I need easy to manage and control and set up for over 150+ staff.
    Last edited by SmithR; 25th April 2014 at 11:18 AM.

  7. #7
    SmithR's Avatar
    Sorry to bump this thread up again,
    @nickbro did you manage to have a look at the Web SDK,
    https://www.duosecurity.com/docs/duoweb

    It seems to make more sense than the Auth API they have

    And this would hugely help as this is the last piece of software staff access externally that doesn't have dual factor auth on,

    many thanks

  8. #8

    Join Date
    Apr 2012
    Posts
    60
    Thank Post
    0
    Thanked 6 Times in 5 Posts
    Rep Power
    7
    I'm going to be awkward here

    From a project point of view, given that there's probably N different systems (2 have been mentioned in this thread), there's a possible request of "Can you make it so it's easy to plug in external/additional validation methods to the logon process" [For example, if you wanted someone to complete a captcha whenever they log in, use Google Auth, use Duo Security etc]. Part of my initial thoughts to that would be that the options are so varied of what someone might want to do, it would probably be hard/impossible to add a useful API for people to use that would be less work than just "editing the logon page".

    Equally, unless there's lots of schools making use of system N for dual authentication, it's probably not feasible to implement functionality for the main system(s) in the core product.

    Therefore, it would seem the actual requirement is whether someone will take the time to write some custom code for HAP that you'd need to apply manually to your own build of HAP. Given there's a free version of the software (for <10 users), someone (maybe even me if I got really bored) could probably work out how to get the API working - my question then would be whether you have the skills/software to compile a custom version of HAP, and maintain/update the code in the future?

  9. #9
    SmithR's Avatar
    Yes, from a project point of view I can see your point; with the many systems that are out there it's hard to pick one.

    So I'll change my question,
    with HAP being open source, and the source code files being on hap.codeplex.com:

    Are there any web developers out there that would be willing to integrate the Duo SDK into a custom version of HAP, with documentation on how to add this so when new versions come out I can edit the file myself, or anyone that could point me in the right direction?

    My school would be willing to pay for this work to be done, so we could negotiate a price.

  10. #10

    It actually seems fairly trivial to implement this (my hacky method seems to function for my test user).

    I'm just wondering whether anyone would want to allow people the option of using one use codes from hap within this scenario.

  11. #11
    SmithR's Avatar
    Am I reading this right? Have you hacked the code and got Duo working with HAP?
    If you have, do you want to point me in the right direction on how you did this? I could have a go at hacking the code myself, I just need to know where to start lol

    I've also located the Duo GitHub page if that helps anyone: https://github.com/duosecurity
    Last edited by SmithR; 16th May 2014 at 09:49 AM.

  12. #12

    In short, I think the answer would be a 'yes'.

    I need to look through what I did and make sure it's fairly sensible.

    Equally, I'd like to have a think about whether it's feasible to implement in a better way. However, against my test box, I do seem to have it requiring an SMS or equivalent to log in. What I need to make sure is that it *requires* it, as opposed to "accepts windows authentication, asks for duo's then lets you in anyway via method X" type of thing - which would defeat the object.

    Paul
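
The "requires it" property described above, as an added example that is not part of the original post and is neither HAP+ nor Duo code: the access decision is made on every protected request from server-side session state, so passing the password step alone never grants access for an enforced user. `LoginGate`, `Session` and the injected `check_second` verifier are hypothetical names; the verifier stands in for whichever second factor is used.

```python
from dataclasses import dataclass
from typing import Callable, Set

@dataclass
class Session:
    user: str
    password_ok: bool = False  # first factor (AD credentials) verified
    second_ok: bool = False    # second factor verified in this session

class LoginGate:
    def __init__(self, enforced: Set[str], check_second: Callable[[str, str], bool]):
        self.enforced = enforced          # users who must pass a second factor
        self.check_second = check_second  # hypothetical verifier: (user, response)

    def after_password(self, user: str) -> Session:
        """Password accepted: the session exists but is only half authenticated."""
        return Session(user=user, password_ok=True)

    def submit_second(self, s: Session, response: str) -> None:
        if not s.password_ok:
            return
        try:
            # Only a literal True counts; truthy strings or objects do not.
            s.second_ok = self.check_second(s.user, response) is True
        except Exception:
            s.second_ok = False  # verifier error or outage: fail closed

    def may_access(self, s: Session) -> bool:
        """Run on every protected request, not only on the login page."""
        if not s.password_ok:
            return False
        if s.user in self.enforced:
            return s.second_ok
        return True

def demo() -> list:
    # Constructed sample users and verifier, for illustration only.
    gate = LoginGate({"staff1"}, lambda user, resp: resp == "approved")
    staff, pupil = gate.after_password("staff1"), gate.after_password("pupil1")
    results = [gate.may_access(staff), gate.may_access(pupil)]
    gate.submit_second(staff, "approved")
    results.append(gate.may_access(staff))
    return results

if __name__ == "__main__":
    print(demo())
```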

  13. #13
    SmithR's Avatar
    See below

    Hi Robert,

    You should be able to integrate with our Web SDK (specifically with: https://github.com/duosecurity/duo_dotnet) based on my viewing of the code for that particular application.

    Unfortunately, we aren't able to provide implementation on your behalf with this software. Our SDKs are provided with example information as a baseline for developers to integrate Duo into existing applications. Because of the unique nature of each application and the nuances of how it will be used with Duo, we aren't able to provide dedicated resources for each application's development. That said, we're more than happy to field any questions you or your developers may have if they are experiencing difficulties integrating the product with Duo's Web SDK.

    Here is more information on the Web SDK as well: https://www.duosecurity.com/docs/duoweb

    Please let me know if that answers your questions and if you have any additional questions I can assist with!

    Thanks!
    Trevor


