Introduction

We're pleased to announce some new changes coming in our Sippy 2020 version. We will be introducing multi-factor authentication methods for our softswitch. This feature will help switch operators ensure that those who have web access are verified before accessing the web interface of the switch. We have added two new methods to ensure your switch is protected - a simple email-based authentication method and Google Authenticator.


What is 2 Factor Authentication (2FA) and Multi-factor Authentication?

2 Factor Authentication is a way to enhance the security of your system. In versions of our software from 5.2 and earlier we require simply a user name and password. In practical terms, access to the web interface relies just on something a user knows (user name and password). With some time and effort, a malicious user might brute force or guess the credentials and so obtain something only the web user should know, gaining access to the system. 2 Factor Authentication extends this concept by adding another factor that the malicious user must try to obtain - making it much harder to gain access to the closed system. In 2 Factor Authentication we still ask for something a user knows, but we will now also ask for something the user has.


Multi-factor authentication relies on two or more of these factors to prove your identity to the switch. New to our Sippy 2020 version will be two methods to ensure users have the right credentials to enter the site.


Method 1: Email Based 2 Factor Authentication.

We will start with the most basic form of 2 factor authentication: an email-based system. All Web users (excluding accounts for the time being) will need to have an email address tied to their user profile. Once an email address is attached, email verification can take place. Users will receive an email from the softswitch with a URL they will need to click on to continue with their typical workflow, or alternatively they can copy the security token into the page presented on the web interface. This security token represents something the user has and verifies their login access accordingly.


Switch operators will be able to define the Token Expiration and Token Validation period. By default, tokens expire 1 hour after being generated, but this is configurable up to 2 days. A new token can always be created if you are unable to log in within this time period, but doing so will invalidate older tokens. The validation period reflects how long a user can go without verifying their user profile. It is set to 90 days by default and must be between 1 day and one year. Both of these parameters can be set in the System Configuration table.
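
The token rules described above (expiration, invalidation of older tokens, and the validation period) can be modelled as follows. This is an added example, not Sippy's code: the class, method and constant names are assumptions, as are storing only a hash of the token and accepting each token once.

```python
import hashlib, hmac, secrets

HOUR, DAY = 3600, 86400
# Limits taken from the text above; the names are assumptions for this example.
MAX_TOKEN_TTL = 2 * DAY
MIN_VALIDATION, MAX_VALIDATION = 1 * DAY, 365 * DAY


class EmailTwoFactor:
    def __init__(self, token_ttl=HOUR, validation_period=90 * DAY):
        if not 0 < token_ttl <= MAX_TOKEN_TTL:
            raise ValueError("token expiration must be at most 2 days")
        if not MIN_VALIDATION <= validation_period <= MAX_VALIDATION:
            raise ValueError("validation period must be 1 day to one year")
        self.token_ttl = token_ttl
        self.validation_period = validation_period
        self._pending = {}   # user -> (SHA-256 of token, expiry time)
        self._verified = {}  # user -> time of last successful verification

    def issue(self, user, now):
        """Create a token to email; replaces (invalidates) any older one."""
        token = secrets.token_urlsafe(32)  # unguessable, URL-safe
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[user] = (digest, now + self.token_ttl)
        return token

    def verify(self, user, token, now):
        """Accept only the newest, unexpired token, and only once."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        digest, expires = entry
        candidate = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison avoids leaking how much of a guess matched.
        if now >= expires or not hmac.compare_digest(digest, candidate):
            return False
        del self._pending[user]  # single use (assumption of this example)
        self._verified[user] = now
        return True

    def needs_verification(self, user, now):
        """True if the user never verified or the validation period lapsed."""
        last = self._verified.get(user)
        return last is None or now - last >= self.validation_period
```

Times are passed in as seconds so the expiry and validation logic can be exercised without waiting; a deployment would pass the current time.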


Method 2: Google Authenticator

Google offers a good 2 factor authentication model that we particularly like. Users will have to download the Google Authenticator app from the App Store or Google Play store. It's a common app and you should find it with relative ease. When a Web user tries to log in for the first time they will be asked to scan a QR code in the Google Authenticator app. From there the user will need to enter a code presented in the app for the softswitch. This code changes regularly according to the current time. Users will have a few minutes to enter the verification code (a 6 digit number) to prove they have the necessary credentials to enter the site. This check is done every time you log in to the softswitch going forward, and we strongly suggest this feature be enabled for all regular web users.


Sippy Software does recommend using Google Authenticator, but we should point out one important limitation. This service relies on the fact that you will always have access to your Google Authenticator. If for some (unfortunate) reason you lose or damage your phone, you will need to start working on some recovery methods to try and regain access to the application. Our Support team will only be able to assist those who have active support agreements and not the individual web user accounts created. Please refer to the following link to troubleshoot your scenario further: https://support.google.com/accounts/answer/185834?hl=en