How to enable two-step validation for WEB applications in Java

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article introduces how to enable two-step verification for web applications in Java. The editor walks through the procedure with a real example; the method is simple, fast and practical, and I hope this article helps you solve the problem.

Supporting two-factor authentication (2FA) is almost always a good idea, especially for back-office systems. 2FA comes in many forms, including SMS, TOTP and even hardware tokens.

Enabling any of them follows a similar process:

Users go to their profile page (skip this step if you want to force 2FA at registration)

Click enable two-factor authentication

Enter the data needed for the specific 2FA method (phone number, TOTP verification code, etc.)

The next time the user logs in, the login form asks for the second factor (the verification code) in addition to the user name and password, and sends it along with the credentials

I'll focus on Google Authenticator, which uses TOTP (time-based one-time passwords) to generate a series of verification codes. The idea is that the server and the client application share a secret key. From the key and the current time, both compute the same code. Of course, the two clocks are never perfectly synchronized, so the server accepts codes from a small window of adjacent time steps. Note that if you don't trust Google's application, you can use the same library shown below to implement your own client application.
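To make the "same key plus current time gives the same code" idea and the acceptance window concrete, here is an added example of the underlying TOTP computation (RFC 6238 with HMAC-SHA1, 30-second steps and 6 digits, which is what Google Authenticator uses). It is not code from this article or from the GoogleAuth library; it uses only the JDK. The Base32 secret is the RFC 6238 test key "12345678901234567890", so the generated codes can be compared against the RFC's published vectors.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;

// Added example, not code from the article or the GoogleAuth library: RFC 6238 TOTP
// (HMAC-SHA1, 30-second time steps, 6 digits) plus the server-side acceptance window.
public class TotpExample {
    static final int DIGITS = 6;
    static final long STEP_SECONDS = 30;
    static final String BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

    // Authenticator apps import the shared secret as Base32 (RFC 4648), so decode it first.
    static byte[] base32Decode(String encoded) {
        String s = encoded.toUpperCase().replace("=", "").replace(" ", "");
        ByteBuffer out = ByteBuffer.allocate(s.length() * 5 / 8);
        int buffer = 0, bits = 0;
        for (char c : s.toCharArray()) {
            int v = BASE32.indexOf(c);
            if (v < 0) throw new IllegalArgumentException("not a Base32 character: " + c);
            buffer = (buffer << 5) | v;
            bits += 5;
            if (bits >= 8) {
                bits -= 8;
                out.put((byte) (buffer >> bits));
                buffer &= (1 << bits) - 1;   // keep only the leftover low bits
            }
        }
        return out.array();
    }

    // HOTP (RFC 4226): dynamic truncation of HMAC-SHA1(secret, counter), reduced to DIGITS digits.
    static int hotp(byte[] secret, long counter) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(secret, "HmacSHA1"));
        byte[] hash = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array()); // big-endian counter
        int offset = hash[hash.length - 1] & 0x0F;
        int binary = ((hash[offset] & 0x7F) << 24)
                   | ((hash[offset + 1] & 0xFF) << 16)
                   | ((hash[offset + 2] & 0xFF) << 8)
                   |  (hash[offset + 3] & 0xFF);
        return binary % (int) Math.pow(10, DIGITS);
    }

    // TOTP (RFC 6238): the counter is the number of 30-second steps since the Unix epoch.
    static int totp(byte[] secret, long unixSeconds) throws GeneralSecurityException {
        return hotp(secret, unixSeconds / STEP_SECONDS);
    }

    // Zero-pad for display; "081804" must not be shown as "81804".
    static String format(int code) {
        return String.format("%0" + DIGITS + "d", code);
    }

    // Server-side check: accept the code for the current step and up to `window` steps on either
    // side. window = 1 tolerates roughly +/-30 s of clock drift; every extra step also widens the
    // set of codes an attacker could guess, so keep the window small.
    static boolean verify(byte[] secret, int code, long unixSeconds, int window) throws GeneralSecurityException {
        long step = unixSeconds / STEP_SECONDS;
        boolean ok = false;
        for (long delta = -window; delta <= window; delta++) {
            ok |= hotp(secret, step + delta) == code;   // no early exit: same work whichever step matches
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // RFC 6238 test key "12345678901234567890" in Base32, as an authenticator app would receive it.
        byte[] secret = base32Decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ");

        // The client and the server both derive the code from the secret and the time.
        System.out.println("code at t=59:         " + format(totp(secret, 59)));
        System.out.println("code at t=1111111109: " + format(totp(secret, 1111111109L)));

        // Acceptance window: a code from step 1 (t=59) checked at later times.
        int code = totp(secret, 59);
        System.out.println("same step, window 1:      " + verify(secret, code, 59, 1));
        System.out.println("one step later, window 1: " + verify(secret, code, 89, 1));
        System.out.println("two steps later, window 1: " + verify(secret, code, 119, 1));
        System.out.println("two steps later, window 2: " + verify(secret, code, 119, 2));
    }
}
```

RFC 6238 lists 94287082 for this key at T=59 and 07081804 at T=1111111109 (8 digits); the 6-digit codes are the last six digits of those values, which is what the program computes. The last four lines show the window behaviour the article describes: a code from one step is still accepted one step later with window 1, but not two steps later unless the window is widened. The GoogleAuth library's authorize() does the same kind of windowed check internally.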

How do I implement it using Java (on the server)? Use the GoogleAuth library. The process is as follows:

Users go to their profile page

Click enable two-factor authentication

The server generates a key, stores it as part of the user profile, and returns the URL of the QR code. Note that it is best to encrypt the secret at rest, so that a database leak does not expose it directly.

Users use their Google Authenticator application to scan the QR code to create a new profile in the application

The user enters the verification code displayed by the application in the field that appears with the QR code, and then clicks OK

The server marks 2FA as enabled in the user profile

Alternatively, you can give users some "temporary code" that they can write down in case they lose their application or secrets.

If the user does not scan the code or confirm the process, the user profile will contain only an orphaned key and will not be marked as enabled

There should be an option to disable 2FA later from their user profile page
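The step above that stores the generated key recommends encrypting it with a key kept outside the database. Here is an added example of one way to do that (not the article's code): AES-GCM with a key-encryption key supplied from the environment, with the user id bound in as associated data so that a ciphertext copied into another user's row fails to decrypt. The class and method names are my own.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

// Added example (not the article's code): encrypt the stored TOTP secret with a key that
// lives outside the database (environment variable, KMS or HSM), so a DB leak alone does
// not hand the attacker working second factors.
public class TotpSecretVault {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private final SecretKey kek;
    private final SecureRandom random = new SecureRandom();

    TotpSecretVault(byte[] keyEncryptionKey) {
        this.kek = new SecretKeySpec(keyEncryptionKey, "AES");
    }

    // Returns Base64(iv || ciphertext || tag) for storage in the user's row.
    // The user id is bound as associated data: swapping ciphertexts between rows fails to open.
    String seal(String userId, String totpSecret) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);                  // fresh random nonce per encryption
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, kek, new GCMParameterSpec(TAG_BITS, iv));
        cipher.updateAAD(userId.getBytes(StandardCharsets.UTF_8));
        byte[] ct = cipher.doFinal(totpSecret.getBytes(StandardCharsets.US_ASCII));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    // Reverse of seal(); throws AEADBadTagException if the data, the tag or the user id was altered.
    String open(String userId, String sealed) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(sealed);
        byte[] iv = Arrays.copyOfRange(in, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(in, IV_BYTES, in.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, kek, new GCMParameterSpec(TAG_BITS, iv));
        cipher.updateAAD(userId.getBytes(StandardCharsets.UTF_8));
        return new String(cipher.doFinal(ct), StandardCharsets.US_ASCII);
    }

    public static void main(String[] args) throws Exception {
        // Constructed 256-bit key for the demo; in production load it from outside the DB.
        byte[] kek = new byte[32];
        new SecureRandom().nextBytes(kek);
        TotpSecretVault vault = new TotpSecretVault(kek);

        String secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";   // constructed sample Base32 secret
        String stored = vault.seal("user-42", secret);          // what goes into user.twoFactorAuthKey
        System.out.println("stored value: " + stored);
        System.out.println("round trip matches: " + secret.equals(vault.open("user-42", stored)));

        try {
            vault.open("user-99", stored);                      // same ciphertext, different user
        } catch (AEADBadTagException e) {
            System.out.println("rejected when opened for another user id");
        }
    }
}
```

With this in place, initTwoFactorAuth() would store vault.seal(userId, key) instead of the raw key, and confirmTwoFactorAuth() would decrypt it just before calling authorize(). Rotating the key-encryption key means re-sealing every row, so keep a key version alongside the stored value if you expect to rotate.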

From a theoretical point of view, the most important point here is the sharing of the key. The scheme is symmetric, so both parties (the authenticator application and the server) hold the same key, and it is shared through the QR code that the user scans. If an attacker controls the user's machine at that moment, the secret may be disclosed, and the attacker can then abuse 2FA as well. But this is outside the threat model; in other words, if the attacker can access the user's machine, the damage has already been done.

Note: you may see this process called 2-step verification or 2-factor authentication. The "factors" are "what you know", "what you have" and "what you are". You can think of TOTP as another thing you know, but you can also think of a phone with a securely stored key as something you have. I'm not insisting on either term in this particular case.

After logging in, the process is as follows:

The user enters the user name and password and clicks "Log in"

The page uses an AJAX request to ask the server if 2FA is enabled for this email

If 2FA is not enabled, just submit the user name and password form

If 2FA is enabled, the login form is not submitted; instead an additional field is displayed for the user to enter the verification code from the authenticator application

After the user enters the code and presses log in, the form is submitted. This can use the same login button, a separate verify button, or a completely new screen containing only the code input and button (with the username/password fields hidden).

The server then checks again whether the user has 2FA enabled, and if so, verifies the code. If it matches, the login succeeds. If not, the login fails and the user can re-enter the credentials and the code. Note that you can respond differently depending on whether the user name/password is wrong or the code is wrong. You can also attempt the login before displaying the code input at all. This approach is arguably better, because it doesn't reveal to a potential attacker whether a given user has 2FA enabled.
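The "try the login before displaying the code input" variant is the one I would pick, so here is an added example of that decision logic (not the article's code). It uses the GoogleAuth library the article uses and Spring Security's BCrypt encoder; the User fields mirror the article's entity but the class itself, the in-memory user map and the Outcome values are my own. The password is verified first, so only a caller who already knows the password learns that the account has 2FA, and a wrong code is reported with the same generic outcome as a wrong password.

```java
import com.warrenstrange.googleauth.GoogleAuthenticator;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import java.util.HashMap;
import java.util.Map;

// Added example (not the article's code): login decision with the password checked BEFORE
// the second factor is consulted, so an unauthenticated caller cannot learn whether 2FA is on.
public class TwoStepLogin {
    enum Outcome { OK, BAD_CREDENTIALS, SECOND_FACTOR_REQUIRED }

    // Stand-in for the article's User entity (field names assumed from its getters/setters).
    static class User {
        final String passwordHash;
        final String twoFactorAuthKey;
        final boolean twoFactorAuthEnabled;
        User(String passwordHash, String twoFactorAuthKey, boolean twoFactorAuthEnabled) {
            this.passwordHash = passwordHash;
            this.twoFactorAuthKey = twoFactorAuthKey;
            this.twoFactorAuthEnabled = twoFactorAuthEnabled;
        }
    }

    private final BCryptPasswordEncoder encoder = new BCryptPasswordEncoder();
    private final GoogleAuthenticator googleAuthenticator = new GoogleAuthenticator();
    // Hash of a throwaway password: unknown e-mails then cost the same bcrypt work as known ones.
    private final String dummyHash = encoder.encode("not-a-real-password");
    private final Map<String, User> users = new HashMap<>();   // stand-in for userService/dao

    // code == null means the form has not shown the code field yet (first submit).
    Outcome login(String email, String password, Integer code) {
        User user = users.get(email);
        boolean passwordOk = encoder.matches(password, user != null ? user.passwordHash : dummyHash);
        if (user == null || !passwordOk) {
            return Outcome.BAD_CREDENTIALS;
        }
        if (!user.twoFactorAuthEnabled) {
            return Outcome.OK;                        // no second step for this account
        }
        if (code == null) {
            return Outcome.SECOND_FACTOR_REQUIRED;    // tells the page to show the code input
        }
        // A wrong code gets the same outcome as a wrong password; nothing about the
        // account's 2FA state leaks to someone who did not already pass the password check.
        return googleAuthenticator.authorize(user.twoFactorAuthKey, code)
                ? Outcome.OK : Outcome.BAD_CREDENTIALS;
    }

    public static void main(String[] args) {
        TwoStepLogin login = new TwoStepLogin();
        GoogleAuthenticator ga = new GoogleAuthenticator();

        // Constructed test accounts: alice has 2FA enabled, bob does not.
        String aliceSecret = ga.createCredentials().getKey();
        login.users.put("alice@example.com", new User(login.encoder.encode("correct horse"), aliceSecret, true));
        login.users.put("bob@example.com",   new User(login.encoder.encode("battery staple"), null, false));

        System.out.println("bob, right password, no code:    " + login.login("bob@example.com", "battery staple", null));
        System.out.println("alice, wrong password:           " + login.login("alice@example.com", "wrong", null));
        System.out.println("alice, right password, no code:  " + login.login("alice@example.com", "correct horse", null));
        int current = ga.getTotpPassword(aliceSecret);   // the code alice's app would show right now
        System.out.println("alice, right password + code:    " + login.login("alice@example.com", "correct horse", current));
        System.out.println("alice, right password, bad code: " + login.login("alice@example.com", "correct horse", (current + 1) % 1000000));
        System.out.println("unknown user:                    " + login.login("nobody@example.com", "anything", null));
    }
}
```

In this variant the separate /requires2fa endpoint from the article becomes unnecessary: the first submit of user name and password either logs the user in, fails, or answers SECOND_FACTOR_REQUIRED, and only then does the page reveal the code field. The article's point about responding differently to a wrong password versus a wrong code is a deliberate choice; here both map to BAD_CREDENTIALS so that the response shape is identical either way.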

Although I'm talking about a user name and password, it can be applied to any other authentication method. After obtaining a successful confirmation from the OAuth/OpenID Connect/SAML provider, or after obtaining a token from SecureLogin, you can request a second factor (code).

In code, the above process looks as follows (using Spring MVC; I merged the controller and service layers for brevity). You can replace the @AuthenticationPrincipal part with however you provide the details of the currently logged-in user to the controller. Assume the methods live in a controller mapped to "/user/":

import com.warrenstrange.googleauth.GoogleAuthenticator;
import com.warrenstrange.googleauth.GoogleAuthenticatorKey;
import com.warrenstrange.googleauth.GoogleAuthenticatorQRGenerator;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.web.bind.annotation.*;

// Assumed controller fields: googleAuthenticator (a GoogleAuthenticator instance), dao,
// userService, and the GOOGLE_AUTH_ISSUER constant shown as the issuer in the authenticator app.

@RequestMapping(value = "/init2fa", method = RequestMethod.POST)
@ResponseBody
public String initTwoFactorAuth(@AuthenticationPrincipal LoginAuthenticationToken token) {
    User user = getLoggedInUser(token);
    GoogleAuthenticatorKey googleAuthenticatorKey = googleAuthenticator.createCredentials();
    // note - preferably encrypt it with an externally stored (or even HSM) key
    user.setTwoFactorAuthKey(googleAuthenticatorKey.getKey());
    dao.update(user);
    // the account name embedded in the QR code; user.getEmail() is assumed here
    return GoogleAuthenticatorQRGenerator.getOtpAuthURL(GOOGLE_AUTH_ISSUER, user.getEmail(), googleAuthenticatorKey);
}

@RequestMapping(value = "/confirm2fa", method = RequestMethod.POST)
@ResponseBody
public boolean confirmTwoFactorAuth(@AuthenticationPrincipal LoginAuthenticationToken token,
                                    @RequestParam("code") int code) {
    User user = getLoggedInUser(token);
    // authorize() checks the code against the current time step and a small window around it
    boolean result = googleAuthenticator.authorize(user.getTwoFactorAuthKey(), code);
    user.setTwoFactorAuthEnabled(result);
    dao.update(user);
    return result;
}

// State-changing endpoint; POST (with CSRF protection) is preferable to GET here
@RequestMapping(value = "/disable2fa", method = RequestMethod.GET)
@ResponseBody
public void disableTwoFactorAuth(@AuthenticationPrincipal LoginAuthenticationToken token) {
    User user = getLoggedInUser(token);
    user.setTwoFactorAuthKey(null);
    user.setTwoFactorAuthEnabled(false);
    dao.update(user);
}

@RequestMapping(value = "/requires2fa", method = RequestMethod.POST)
@ResponseBody
public boolean login(@RequestParam("email") String email) {
    // TODO consider verifying the password here in order not to reveal that a given user uses 2FA
    return userService.getUserDetailsByEmail(email).isTwoFactorAuthEnabled();
}

The QR code is generated by a Google service, which technically also hands the key to Google. I doubt they store it beyond generating the QR image, but if you don't trust them you can generate the QR code yourself; that shouldn't be hard.

On the client side, it's a simple AJAX request to the above methods. (side note: I kind of think the word AJAX is out of fashion, but I don't know how to call them. Asynchronous? Background? Javascript? ).

$("#two-fa-init").click(function() {
    $.post("/user/init2fa", function(qrImage) {
        $("#two-fa-verification").show();
        $("#two-fa-qr").prepend($('<img>', {id: 'qr', src: qrImage}));
        $("#two-fa-init").hide();
    });
});

$("#two-fa-confirm").click(function() {
    // strip the spaces authenticator apps show between digit groups
    var verificationCode = $("#verificationCode").val().replace(/ /g, "");
    $.post("/user/confirm2fa?code=" + verificationCode, function(result) {
        if (!result) {
            // the server returns false when the code did not match; let the user try again
            $("#two-fa-message").html("Wrong code, please try again");
            return;
        }
        $("#two-fa-verification").hide();
        $("#two-fa-qr").hide();
        $.notify("Successfully enabled two-factor authentication", "success"); // notification plugin; replace with your own UI feedback
        $("#two-fa-message").html("Successfully enabled");
    });
});

$("#two-fa-disable").click(function() {
    $.post("/user/disable2fa", function() {
        window.location.reload();
    });
});

The login form code depends largely on the existing login form you are using, but the point is to call /requires2fa with the email (and password) to check whether 2FA is enabled, and then display the verification code input.

Overall, two-factor authentication is simple to implement, and I recommend it for most systems where security matters more than a frictionless user experience.

That's all for "how to enable two-step verification for WEB applications in Java". Thank you for reading.
