
More on user validation for two-factor authentication via our API

In the previous post in this series on using the wAuth API, we discussed how you can create a simple application that lets customer service reps, or even 3rd parties in a multi-tenant environment, validate users for two-factor authentication. As with all things tech, there is more than one way to skin that cat. The PC tokens support pre-registration. With pre-registration, a list of usernames and pre-registration codes is uploaded to the server. The pre-registration codes are then delivered to the users in some secure manner. The users enter the WiKID Domain identifier, their PIN and the pre-registration code into the software token, and they are automatically registered. You generate this list of pre-registration codes; we do not have a copy of them at all. Under the Users tab of the WiKIDAdmin webui there is an option to import a text file of users.

Today it is important to be able to automate all the things, so you can also automate this process via our API. There are three functions related to pre-registration. The first allows you to combine our typical registration process with a pre-registration code. Here it is, once again taken from our API demonstration page /opt/WiKID/tomcat/WiKIDAdmin/example.jsp:

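<%
    // wc, res and status are used here without being declared, so they come from earlier in example.jsp.
    if (request.getParameter("action") != null && request.getParameter("action").equalsIgnoreCase("Pre-register")) {
        res = wc.preRegister(request.getParameter("preregcode"), request.getParameter("tokenregcode"), request.getParameter("servercode"));
        // A result of 0 means success; any other value is reported as a failure code.
        if (res == 0) {
            status = "Success";
        } else {
            status = "Failed (" + res + ")";
        }
    }
%>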

The XML looks like:

<transaction>
<type>10</type>
<data>
<token-registration-code>5D4p9Xy3</token-registration-code>
<pre-registration-code>1234567890123456789012345</pre-registration-code>
<domaincode>127000000001</domaincode>
<error-code>null</error-code>
<result>null</result>
</data>
</transaction>

Even after you securely deliver your pre-registration codes to your users, some might have lost theirs. They might need to call the help desk to get a new one. This function will add a new pre-registration code to your WiKID Strong Authentication server, optionally overwriting an existing code:

<%
    if (request.getParameter("action") != null && request.getParameter("action").equalsIgnoreCase("Add Pre-Registration Code")) {
        PreRegistration preRegistration = new PreRegistration(request.getParameter("user"), request.getParameter("preregcode"), request.getParameter("servercode"));
        // The mere presence of the "override" parameter asks the server to overwrite an existing code.
        boolean override = request.getParameter("override") != null;
        PreRegistration pr = wc.addPreRegistration(preRegistration, override);
        if (pr.isSuccessful()) {
            status = "Success";
        } else {
            status = "Failed (" + pr.getMessage() + ")";
        }
    }
%>

You might want to create a number of new pre-registration codes when rolling out two-factor authentication:

<%
    // Batch variant: the demo form submits up to three rows (user0..user2).
    if (request.getParameter("action") != null && request.getParameter("action").equalsIgnoreCase("Add All Pre-Registration Codes")) {
        List<PreRegistration> preRegistrationList = new ArrayList<PreRegistration>();
        for (int i = 0; i < 3; i++) {
            String user = request.getParameter("user" + i);
            String preregcode = request.getParameter("preregcode" + i);
            String servercode = request.getParameter("servercode" + i);
            // Skip rows with a missing or blank field instead of throwing a NullPointerException.
            if (user != null && preregcode != null && servercode != null
                    && user.trim().length() > 0 && preregcode.trim().length() > 0 && servercode.trim().length() > 0) {
                preRegistrationList.add(new PreRegistration(user, preregcode, servercode));
            }
        }
        boolean override = request.getParameter("override") != null;
        // Typed list: a raw List cannot be iterated as PreRegistration in the for-each below.
        List<PreRegistration> prs = wc.addPreRegistrations(preRegistrationList, override);
        StringBuilder sb = new StringBuilder();
        for (PreRegistration pr : prs) {
            if (pr.isSuccessful()) {
                sb.append(pr.getUserID() + ":Success, ");
            } else {
                sb.append(pr.getUserID() + ":Failed (" + pr.getMessage() + "), ");
            }
        }
        status = sb.toString();
    }
%>
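
Since you generate the pre-registration codes yourself, they should come from a cryptographically secure random source and never repeat across users. The class below is an added example, not part of example.jsp or the WiKID code base: the name PreRegCodeGenerator, the 25-digit numeric format (taken from the XML sample above), the sample usernames and the comma-separated output layout are assumptions, and the output is not the WiKIDAdmin import file format.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class PreRegCodeGenerator {
    // Assumption: 25 decimal digits, matching the sample code in the XML above.
    private static final int CODE_LENGTH = 25;
    // SecureRandom, not java.util.Random: the code is a bearer secret until it is used.
    private static final SecureRandom RNG = new SecureRandom();

    /** Returns one numeric code; nextInt(10) is uniform, so there is no modulo bias. */
    static String newCode() {
        StringBuilder sb = new StringBuilder(CODE_LENGTH);
        for (int i = 0; i < CODE_LENGTH; i++) {
            sb.append((char) ('0' + RNG.nextInt(10)));
        }
        return sb.toString();
    }

    /** Maps each username to its own code; rejects blank and duplicate usernames. */
    static Map<String, String> generate(List<String> users) {
        Map<String, String> out = new LinkedHashMap<String, String>();
        Set<String> issued = new HashSet<String>();
        for (String raw : users) {
            String user = raw == null ? "" : raw.trim();
            if (user.isEmpty() || out.containsKey(user)) {
                throw new IllegalArgumentException("blank or duplicate username: '" + user + "'");
            }
            String code;
            do {
                code = newCode();
            } while (!issued.add(code)); // never hand the same code to two users
            out.put(user, code);
        }
        return out;
    }

    public static void main(String[] args) {
        List<String> users = Arrays.asList("alice", "bob", "carol"); // constructed sample users
        String serverCode = "127000000001"; // domain code from the XML sample above
        for (Map.Entry<String, String> e : generate(users).entrySet()) {
            // Each line holds the (user, preregcode, servercode) values passed to PreRegistration.
            System.out.println(e.getKey() + "," + e.getValue() + "," + serverCode);
        }
    }
}
```

Treat the generated list as secret material: write it only where the upload and delivery steps need it, and remove it once the codes have been loaded and delivered.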

Getting tokens into users' hands is one of the key expenses and logistical hassles we attacked with WiKID. Allowing users to self-register their tokens based on existing trusted credentials greatly reduces the cost of two-factor authentication. Just as importantly, it allows the security administrators to manage the process rather than mail out hardware tokens and perform other logistics. As with much of our API, we added the ability to pre-register users based on customer requests. We greatly appreciate any feedback that we can incorporate to improve the WiKID Strong Authentication System.

Up next in this series of posts is user management and reporting.
