July 28th, 2021 by Adam Sandman
Security is always a critically important topic, and if you have been following the news recently, it seems there is a different cyber attack every week. Having a well-developed cyber security program is a must, and as part of that, it is important that multiple layers of defense are employed to prevent a potential cyber-attack or data breach. Therefore, we are pleased to announce that we have just upgraded the Inflectra website to support Multi-Factor Authentication (MFA), of which two-factor authentication (2FA) is the most common form, and that similar functionality will be coming very soon to SpiraTest, SpiraTeam, and SpiraPlan.
What is Multi-Factor Authentication?
Multifactor authentication (MFA) is a security technology that requires multiple authentication methods from independent categories of credentials to verify a user's identity for a login or other transaction. Multifactor authentication combines two or more independent credentials: what the user knows, such as a password; what the user has, such as a security token; and what the user is, by using biometric verification methods.
MFA aims to create a layered defense that makes it more difficult for an unauthorized person to access a target, such as a physical location, computing device, network, or database. If one factor is compromised or broken, the attacker still has at least one or more barriers to breach before successfully breaking into the target.
Our Approach to MFA
Our plan at Inflectra is to require two independent factors to authenticate users, which makes it an instance of Two-Factor Authentication (2FA). The factors we are using are as follows:
- Something You Know—A complex, difficult-to-guess password that is not reused across multiple accounts is the authentication we currently use on our website and in our Spira platform.
- Something You Have—We are adding support for Google Authenticator-compatible Time-based One-Time Passwords (TOTP, standardized in RFC 6238). These six-digit codes are not random: each is computed from a secret shared with the server at enrollment and the current time, so the code changes every 30 seconds and is only useful within that short window. The codes can be generated by a hardware token or by a software application running on a device that you own, such as a cellphone. The latter is an example of a "software-based security token application."
Many password managers (for example, 1Password) include Google Authenticator TOTP generation tools as part of their platform. We will refer to this as simply the "authenticator application" in the rest of this article.
Multi-Factor Authentication in Spira
We plan on adding MFA to one of the upcoming releases of SpiraTest, SpiraTeam, and SpiraPlan. We are currently targeting our August 2021 release (v6.11), but it is still in testing as I write, so it might end up in v6.12.
For Spira customers, the option to add MFA will be available for all users using either Spira native authentication (login and password) or LDAP/Active Directory authentication. It will not be available for users using OAuth-based Single-Sign-On (SSO) accounts, as those providers should provide the MFA functionality themselves.
To add MFA to your Spira account, you will need to log into Spira as usual and then click on the 'Add 2-Step Authentication' option on the User Profile page:
Once you have clicked on this link, you will be taken to the screen to configure MFA:
You should scan the QR Code with your authenticator application, which reads the TOTP secret (the generator key) from it and stores that secret inside the application.
To verify that the QR Code was successfully scanned, use the authenticator application to generate a sample 6-digit code, enter it in the box, and click Submit.
Once that has been successfully entered, you will see the legend in your user profile change to look like the following:
You can now log out from Spira. When you next log in, you will be asked for:
- Your Spira login
- Your Spira password
- Your one-time password
If you want to change or remove the MFA information, you can use the 2-Step Authentication Settings link on the User Profile page:
This is useful when, for example, you replace your mobile device with a new one: the new device needs a new TOTP seed, which you generate here. The new seed replaces the old one, so the old device will no longer produce valid codes.
Multi-Factor Authentication on our Website
Our company website has already been upgraded with the new MFA functionality for all users.
To add MFA to your Inflectra customer account, simply log into your customer account as normal and then click on the 'Add 2-Step Authentication' option in the sidebar:
Once you have clicked on this link, you will be taken to the screen to configure MFA:
You should scan the QR Code with your authenticator application, which reads the TOTP secret (the generator key) from it and stores that secret inside the application.
To ensure that the QR Code was successfully scanned, use the authenticator application to generate a sample 6-digit code, enter it in the box, and click Submit.
Once that has been successfully entered, you will see the sidebar in your customer portal change to look like the following:
You can now log out from the Inflectra website. When you next log in, you will be asked for:
- Your Inflectra login
- Your Inflectra password
- Your one-time password
If you want to change or remove the MFA information, you can use the 2-Step Authentication Settings link on the Customer Area Page:
This is useful when, for example, you replace your mobile device with a new one: the new device needs a new TOTP seed, which you generate here. The new seed replaces the old one, so the old device will no longer produce valid codes.