Introduction
We're pleased to announce some new changes coming up in our Sippy 2020 Version. We will be introducing Multi Factored Authentication methods for our soft switch. This feature will help switch operators to ensure those who have web access are verified before accessing the web interface of your switch. We have added two new methods to ensure your switch is protected - a simple Email based Authentication method and Google Authenticator.
What is 2 Factor Authentication (2FA) and Multi-factor Authentication?
2 Factor Authentication is a way to enhance security of your system. In versions of our software from 5.2 and earlier we require simply a user name and password. In practical terms access to the web interface relies just on something a user knows (user name and password). A malicious user might try to brute force or guess the credentials to gain access to the system with some time and effort - thereby gaining access to something only the web user should know. 2 Factor authentication extends this concept by adding another factor that the malicious user must try to obtain - making it much harder to gain access to the closed system. In 2 factor authentication we still ask for something a user knows but we will now also ask for something the User has.
Multi factor authentication relies on two or more of these methods to prove your identity to the switch. New to our Sippy 2020 version will be two methods to ensure users have the right credentials to enter the site.
Method 1: Email Based 2 Factor Authentication.
We will start with the most basic form of 2 factor authentication with an email based system. All Web users (excluding accounts for the time being) will need to have an email address tied to their user profile. Once an email address is attached then email verification can take place. After successful Authentication using login&password, users will receive an email from the softswitch with a URL they will need to click on to continue on with their typical workflow or alternatively copy the security token into the web page presented on the web interface. This security token represents something the user has and can verify their login access accordingly.
Switch operators will be able to define the Token Expiration and Token Validation period. The tokens by default will expire within 5 minutes from being generated but this is configurable up to 1 hour. A new token can always be created if you are unable to login within this time period but it will invalidate older tokens. The validation period reflects how long a user can go for without verifying their user profile. The validation period is set to 90 days by default and needs to be within 1 day to one year. Both of these parameters can be set in the System Configuration table.
These emails can be localized on the users specific language and are saved in ./templates/{language_code}/mfa_verification_token.txt.
Method 2: Google Authenticator
Google offers a good 2 factor authentication model that we particularly like. Users will have to download the Google Authenticator app from the App Store or Google Play store. Its a common app and you should find it with relative ease. When a Web user tries to login for the first time they will be asked to scan a QR code in the Google Authenticator app. From there the user will need to enter in a code presented in the app for the Softswitch. This code is regularly changed according to the current time. The code (a 6 digit number) is valid within less then a minute, this users will have to enter it in time to prove they have the necessary credentials to enter into the site. This check is done every time user performs login going forward and we strongly suggest this feature be enabled for all regular web users.
Sippy Software Inc. does recommend using Google Authenticator but we should point out one important thing about using Google Authenticator. This service relies on the fact that user will always have access to the device with installed Google Authenticator app that was used to setup the MFA. If for some (unfortunate) reason you lose or damage your device you will need to start working on some recovery methods to try and regain access to the application. Our Support team will only be able to assist those who have active support agreements and not the individual web user accounts created at this time. Please refer to the following link to troubleshoot your scenario further: https://support.google.com/accounts/answer/185834?hl=en
How to enable MFA, Email Verification and Google Authenticator
MFA is enabled through the System Parameters or new menu called Security Settings that could be accessed in Environment's advanced parameters. There is a dropdown list with E-Mail Token, and Google Authenticator:
Once MFA is configured, system would display the warning about enabling MFA, though changes would be applied only after press of Save button.
The E-Mail Token MFA system stores IP address and User Agent information as well. The Softswitch will be able to identify cases where login may happen with an unfamiliar IP address and User agents though when using google authenticator this data is not needed as MFA check is triggered at every login (another reason why it's a better security tool).