Secure remote access and web applications with two-factor authentication
Ticket Control
Mydigipass.com – The Cloud Factor
Administrators always appreciate the ability to harden, say, the administrator login to web applications, blogs, or content management systems by means of a two-factor authentication solution. Mydigipass.com cloud authentication by Vasco is ideal for this (Figure 5). One advantage of this solution is that the administrator does not need to install and operate any back-end software, because Vasco provides it in the cloud (see also the "OAuth API" box).
OAuth API
Mydigipass.com provides a standardized interface in the form of the OAuth 2.0 API [20] that supports authenticated access to web applications. The OAuth protocol is commonly used in applications where you can log in to a service with the login credentials of another service (e.g., with a Windows LiveID or a Google or Facebook account).
For the implementation of OAuth in your own web applications, Vasco provides extensive online documentation, a "sandbox," and an online demo token [21] on its Developer Portal [22] (Figure 6). To access the Developer Portal, you first need to register with Mydigipass.com. With the access credentials you are given, you can log in to the developer portal. Besides detailed price information and the documentation, the developer portal also contains images, videos, and data sheets for user information that you can download as zipped User Activation Kits.
The front end is a software OTP token for iOS, Android, or BlackBerry smartphones; alternatively, client software with Java support is available for mobile phones. Furthermore, you can integrate hardware tokens, which Vasco distributes to people at IT fairs.
As the first step, users must register [23] and install the free software token via the respective app stores. The Java client software is transferred to your mobile via a URL download link. For smaller community sites with one URL, up to 100 users, and 1,000 authentication transactions per year, Mydigipass.com's "Starter Edition" is completely free of charge. Larger packages start from US$ 3,000 (EUR 2,000) per year, but include 500 users and 10,000 authentication operations (Premium), or 10,000 users and 250,000 authentication operations (Executive) per year.
Hardening Drupal with Mydigipass
The Mydigipass module can also be used to harden the popular Drupal CMS by adding the Mydigipass login API (Figure 7). The following guide explains the installation and configuration based on Drupal 6.27. The main requirement is that the web server can reach the Mydigipass.com web service with an outbound HTTPS connection. If the web server resides behind a firewall, you need to allow outbound connections from the web server to the mydigipass.com domain on port 443/TCP.
In our lab, the plugin only worked correctly with "Clean URLs" enabled in Drupal. The Clean URLs feature creates legible URLs without special characters. The Drupal admin can enable them by clicking Administer | Clean URLs | Enabled. Because the web server must also support this feature, the administrator must enable the rewrite module on the Apache web server.
To begin, download the tarball with the plugin [24] and unpack it in the sites/all/modules/mydigipass directory of your Drupal installation (e.g., /var/www/drupal/sites/all/modules/mydigipass). Next, register for a developer account at https://developer.mydigipass.com, then log in and go to the Sandbox section. From there, click Connect a test site and type an identifier and a display name for your site; they can be identical. As the Redirect uri, enter http://<Your-Domain>/mydigipass/callback. After creating your site, your client_id and client_secret are displayed on the portal site. Enter these values in the appropriate fields of the Mydigipass module in Drupal (Administer | MYDIGIPASS.COM). Press the radio button for Sandbox | developer in Environment and enable Mydigipass.com integration.
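To show what the Redirect uri, client_id, and client_secret from the sandbox registration are used for, here is an added example of the OAuth 2.0 authorization-code exchange behind a /mydigipass/callback endpoint. It is not the Vasco plugin's code; the endpoint URLs are placeholders, the example.org redirect URI and the injected `post` function are assumptions, and the single-use `state` check is the standard OAuth 2.0 protection against forged callbacks.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders: the real Mydigipass.com endpoints are documented on the Developer Portal.
AUTHORIZE_URL = "https://AUTH-SERVER-PLACEHOLDER/oauth/authorize"
TOKEN_URL = "https://AUTH-SERVER-PLACEHOLDER/oauth/token"
# Assumed site; must match the Redirect uri registered for the test site exactly.
REDIRECT_URI = "http://www.example.org/mydigipass/callback"


def build_authorize_url(client_id: str, session: dict) -> str:
    """Step 1: redirect the browser to the authorization server.
    A fresh, unguessable `state` is kept in the server-side session so the
    callback can be tied to this login attempt (OAuth 2.0 CSRF defence)."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": REDIRECT_URI, "state": session["oauth_state"]}
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(callback_url: str, session: dict) -> str:
    """Step 2: the browser returns to /mydigipass/callback?code=...&state=...
    Accept the code only if the path is the registered callback and the state
    matches the one issued for this session; the stored state is single-use."""
    parsed = urlparse(callback_url)
    if parsed.path != urlparse(REDIRECT_URI).path:
        raise ValueError("callback arrived on an unexpected path")
    query = parse_qs(parsed.query)
    expected = session.pop("oauth_state", None)
    received = query.get("state", [""])[0]
    if not expected or not secrets.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: forged or replayed callback")
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def exchange_code(code: str, client_id: str, client_secret: str, post) -> str:
    """Step 3: server-to-server exchange of the code for an access token.
    client_secret travels only in this back-channel POST, never via the browser.
    `post(url, form_dict) -> dict` is injected so the example runs offline."""
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI,
            "client_id": client_id, "client_secret": client_secret}
    response = post(TOKEN_URL, form)
    if "access_token" not in response:
        raise ValueError("token endpoint did not return an access token")
    return response["access_token"]
```

A mismatched or reused state, or a callback on any path other than the registered one, is rejected before the code is ever sent to the token endpoint.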
Mixed-Mode Testing
For your first tests, you will want to enable Mixed mode to be on the safe side. Then, you can continue to log in to your Drupal installation with your username and password if something goes awry with your Mydigipass.com integration attempt. In the course of the module configuration, you can customize the various button styles for the login button and create data fields for your user accounts, if desired.
Finally, you must connect your Drupal user account with the user registered at Mydigipass. To do so, select My Account | Edit in Drupal and press the Connect with MYDIGIPASS.COM button. If everything works out, Drupal reports The user has been successfully linked to MYDIGIPASS.COM, and you can log in to Drupal via Mydigipass. Before you can log in to Drupal via Mydigipass for the first time, however, you must first log out of the developer portal and Drupal and close the browser to clear the session cookies. See also the "Mydigipass Reservations" box.
Mydigipass Reservations
On GitHub [25], Vasco provides some plugins for popular blog and content management systems, including WordPress, Drupal, and Magento, as free downloads. Unfortunately, none of the plugins are up to date with the respective web applications. For example, the WordPress plugin is only compatible up to version 3.3.2 – although the current WordPress version is 3.5.1. Seeing that WordPress admins are always forced to update their applications because of a continued spate of new vulnerabilities, the use of the WordPress plugin is not currently recommended. Vasco needs to take action here urgently and ensure that the plugins match the latest versions. More plugins for other popular systems like Joomla and Typo3 would be desirable as well.