Two factor authentication for end users

[Shuchi]

Hi,
I am working on an application where I need two factor authentication for my application's end users. I understand that this functionality is currently not available in Caspio Bridge, but I am thinking of creating a custom API in .Net for authentication using my SQL Server DB instance.
Is there any way possible that I can call this custom API in Caspio while authenticating a user?

[NailDyanC]

Hi,

In Caspio 15.0 you can now use two-factor authentication to enhance the security of your Caspio account by requiring a second level of verification during login. Make sure you enable two-factor authentication and start using your Caspio ID in parallel with the SMS or Google Authenticator codes whenever you access your Caspio account.

For more information, see Enabling two-factor authentication.

You can also refer to this link: https://howto.caspio.com/release-notes/caspio-bridge-15-0/ 

I hope that helps.  

[AnchovyXL]

On 11/22/2018 at 3:25 PM, NailDyanC said:

Hi,

In Caspio 15.0 you can now use two-factor authentication to enhance the security of your Caspio account by requiring a second level of verification during login. Make sure you enable two-factor authentication and start using your Caspio ID in parallel with the SMS or Google Authenticator codes whenever you access your Caspio account.

For more information, see Enabling two-factor authentication.

You can also refer to this link: https://howto.caspio.com/release-notes/caspio-bridge-15-0/ 

I hope that helps.  

This can only be applied to the Caspio Bridge User. If you want two-factor authentication for the end users, I think it is something that is not yet possible. What they have now is two type of authentication for end users. You can have them login using Google, Twitter and OpenID OR your Caspio-built authentication.

https://howto.caspio.com/authentications-and-connections/authentication/

[emarchewka]

I had a similar issue and did a workaround. Albeit, not perfect, it is functional.

I setup an OTP table to capture, email or mobile and then two fields, to auto fill the USERID from members table based on cascading text field in the datapage. There are two more fields, one with a auto gen 8 digit code, and one with a time stamp.

This table has a TA to put the code and time stamp in the members table.

My authentications then look at the email, password, and code from the members table.

I then have 4 tasks that run every hour in 15 min increments. These tasks clear the entries from the OTP table and nulls the code and timestamp in the members table based on the age of the time stamp.

I have a datapage that the user fills out before they sign in to generate their code. They can deliver it via EMAIL or SMS. Then they can sign into the app.

Hope this helps. Again, not perfect but it works.

[cheonsa]

I also had a workaround that I would like to share with you. 

Here are the objects in Caspio Bridge that  you need to perform the said workflow.
* Separate Table to generate the One-time password upon logging in.
* Submission form. (This will be a auto submit form.)
* Standalone Login Screen.
* Details DataPage for submitting the OTP.

Attached is a word document with steps and screenshots.

Hope this helps.

Two Factor Auth - User Level.docx

[vanderLeest]

On 3/29/2020 at 10:06 AM, LittleMsGinger said:

I also had a workaround that I would like to share with you. 

Here are the objects in Caspio Bridge that  you need to perform the said workflow.
* Separate Table to generate the One-time password upon logging in.
* Submission form. (This will be a auto submit form.)
* Standalone Login Screen.
* Details DataPage for submitting the OTP.

Attached is a word document with steps and screenshots.

Hope this helps.

Two Factor Auth - User Level.docx 466.92 kB · 10 downloads

Thanks so much LittleMsGinger,

Three questions:

1. Can you describe the whole process, and how these DataPages each play a roll?

2. What are the DataPages you point to as the value for window.location in the javascripts, for both the Acknowledgement Email  and  Standalone Login Screen?

3. How did you finish the Details Page (at step 6) ? Does direct to the original/intended destination page?

Floris

 

[vanderLeest]

Starting with LittleMsGinger's workaround (and using her validation trick based on virtual fields ), 
Dmytro from the helpdesk and I  came up with the following routine, which also  works for a Direct Deploy URL
(NB. Testing is best done via an incognito window of your browser, and by having a log-out page open.)

Two-Factor Authentication – Two Tables, Two DataPages

-->  An auto-submit Submission DataPage ‘Log_Auto_Form’ for tracking log-in records in the T_Log table. On entering an email and a standard password via a User Authentication, the Log_Auto_Form page emails a One-Time Password (OTP) - in the form of a Random ID created for the T_Log record - to the User, with auto-submit JavaScript (JS) for redirecting to:

--> A Single Record Update DataPage named ‘OTP_Validation’, that is based on the same T_Log table, with L_RecordID as its Unique ID field (and [@L_RecordID] as the Parameter name).

