85 Replies. Latest reply on Feb 7, 2017 8:53 AM by jormond

    A Conversation About '2 Factor Authentication'

    jormond

      Security is always a big topic when it involves data, or people, or possessions. Recently, over on the FileMaker Community, there was a very beneficial discussion regarding security. Unfortunately, that discussion was the victim of a necessary action...and was deleted. It was deleted, because the discussion was tied to a video that, as was determined throughout the thread, was not beneficial to the overall community of FileMaker users and developers. When that video was removed, the discussion vanished with it.

       

      This post is specifically targeted at recompiling that discussion, because at its core it represents an important message that is necessary to convey and support. That is, creating ersatz security systems can introduce security vulnerabilities. In my experience, I have only seen 1 (one) approach that increased security while adding a 2nd factor of authentication. And it was complicated and not easily set up...and in the end, comes with its own set of drawbacks.

       

      One of the main things I took from the attached discussion ( and it's a long discussion!! ), is this: What is the point of attempting to add a layer of security that does NOT increase security?! If the approach does not INCREASE security, why would you market the approach as a security technique?! The answer to that is the reason why the video that launched the discussion was deleted.

       

      While I had much internal debate about the best way to republish the info from this discussion, in the end I decided ( with much input from others ), that just posting the discussion in its entirety was the best thing. And in doing so, know I have, as do those that gave their input, nothing but respect for all those involved in the discussion. So that is what follows.

       

      One very important note: the discussion is one of learning. And I truly believe that no one involved in the discussion came out looking 'bad'. One could say, 'well yeah Josh, you didn't end up being wrong in the thread, so you don't care'. I assure you, I have been wrong in MANY discussions. In fact, I had a similar discussion with Wim Decorte in another thread several months before this one. As I researched, and tested...I learned not only was I wrong, I learned I NEEDED to change something in my development. Without any further introduction, attached is a PDF of the thread.

        • 1. Re: A Conversation About '2 Factor Authentication'
          jbrown

          Hi Josh.

          Thanks for this. I was searching for security posts the other day and couldn't find this one.

           

          The forum is great for getting questions answered, but even more valuable, in my opinion, is that I get to watch the discussion of seasoned FileMaker pros and learn from what they bring up. I often will save out the entire conversation, as you attached here, and highlight what is valuable. By reading the conversation, I learn many different perspectives on the issue, and I get a sense of how an individual does things.

          • 2. Re: A Conversation About '2 Factor Authentication'
            CarstenLevin

            First of all: Thanks to Joshua for restarting this in an orderly and structured way.

             

            And then just as an upstart a few inputs from Joshua here and from the discussion:

            • Joshua: "creating ersatz security systems can introduce security vulnerabilities"
            • Joshua: "What is the point of attempting to add a layer of security that does NOT increase security?"
            • By Wim in the discussion: "To be very clear: it is NOT true 2-factor authentication since it relies on the user already been authenticated and allowed into the solution before the 2nd factor comes into play..."

             

            These are probably, so far, the main points of the discussion.

             

            From a definition of two way authentication:

            These components may be something that the user knows, something that the user possesses or something that is inseparable from the user.

             

            In the FileMaker standard model we are using two things the user knows (login and password), and only one of them is assumed to be secret and is encrypted and not retrievable.

             

            The Danish "Nem ID" is using this model:

            • Identity: Your username (set up by yourself, but not very secure, you could use your personal security number, your name, your email).
            • What you know: Your password, supposed to be secure.
            • What you have: A control number. You get one number and this corresponds to another number you have to return. Each number can be used once and only once. You have a card with numbers/contracodes or an electronic unit giving it. You get a new card when the old one is nearly used. Only you are supposed to have this card and it can not be used without your secret code.

            Fingerprint or other specific items you can not be separated from can count as "What you have".

             

            Could this be the conclusion?

            If two way authentication is introduced in FileMaker it must be enabled "before getting into FileMaker". Thus the conclusion is that it is something only FileMaker can deliver?

            Or am I too fast here?

             

            Best regards,

            ...and once again thanks, good morning reading to go through the original PDF with the discussion. Parts of it are a little bit difficult to comprehend without the video ... or maybe it is just because I am curious


            Carsten


            Some definitions: Two-factor authentication - Wikipedia, the free encyclopedia

            And ... do also watch this very interesting movie about the fundamental actions to secure a FileMaker solution: https://www.filemakermagazine.com/videos/protecting-filemaker-files
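The model described in the post above (a password plus a single-use code card, with both checked before any access is granted), as an added example that is not part of the original thread and is not FileMaker or Nem ID code. The class and method names are hypothetical, and burning a code on a failed attempt is an assumed design choice.

```python
import hashlib
import hmac
import secrets


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CodeCardAuthenticator:
    """Password + one-time code card; a session exists only after both pass."""

    def __init__(self):
        self._users = {}     # username -> salt, password hash, remaining card codes
        self._pending = {}   # username -> challenge waiting for its response
        self._sessions = {}  # session token -> username

    def enroll(self, username, password, n_codes=5):
        salt = secrets.token_bytes(16)
        card = {}
        while len(card) < n_codes:  # challenge number -> response number
            card[f"{secrets.randbelow(10_000):04d}"] = f"{secrets.randbelow(1_000_000):06d}"
        self._users[username] = {"salt": salt, "pw": _hash_pw(password, salt), "card": card}
        return dict(card)  # the copy handed to the user ("what you have")

    def begin(self, username, password):
        """Factor 1 (what you know). Returns a challenge, never a session."""
        user = self._users.get(username)
        if user is None or not hmac.compare_digest(user["pw"], _hash_pw(password, user["salt"])):
            return None
        if not user["card"]:
            return None  # card used up; a new one has to be issued
        challenge = secrets.choice(sorted(user["card"]))
        self._pending[username] = challenge
        return challenge

    def finish(self, username, response):
        """Factor 2 (what you have). Only here is a session token created."""
        challenge = self._pending.pop(username, None)
        if challenge is None:
            return None  # no password step preceded this call
        # Each number is used once and only once: remove it before comparing,
        # so a wrong guess or a replay cannot reuse the same challenge.
        expected = self._users[username]["card"].pop(challenge)
        if not hmac.compare_digest(expected.encode(), response.encode()):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def read_data(self, token):
        # Data access is tied to the session, which cannot exist after one factor.
        if token not in self._sessions:
            raise PermissionError("not authenticated")
        return f"records visible to {self._sessions[token]}"
```

There is no state in which the password has been accepted and data is readable, so there is nothing for a later check to "block".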

            • 3. Re: A Conversation About '2 Factor Authentication'
              CarstenLevin

              Clarification: "Nem ID" is the single Danish login for all citizens. Defined and supplied by the state and enforced as the single login to everything within the state/local authority, all banks, insurance companies and much much more. It is also used to identify a person uniquely as an employee at a hospital and other crucial affiliations. Private companies can even be allowed to use it for verification.

               

              One single sign on for all Danes to most web services by very large companies, state, health care, tax etc.

              • 4. Re: A Conversation About '2 Factor Authentication'
                jormond

                Thank you for the input CarstenLevin.

                 

                2 Factor Authentication is available now. By means of external authentication. ActiveDirectory, OpenDirectory, and the often forgotten server side local user accounts and groups ( though it's not as easy with those local user accounts, IMO ).

                 

                But continuing to support the Product Ideas space is important here. Especially for native 2FA, we need FileMaker, Inc's help with that. Keep discussions rolling in the Product Ideas space, and voting them up. The Product Managers ARE diligently watching that space. Even if they don't respond. It is their primary source of feedback from us as a community.

                • 5. Re: A Conversation About '2 Factor Authentication'
                  sreese

                  I wonder if you are talking about the same thread with Wim that I am thinking. I really appreciate his expertise, and the headache he endured being at odds with me about it. I came out much better for that discussion that is for certain.

                   

                  I wholeheartedly agree that ersatz isn't really its own security. We still have some in our solution, but we know the risks of that and understand the average user won't get past them. We are using external authentication now to provide a much more solid base for security - i.e. no auto login account. It is on my agenda to get rid of as much of the ersatz security as I can, we just are not there yet. I'm looking forward to listening to some of the security stuff at DevCon too.

                   

                  I'm always looking for a better way. A true 2 factor solution would be awesome.

                  • 6. Re: A Conversation About '2 Factor Authentication'
                    jormond

                    sreese - Probably talking about the same thread in that discussion with wimdecorte.

                     

                    It's always a pleasure to be schooled on something so important. It makes all of us better developers.

                    • 7. Re: A Conversation About '2 Factor Authentication'
                      wimdecorte

                      sreese wrote:

                       

                      I wonder if you are talking about the same thread with Wim that I am thinking. I really appreciate his expertise, and the headache he endured being at odds with me about it. I came out much better for that discussion that is for certain.

                       

                       

                       

                      It really was one of the most valuable discussions on this forum; thanks for being a part of it and asking the challenging questions.

                      • 8. Re: A Conversation About '2 Factor Authentication'
                        sreese

                        wimdecorte wrote:

                         

                        It really was one of the most valuable discussions on this forum; thanks for being a part of it and asking the challenging questions.

                         

                        At the time I felt like I was asking the annoying questions. I just desperately wanted to figure it out. I wasn't going to let it go until I understood it.

                        • 9. Re: A Conversation About '2 Factor Authentication'
                          DavidJondreau

                          I believe it's possible to implement 2 factor authentication in FileMaker with EA. I can think of two ways. Using a separate file to authenticate or using a very limited privilege set for everyone. I'll put together a sample file.

                           

                          David

                          • 10. Re: A Conversation About '2 Factor Authentication'
                            DavidJondreau

                            I take this back. I forgot about one critical issue.

                             

                            In short, if you have server side plugins and someone has fmapp access to your file (by having a username/password or Guest access) then that person potentially has a lot of power over your file and your server. I'd need to think some more on whether such issues exist without server side plugins. I'm not sure.

                             

                            I think there are technical solutions FMI could implement to handle some of this...sandboxing administrative groups, limiting the number of files FMS can host, etc, but it seems like FMI is choosing a legal route to a technical problem for now.

                            • 11. Re: A Conversation About '2 Factor Authentication'
                              taylorsharpe

                              Yes, we did have quite a discussion about it and it was good in that I learned some things. Two factor authentication is a big part of future computing security. We can do a light version of it in FM that does add security, but it is not bullet proof. Then again, almost all security has some vulnerability. My hope is that FM will build in better tools for multi-factor authentication in the future. I personally am using two-factor authentication by email or sms text messaging and verifying persistent IDs for a number of clients as a way to improve security. But I would welcome better tools directly from FM.

                               

                              One big failing I had in last fall's discussion was in setting up the test database, I did not protect from File Access because the purpose of the file was showing two factor authentication. Several people took advantage of this to discount the two factor authentication and they were smart in what they did. But it was used to discount two factor authentication whereas I saw it more of a different vulnerability with File Access settings that if I had not left as default, it would not have been accessed. My bad for not doing all of the normal security I do on production environments and ate crow for it. However, it was good to have me reminded that security requires due diligence all the way through.

                               

                              My opinion is that effective two-factor authentication can be implemented in FM 14 via scripting and security controls.  Some people discount it because it is not perfect.  Then again, Active Directory is not bullet proof and has been hacked, but we don't discount it as a valuable security tool.  We just need to properly set it up and keep security patches installed timely.  No security control stands on its own and a good security plan has many layers of security. 

                               

                              I hope there will be a good presentation on security at Devcon to talk about this and the direction of FileMaker security. 

                               

                              Thanks for reposting, Josh. 

                              • 12. Re: A Conversation About '2 Factor Authentication'
                                jormond

                                While the File Access setting was one way in...as I told Richard when we spoke on the phone...there are several other ways to access and manipulate the data.

                                 

                                Here is the thing, it's not related to "Authentication". Authentication happens before the person is in the file. Authentication is what decides if a person can get into the file. If they are in the file after 1 factor...it is not 2FA.

                                 

                                The reason I said it doesn't 'add' security, is because it doesn't.

                                1. If the privilege set is properly tuned, an unauthenticated user can't access the file or data. Multi-factor authentication is good to test either the machine, or something else the actual user has access to. ( still has to happen before they are authenticated into the file )
                                2. If the privilege set is not tuned properly, and allows access to the data, nothing is safe. A user in the file has full access to the data, whether you are trying to stop them via script or not.

                                 

                                • Scenario 1 - the added value comes in when someone gives out, or posts their password somewhere that is not secure.
                                • Scenario 2 - because the user is already in the file, that method of 2FA doesn't stop anything. I added my own access without using the 'File Access' option...and while your script was supposed to be running. So there is nothing added in this scenario.

                                 

                                Fact: You can NOT guarantee that a script will complete, or even run at all.

                                 

                                Using this method to audit access is one thing. But it is not an 'authentication' feature. And we clearly arrived at that conclusion in that thread. If you add the private conversation that went on behind the curtains, it was even more clear that there are multiple ways to access that data despite scripted attempts to block the user.

                                 

                                I don't really want to beat a dead horse, but I think it needs to be stated...this attempt can not be called 2 Factor Authentication...nor does it 'add' to the security.

                                • 13. Re: A Conversation About '2 Factor Authentication'
                                  taylorsharpe

                                  Authenticate:  "to prove that something is real, true, or genuine : to prove that something is authentic".  Merriam Webster.

                                   

                                  You have redefined Authentication to be only what FileMaker tools give you and that once a single step is done, anything past that is not authentication, specifically saying that a running script that has met a first security control is now fully authenticated, which is not true in a two factor authentication. 

                                   

                                  Using Merriam Webster, I'm counting all levels of authentication that get the user to the initial user interface and has had to meet various security control challenges. Just because you get past one control does not invalidate other controls.

                                   

                                  Your assumptions are that the privilege sets are not configured properly so that you can hack in with other vulnerabilities to claim two factor authentication does not work.  My assumption is that in a properly configured two factor authentication, you properly configure the privileges as well as File Access.  You have changed the security topic to issues with other types of vulnerabilities to knock the two factor authentication.  Security is a collection of all levels of security and just because there is a weakness in any level does not dismiss another security control.

                                   

                                  I agree that you cannot guarantee that a script will complete or run, but it sure makes it harder for a hacker to take control if they have to find a way around a two factor authentication script that is properly designed. Therefore it is adding security in that it is making it more difficult for a hacker.

                                   

                                  I agree, let's don't beat a dead horse because it is an accepted standard in computer security that two factor authentication adds security and is in the future of computer security. Yes, it would be nice to have better built in controls by FileMaker. But until then, we have a security control that can be configured to use other factors such as persistent ID, email, or SMS Text messaging.

                                   

                                  I want to emphasize that your claim about FM two factor authentication scripting does not add security is like having a lock on a gate in front of your property.  Yes, a bolt cutter can cut through it.  But it is going to keep out most people AND it is not replacing your burglar alarm and security cameras, etc.  It is adding security. 

                                   

                                  It is good to talk about the ways to properly make a security control that makes it stronger. But even authentication by user ID and password is not a foolproof control, but we do not dismiss it because it is not perfect, and neither should we dismiss an additional security control.

                                   

                                  By having a second factor authentication, my clients know that they have an additional security control that keeps someone whose user ID and password gets stolen from using a non-authorized office computer from getting into their database solution.  And just like user IDs and passwords can get stolen, the 2nd security control is not perfect, but together, they make a more robust security system. 

                                   

                                  As noted before, the two factor authentication FileMaker script requires that all other security controls be properly configured for it to be an effective additional security control.

                                  • 14. Re: A Conversation About '2 Factor Authentication'
                                    Mike_Mitchell

                                    Diving in here ...

                                     

                                    One of the requirements being bandied about here (government) is that developer accounts require 2FA. This exposes the issue Josh is referencing: If a user logs into the database with [Full Access], no scripted solution will stop him from getting to anything he wants - merely by turning on the Script Debugger prior to opening the file. Halt the script, and presto! No additional authentication takes place.

                                     

                                    Hence, the second level of authentication is easily bypassed by someone who knows how - and this is precisely the situation the requirement is meant to address. What they're worried about is a developer's credentials being hacked and the hacker having access without the second level of security. Any script-based "solution" won't fix it; it has to be fixed before the file is entered.

                                     

                                    HTH


                                    Mike
