Purpose
To meet ever growing security requirements, the possibility to use Two-Factor Authentication (2FA) was added to myDatanet. The feature is available as of software version 52v014. This document describes the details of this feature, explaining how to set up, activate and deactivate 2FA.
In myDatanet, TOTP is used as the second factor. TOTP (Time-based One-Time Password) is a widely used open standard. Users need an authenticator app (e.g. “Google Authenticator” or “Ente auth”) to obtain TOTPs.
Limitations
The app “Microsoft Authenticator” is NOT supported because of a technical limitation: it cannot operate with the hash algorithm used (SHA256).
Server Organization
Customer data in myDatanet is organized into compartments so that users only have access to the site and device data they are allowed to see. There are essentially three levels, addressed by different user levels:
Server wide
Provider level
Single user
Tenancies are organized into subgroups; in this document they are called areas to outline the concept.
Protecting areas with 2FA
Every area can individually be set as protected, so that users are forced to set up and use 2FA to access their data.
Every user wanting to access data from within a protected area must have 2FA activated.
This includes administrators from higher tenancies, as 2FA could otherwise be bypassed.
Users who can legitimately access an area but don’t have 2FA enabled yet will be redirected to register 2FA and will regain access once this registration is completed.
Administrators and Provider Administrators can protect an area once they have enabled 2FA for themselves.
Regardless of any protected areas, individual users can opt in to enable 2FA for their account.
Areas that remain without protection will be accessible by users who do not have 2FA enabled.
Recovery
Users can reset their 2FA by using the “forgotten password” procedure, provided the stored e-mail address is still valid and accessible.
There is no way of only resetting the TOTP app registration without resetting the password.
New users
New users who try to access a protected area will be redirected to register 2FA.
Configuration
Enable 2FA for the logged in user
Open the user profile.
Look for “Two-Factor Authentication” and click “Activate”.
Open your authenticator app and scan the QR code. Enter the security code that your authenticator app provides.
If you are not able to scan the QR code, click “Unable to Scan?” and use the secret key shown in the dialog to set up your 2FA authentication.
2FA is now enabled.
Enable 2FA for all users
Log in with an administrative user (User Level 7) who has 2FA enabled.
Go to the server’s configuration.
In the section “Basic Settings” change “Two-Factor Authentication” from “Optional” to “Required”.
Save.
Every user who has not enabled 2FA will be forced to set it up on the next login attempt.
Enable 2FA on provider level
Log in with a user who has 2FA enabled.
Open the tab “customers”.
Edit the customer that should be protected.
In “Basic settings” change “Two-Factor Authentication” from “Optional” to “Required”.
Save.
Now every user who has not enabled 2FA will be prompted to set it up when trying to access this customer.
Additional Information
Microtronics ID
If Microtronics ID is used to log in, the 2FA of Microtronics ID is ignored and the user has to use the 2FA of myDatanet in order to log in.
API
When 2FA is activated for a user, Basic authentication on the API no longer works. The user must create an API token in order to use the API.
One exception is the call to POST /api/1/me/backend-session, which can be used to create a backend session. This route can still be used with Basic authentication, but the TOTP of the 2FA must be added as the third part of the authorization value, like this: "Basic " + base64_encode(username:password:TOTP)
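The following is an added example (not part of this document or of myDatanet) that computes an HMAC-SHA256 TOTP from the secret key shown in the “Unable to Scan?” dialog and builds the Authorization value for POST /api/1/me/backend-session as described above. It assumes the key is Base32, 6 digits and a 30-second time step (the usual authenticator defaults; this document does not state them), and the sample key and credentials are constructed.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(key_b32: str) -> bytes:
    """Decode the secret key from the "Unable to Scan?" dialog.
    Assumes Base32, possibly grouped with spaces and without '=' padding."""
    key = key_b32.replace(" ", "").upper()
    key += "=" * (-len(key) % 8)
    return base64.b32decode(key)


def totp_sha256(secret: bytes, timestamp: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA256 (the hash algorithm myDatanet uses).
    digits and period are assumed defaults, not taken from the document."""
    counter = int(timestamp) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def backend_session_auth(username: str, password: str, totp: str) -> str:
    """Authorization header value for POST /api/1/me/backend-session:
    "Basic " + base64(username:password:TOTP)."""
    raw = f"{username}:{password}:{totp}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Constructed sample key (RFC 6238 test seed, Base32-encoded); replace with
    # the secret key from your own profile.
    SAMPLE_KEY = base64.b32encode(b"12345678901234567890123456789012").decode()
    code = totp_sha256(decode_secret(SAMPLE_KEY), int(time.time()))
    print(backend_session_auth("alice", "s3cret", code))
```

Generate the code immediately before sending the request, because a TOTP is only valid for the current time step.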
Public Reports
No changes for Public reports.
UI
When logging in, right after you have entered your username and password, you will be asked for the security code from your authenticator app:
This is the screen for the initial setup of 2FA: