How-to - Two-Factor Authentication (2FA) in myDatanet

Purpose

Given ever-growing security requirements, Two-Factor Authentication (2FA) was added to myDatanet. The feature is available as of software version 52v014. This document describes the details of this feature and explains how to set up, activate and deactivate 2FA.

In myDatanet, TOTP is used as the second factor. TOTP (Time-based One-Time Password) is a widely used open standard. Users need an authenticator app (e.g. “Google Authenticator” or “Ente Auth”) to obtain TOTPs.

Limitations

The app “Microsoft Authenticator” is NOT supported because of a technical limitation: it cannot operate with the hash algorithm used (SHA256).

Server Organization

Customer data in myDatanet is organized into compartments so that users only have access to the site and device data they are entitled to. There are essentially three levels, addressed by different user levels:

  • Server wide

  • Provider level

  • Single user

Tenancies are organized into subgroups; to outline the concept, this document calls them areas.


Protecting areas with 2FA

  • Every area can individually be set as protected, so that users are forced to set up and use 2FA to access its data

  • Every user wanting to access data from within a protected area must have 2FA activated

    • This includes administrators from higher tenancies, as 2FA could otherwise be bypassed

  • Users who can legitimately access an area, but don’t have 2FA enabled yet, will be redirected to register 2FA and will have access again once this registration is completed

  • Administrators and Provider Administrators can protect an area, once they have enabled 2FA for themselves

  • Regardless of any protected areas, individual users can opt in to enable 2FA for their account

  • Areas that remain without protection will be accessible by users that do not have 2FA enabled


Recovery

Users can reset their 2FA by using the “forgotten password” procedure, provided the stored e-mail address is still valid and accessible.

There is no way of only resetting the TOTP app registration without resetting the password.

New users

New users that try to access a protected area will be redirected to register 2FA.


Configuration

Enable 2FA for the logged-in user

  1. Open the user profile

  2. Look for Two-Factor Authentication and click “Activate”

  3. Open your authenticator app and scan the QR code. Use the security code that your Authenticator app provides.
    If you are not able to scan the QR code, click “Unable to Scan?” and use the secret key shown in the dialog to set up your 2FA Authentication.

  4. 2FA is now enabled

Enable 2FA for all users

  1. Log in with an administrative user (User Level 7) who has 2FA enabled

  2. Go to the server’s configuration

  3. In the section “Basic Settings” change “Two-Factor Authentication” from “Optional” to “Required”

  4. Save

  5. Every user who has not enabled 2FA will be forced to set it up on the next login attempt.

Enable 2FA on provider level

  1. Log in with a user who has 2FA enabled

  2. Open the tab “Customers”

  3. Edit the customer that should be protected

  4. In “Basic settings” change “Two-Factor Authentication” from “Optional” to “Required”

  5. Save

  6. Now every user who has not enabled 2FA will be prompted to set it up when trying to access this customer.

Additional Information

Microtronics ID

If Microtronics ID is used to log in, the 2FA of Microtronics ID is ignored and the user has to use the 2FA of myDatanet in order to log in.

API

When 2FA is activated for a user, Basic authentication on the API no longer works for that user. The user must create an API token in order to use the API.

One exception is the call POST /api/1/me/backend-session, which creates a backend session. This route can still be used with Basic authentication, but the TOTP of the 2FA must be appended as the third part of the authorization value, like this: "Basic " + base64_encode(username:password:TOTP)
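The following added example (not code from the myDatanet documentation or product) shows what a client has to do for that one exception: compute an RFC 6238 TOTP with HMAC-SHA256, the hash algorithm named under Limitations, and build the three-part Basic authorization value for POST /api/1/me/backend-session. The 30-second time step and 6-digit code length are standard TOTP defaults assumed here, not values stated on this page; the host name and credentials are constructed placeholders, and no request is sent. A small parser is included so the value can be checked to round-trip, which also shows why the TOTP is split off from the end: a password may itself contain a colon, a user name may not.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def totp(secret: bytes, for_time: Optional[float] = None, period: int = 30,
         digits: int = 6, digestmod=hashlib.sha256) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time step.

    SHA256 matches the hash algorithm the page names; period=30 and
    digits=6 are assumed standard defaults, not taken from the page.
    """
    if for_time is None:
        for_time = time.time()
    counter = int(for_time) // period
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    digest = hmac.new(secret, msg, digestmod).digest()
    offset = digest[-1] & 0x0F                          # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def backend_session_auth_header(username: str, password: str, code: str) -> str:
    """Authorization value for POST /api/1/me/backend-session with 2FA enabled:
    "Basic " + base64(username:password:TOTP), as described on the page."""
    if ":" in username:
        # HTTP Basic auth (RFC 7617) forbids a colon in the user-id; with a
        # three-part value it would also make the split ambiguous.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}:{code}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_backend_session_auth_header(value: str) -> tuple:
    """Inverse of backend_session_auth_header, used here to verify the
    encoding round-trips. The user name is cut at the first colon and the
    TOTP at the last one, so a password containing ':' survives."""
    scheme, _, encoded = value.partition(" ")
    if scheme != "Basic" or not encoded:
        raise ValueError("not a Basic authorization value")
    raw = base64.b64decode(encoded).decode("utf-8")
    username, rest = raw.split(":", 1)
    password, code = rest.rsplit(":", 1)
    return username, password, code


if __name__ == "__main__":
    # Constructed placeholder values; the TOTP secret is the one the
    # authenticator app was enrolled with (shown via “Unable to Scan?”).
    secret = b"12345678901234567890123456789012"
    code = totp(secret)
    header = backend_session_auth_header("alice", "correct:horse", code)
    print("POST https://<myDatanet-server>/api/1/me/backend-session")
    print("Authorization:", header)
    print("decodes to:", parse_backend_session_auth_header(header))
```

The `totp` function reproduces the RFC 6238 reference vectors for HMAC-SHA256 (for example, time step 59 with the 32-byte ASCII seed `12345678901234567890123456789012` yields `46119246` at 8 digits), which is a quick way to confirm a client implementation against the same algorithm the authenticator app uses.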

Public Reports

There are no changes for Public Reports.

UI

When logging in, right after you have entered your username and password, you will be asked for the security code from your Authenticator app:

This is the screen for the initial setup of 2FA: