Multifactor Authentication

Is it possible to use Multifactor Authentication in Triggre?

Hi Roland,
The native login procedure of Triggre does not support that yet, though I believe it is on their roadmap (@Jesse am I correct?).
It should be possible to implement SSO with a connection to AAD, then the Microsoft MFA will take care of this. I have never implemented this yet myself, but I do know you will need the people of Triggre to help you with it.
Also, I have built an MFA-like process for a client, that works well in practice and provides a similar level of security. This requires some explanation, so let me know if you are interested and I’ll be happy to share it with you.

1 Like

I am interested, please send me some screenprints.

Hi @roland.huijser and @sylvester,

Indeed, natively we do not yet support two-factor authentication, other than through Microsoft’s Active Directory Federation Services (ADFS), which is available in the Enterprise plan.

However, as @sylvester said, you can build something yourself that will do the trick. Here’s a plan on how to do it, taking into account recently released functionality such as the random number function:

Setting up

  1. Create an extra role in your published application, e.g. Authenticated. This role will need to have access to all the functionality you want authenticated users to have access to.
  2. Have the default role only be permitted to access the Start user flow (see below).
  3. Add a date/time property to the User, called Last authenticated.
  4. Add a text property to the User, called Authentication code.


Flow part - Authenticate user with 2FA

  1. If the user’s Last authenticated is less than or equal to X hours ago, they are authenticated. As output of the flow part, Authenticated should be True.
  2. Also, make sure to set the user’s Last authenticated to the current date and time.
  3. If the user’s Last authenticated is over X hours ago, the result is False.

Flow part - Generate 2FA code

  1. Create a code, the easiest way is to use 1 calculation: MAKE ( RANDOM NR BETWEEN 100000 AND 999999 ) A TEXT. This gives you a 6 digit authentication code.
  2. Store this number as the code for the user.
  3. Send the code to the user by email (or SMS, using the Web API and Twilio for example).

User flow - Start
Make a user flow that will always be the first user flow to be opened (place it in the first section, and first category of the appearance):

  1. Start with the Authenticate user with 2FA flow part.
  2. If the user is authenticated, simply direct them to a start page, e.g. a dashboard page.
  3. If the user is not authenticated, remove the Authenticated role from them, generate a 2FA code for them and direct them to a page where they can fill in their code.
  4. After submitting the code, check the submitted code against the one in their profile.
  5. If the code is incorrect, show an Authentication failed page, with only the option to Retry.
  6. If authentication is successful, assign the Authenticated role, and then direct them to an Authentication successful page. This extra step is important, because assigning the role happens in the background. This means the entire menu will not yet show up on this first page.
  7. From the success page, have 1 option, called Next. This leads to the regular start page.

Further enhancements
You can make an automation flow that runs in the background every hour or couple of hours, to check users. This automation flow can then empty the last authenticated date for those users that are no longer authenticated. For performance, add a date/time property Automated log off. Set this date.

A second automation flow, with a data trigger, can then fire upon changing the Automated log off value. It should remove the Authenticated role. This will make sure that the application behaves a little bit nicer for people who have been logged out for a while and then log back in (the menu will not be visible for them, in this case).

Disclaimer
I quickly made this functionality off the top of my head without detailed testing, just to provide this example. I think I got it completely right, but then again, maybe I forgot a small thing. If that’s the case please let me know here, and I’ll update this post.

Hope this is clear enough and works in your case!

2 Likes
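The flow parts described in the post above, modelled as plain functions so the logic can be checked outside Triggre (an added example, not Triggre code or the poster's build): a User with Last authenticated and Authentication code, the Authenticate / Generate / Verify steps with the X-hour window as a parameter, and the hourly Automated log off job. The code TTL and the attempt limit are assumptions added for the comparison step; the post itself sets no expiry on the code and allows unlimited retries.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import hmac, secrets

CODE_TTL = timedelta(minutes=10)   # assumption: the post gives the code no expiry
MAX_ATTEMPTS = 5                   # assumption: the post allows unlimited retries

@dataclass
class User:
    name: str
    roles: set = field(default_factory=lambda: {"Default"})
    last_authenticated: Optional[datetime] = None   # 'Last authenticated'
    authentication_code: Optional[str] = None       # 'Authentication code'
    code_issued_at: Optional[datetime] = None
    failed_attempts: int = 0

def authenticate_user(user, now, window):
    # Flow part 'Authenticate user with 2FA': True if the last login is within X hours
    if user.last_authenticated and now - user.last_authenticated <= window:
        user.last_authenticated = now          # step 2: refresh the timestamp
        return True
    user.roles.discard("Authenticated")        # Start flow step 3: drop the role
    return False

def generate_2fa_code(user, now):
    # Flow part 'Generate 2FA code'; secrets.randbelow stands in for
    # MAKE ( RANDOM NR BETWEEN 100000 AND 999999 ) A TEXT
    user.authentication_code = str(100000 + secrets.randbelow(900000))
    user.code_issued_at, user.failed_attempts = now, 0
    return user.authentication_code            # goes out by email or SMS

def verify_code(user, submitted, now):
    # Start flow steps 4-6: compare the submitted code with the stored one
    stale = user.authentication_code is None or now - user.code_issued_at > CODE_TTL
    if stale or user.failed_attempts >= MAX_ATTEMPTS:
        return False
    if hmac.compare_digest(user.authentication_code.encode(), submitted.encode()):
        user.authentication_code = None        # single use
        user.last_authenticated = now
        user.roles.add("Authenticated")
        return True
    user.failed_attempts += 1
    return False

def automated_log_off(users, now, window):
    # 'Further enhancements': background job clearing stale users and removing the role
    for u in users:
        if u.last_authenticated and now - u.last_authenticated > window:
            u.last_authenticated, u.roles = None, u.roles - {"Authenticated"}
```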

Is it perhaps a suggestion to make this a Triggre template?

1 Like

Hi @Jesse and @roland.huijser,
I’ve built it almost exactly like that, however I added a TTL (Time to live) value to the application settings, combined with a ‘Validated’ true/false and a ‘Valid until’ date/time in the user. When logging in, the procedure checks whether the user has already validated and if the code is still valid, based on the ‘Validated’ and ‘Valid until’ value in the user. If still valid, the procedure will continue to the landing page; if not, or if not validated, the authentication screen shows and a new code will be sent to the user.
The TTL can be set by a duration field in the Application settings.
It’s a bit of a different approach, but basically it is the same process.

1 Like