Table T_Log has six fields: L_RecordID and L_OTP as Random IDs - I choose different prefixes for each -, L_User_Email as Text, L_Tm_LogIn and L_Tm_LogOut as Date/Time and L_TimeStamp as a TimeStamp (on Insert).

User Authentication uses (at least) two fields of the T_Users table: U_Email and U_Password.

 

While you create the Submission Log_Auto_Form, tick the box for ‘On Exit, pass ID …’ on the Select Fields screen of the Web Form Wizard.

Select only L_User_Email as a field for the form. On load, receive the U_Email authentication field as the value for this field.

Add an HTML Block to the page - make sure it is always at the bottom of the DataPage Elements.
Copy and Paste the following JS script to auto-submit the form:

<script>

function f_submit() {

document.getElementById("caspioform").submit();

}

document.addEventListener('DataPageReady',f_submit);

</script>

Set ‘Go to a new page’ as the Destination of the Log_Auto_Form, paste the link to the OTP_Validation page in the URL field, and add a connect string with the L_RecordID of the T_Log table, which is the unique ID for the Single Record Update OTP_Validation page, for example  https://nnnnnnnn.caspio.com/dp/….?L_RecordID=[@field:L_RecordID]

In Messaging Options, enable an Acknowledgement Email that will send the One-time Password to the current User (U_Email), for example

“Your One-Time Password (OTP) is [@field:L_OTP].

This OTP is valid for one session and will expire 2 hours from now.”

 

In the OTP Validation page, only select the field L_Tm_Login, and add 3 virtual fields to the Datapage Elements. (The virtual fields are for LittleMsGinger’s validation trick below.)

Set the Form Element of L_Tm_Login to TimeStamp, which will automatically hide the field.
(NB. the time difference between L_Tm_Login and L_TimeStamp in the T_Log table is the time it takes the User to copy the OTP from their email to the page.)

Label Virtual2 as ‘One-Time Password’ and set it to Text Field (You can set the field width to the length of L_OTP, if you wish.)

Make Virtual3 a Calculated Value, set the Formula to 0, and tick Hide Field in the Advanced Options.

Make Virtual1 a Calculated Value, set the Formula to  CASE WHEN '[@cbParamVirtual2]' = '[@field:L_OTP]' THEN 1 ELSE 1/[@cbParamVirtual3] END,  and tick Hide Field in the Advanced Options.

The latter formula will throw an error (Division by 0,  which stops the record from being submitted) if the inserted OTP is not the same as the OTP for the current L_RecordID.

NB. For testing the functionality, do not hide Virtual1 and add L_OTP to the form.

Set ‘Go to a new page’ as the Destination of the OTP_Validation, paste the link to the first page the User needs to interact with in the URL field.

_____________________________________________________________________________

I hope this helps someone out there.

Let me know if you've found bugs or ways to enhance the routine.

 

Floris

[NiceDuck]

I Also want to suggest ths workflow,  I made this one before but I kindof forgot the details. I hope this helps

Email Authentication.docx

[Kazuba]

With a lot of thanks, like a tonne of thanks to both LittleMsGinger and vanderLeest, I simply wish to say that the solution works BUT for me the form (Log_Auto_Form) could re-submit itself many times on every log-in attempt.

Eventually, I discovered a solution from another topic on this Community by Hastur posted Posted June 13, 2019. The link is https://forums.caspio.com/topic/8897-auto-submit-a-form-to-track-user-page-views/

The said solution is:

 

<script type="text/javascript">
document.addEventListener('DataPageReady', function () {
 let submissionForm = document.querySelector('form[action~="your_deploy_url"]');
 submissionForm.style.display = 'none';
 setTimeout(
   function() {
     submissionForm.submit();
   }, 1000);
});
</script>

Mind to set the your_deploy_url accordingly.

Plea: If you discover a better solution please share. I really need a solid two-factor-auth for my app.

Thank you

[ParkLoey]

Hello everyone! Just wanted to inform you that Caspio introduced Directories (BETA) on their recent release. This enables end users to have two-factor authentications. You may check more information about the release here:
https://howto.caspio.com/release-notes/caspio-34-0/caspio-34-0/

[imJihyo]

Heyaa! Dropping Caspio's article all about Directories here as well:

https://howto.caspio.com/directories/directories-overview/directories-overview/

- Jihyo ♥