Coming Soon to Spira - Multi-Factor Authentication (MFA)
July 28th, 2021 by inflectra
Security is always a critically important topic, and if you have been following the news recently it seems there is a different cyber attack every week. Having a well developed cyber security program is a must, and as part of that, it is important that multiple layers of defense are employed to prevent a potential cyber attack or data-breach. Therefore we are pleased to announce that we have just upgraded the Inflectra website to support Multi-Factor Authentication (MFA) also known as 2-Factor Authentication (2FA) and that similar functionality will be coming very soon to SpiraTest, SpiraTeam, and SpiraPlan.
What is Multi-Factor Authentication?
Multifactor authentication (MFA) is a security technology that requires multiple methods of authentication from independent categories of credentials to verify a user's identity for a login or other transaction. Multifactor authentication combines two or more independent credentials: what the user knows, such as a password; what the user has, such as a security token; and what the user is, by using biometric verification methods.
The goal of MFA is to create a layered defense that makes it more difficult for an unauthorized person to access a target, such as a physical location, computing device, network, or database. If one factor is compromised or broken, the attacker still has at least one or more barriers to breach before successfully breaking into the target.
Our Approach to MFA
Our plan at Inflectra is to provide two independent methods for authenticating users, hence it is also an example of Two Factor Authentication (2FA). The methods we are using are as follows:
- Something You Know - A complex, difficult to guess password that is not reused across multiple accounts. This is the authentication we currently have on our website and in our Spira platform.
- Something You Have - we are adding support for Google Authenticator compatible Time-based One Time Passwords (TOTP). These six-digit randomly changing number codes can be generated by a hardware device or a software application running on a device that you own such as a cellphone. This is an example of a "software-based security token application".
Many password managers (for example 1password) include Google Authenticator TOTP generation tools as part of their platform. We will refer this as simply the "authenticator application" in the rest of this article.
Multi-Factor Authentication in Spira
We plan on adding MFA to one of the upcoming releases of SpiraTest, SpiraTeam, and SpiraPlan. We are currently targeting our August 2021 release (v6.11) but it is still in testing as I write, so it might possibly end up in v6.12.
For Spira customers, the option to add MFA will be available for all users using either Spira native authentication (login and password) or LDAP/Active Directory authentication. It will not be available for users using OAuth-based Single-Sign-On (SSO) accounts as those providers should be providing the MFA functionality themselves.
To add MFA to your Spira account, you will simply need to log into Spira as normal and then click on the 'Add 2-Step Authentication' option on the User Profile page:
Once you have clicked on this link, you will be taken to the screen to configure MFA:
You should scan the QR Code with your authenticator application and save the TOTP generator key inside the application.
To very that the QR Code was successfully scanned, use the authenticator application to generate a sample 6-digit code and enter it in the box and click Submit.
Once that has been successfully entered, you will see the legend in your user profile change to look like the following:
You can now log out from Spira. When you next try to log in you will now be asked for:
- Your Spira login
- Your Spira password
- Your one-time password
If you want to change or remove the MFA information, you can use the 2-Step Authentication Settings link on the User Profile page:
This can be useful when you have to replace your mobile device with a new one (for example). That will require you to generate a new TOTP side for this new device.
Multi-Factor Authentication on our Website
Our company website has already been upgraded with the new MFA functionality for all users.
To add MFA to your Inflectra customer account, simply log into your customer account as normal and then click on the 'Add 2-Step Authentication' option in the sidebar:
Once you have clicked on this link, you will be taken to the screen to configure MFA:
You should scan the QR Code with your authenticator application and save the TOTP generator key inside the application.
To very that the QR Code was successfully scanned, use the authenticator application to generate a sample 6-digit code and enter it in the box and click Submit.
Once that has been successfully entered, you will see the sidebar in your customer portal change to look like the following:
You can now log out from the Inflectra website. When you log in you will now be asked for:
- Your Inflectra login
- Your Inflectra password
- Your one-time password
If you want to change or remove the MFA information, you can use the 2-Step Authentication Settings link on the Customer Area Page:
This can be useful when you have to replace your mobile device with a new one (for example). That will require you to generate a new TOTP side for this new device.
roadmap spotlight security multi-factor authentication two-factor-authentication MFA 2FA
SpiraTest
SpiraTeam
SpiraPlan
RemoteLaunch
Rapise
KronoDesk
TaraVault
SpiraCapture
Cloud Services