...
The SMS Authentication plugin exists in two variants: dk.itp.security.authentication.googleauth.GoogleAuthAuthenticationPlugin, which contains the logic for registering secrets and generating QR codes containing them, and a concrete implementation called dk.itp.portalprotect.useradmin.server.GoogleAuthUAAuthenticationPlugin, which retrieves data from the Ceptor User Administration Server.
Configuration
The following configuration options exist for dk.itp.security.authentication.googleauth.GoogleAuthAuthenticationPlugin, which handles the secret generation and TOTP code verification.
| Property | Value | Description |
|---|---|---|
| totp.hashalgorithm | SHA1, SHA256 or SHA512. Default: SHA1 | Specify the HMAC algorithm to be used for verifying codes. Note that some authenticators (including Google Authenticator) only support SHA1, so choose this with care. Also note that even though SHA1 might be vulnerable, HmacSHA1 is not. |
| totp.issuer | Issuer name | Name of the issuer, which is added to the QR code and displayed by the authenticator app. |
| totp.period | Time period in seconds. Default: 30 | Specify the time period between generating new codes. Whether a value other than the default works depends on the individual authenticator app that is used; Google Authenticator only supports 30 seconds. |
| totp.digits | Digits in code. Default: 6 | Number of digits in the code that the authenticator app should show. Note that Google Authenticator only supports 6-digit codes, so use with care. |
| totp.windowsize | Integer. Default: 3 | Number of time periods to allow before or after the current time. Setting this to 3 with a period of 30 seconds allows for a clock skew between the authenticator device and the server of 90 seconds before or after the current time. Usually 3 is a sensible value. |
| totp.secretsize | Integer. Default: 20 | Size of the generated shared key. Older versions of Google Authenticator seem to only support 10 characters / 80 bits; a more secure value is 20 characters, which is 160 bits. Must be a multiple of 5 to work properly with Base32 encoding. You should in general use 20 and only revert to 10 for compatibility reasons. |
When using the version of the Google authentication plugin that uses the useradmin database, dk.itp.portalprotect.useradmin.server.GoogleAuthUAAuthenticationPlugin, the following configuration properties exist in addition to the ones above:
| Property | Value | Description |
|---|---|---|
| useradminservers | `<url>` Default: localhost:15000 | URL to the useradmin server. |
| ua_userid | `<userid>` | Userid to use when authenticating to the useradmin server. |
| ua_password | `<password>` | Password to use when authenticating to the useradmin server. |
| useridpassword.autounlockminutes | `<value in minutes>` Default: 0 | If nonzero, and the user was automatically locked due to too many failed password attempts, the user is automatically unlocked after the specified number of minutes. |
| useridpassword.maximuminvalidpasswordattempts | `<number>` Default: 0 | If nonzero, and the number of invalid login attempts reaches this limit, the user is automatically locked. |
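The two lockout properties are easy to misread in combination, so here is an added example (not Ceptor's code, and not a description of the plugin's internals) that models their semantics as the table states them: a value of 0 disables the respective behaviour, a user is locked when the invalid-attempt count reaches the maximum, and a locked user is released only once the auto-unlock period has elapsed. The class and function names (`LockoutPolicy`, `UserState`, `is_locked`, `record_attempt`) and the in-memory state are this example's assumptions; in the real plugin the counters live in the useradmin database.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    # Mirrors useridpassword.maximuminvalidpasswordattempts; 0 means never lock automatically.
    max_invalid_attempts: int = 0
    # Mirrors useridpassword.autounlockminutes; 0 means stay locked until an administrator unlocks.
    auto_unlock_minutes: int = 0


@dataclass
class UserState:
    invalid_attempts: int = 0
    locked_at: Optional[float] = None  # epoch seconds of the automatic lock, or None


def is_locked(state: UserState, policy: LockoutPolicy, now: float) -> bool:
    """Report whether the user is locked at time `now`, applying auto-unlock if it is due."""
    if state.locked_at is None:
        return False
    if policy.auto_unlock_minutes > 0 and now - state.locked_at >= policy.auto_unlock_minutes * 60:
        # Auto-unlock: clear the lock and start the failure count afresh.
        state.locked_at = None
        state.invalid_attempts = 0
        return False
    return True


def record_attempt(state: UserState, policy: LockoutPolicy, credentials_ok: bool, now: float) -> bool:
    """Apply one login attempt; return True only if the user is unlocked and the credentials were valid.

    A correct password presented while locked is still rejected, so an attacker cannot
    tell a lockout from a wrong guess, and the lock is not extended by further attempts.
    """
    if is_locked(state, policy, now):
        return False
    if credentials_ok:
        state.invalid_attempts = 0
        return True
    state.invalid_attempts += 1
    if policy.max_invalid_attempts > 0 and state.invalid_attempts >= policy.max_invalid_attempts:
        state.locked_at = now
    return False
```

With `max_invalid_attempts=3, auto_unlock_minutes=15`, the third consecutive failure locks the account, a correct password one minute later is still refused, and the first attempt at or after the 15-minute mark is evaluated normally again. With both values left at their default of 0, no automatic locking happens at all, which is worth checking before relying on the plugin for brute-force protection.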
...