Company: Link Technologies
Case No: L12081. Project: 12.40: LinkSOFT Version 12.40 - 12.41
Logged By: Sanjay (Link Technologies) on 09 Nov 2020 08:52AM
Priority: Medium
Product: Framework
Group: New Feature
Time Taken: 21.00 (Weight: 21.00)
Version: 12.40
Assigned To: Sanjay (Link Technologies)
Circulation: Alvis, Development, Rashna, Sanjay
Resolve By: Sunday, 30 May 2021 11:59 PM [1473 days since logged date]
Status: Closed
Subject: Add two-factor authentication to Linksoft web as it can be configured to be accessed from external networks
Summary:    

To strengthen security, we need to add another factor into the authentication system.

We intend to implement the following second factors into the authentication system:

  1. Email a security code
  2. Microsoft Authenticator
  3. SMS Authenticator

In version 12.40, we will implement Email Authentication as the second factor, followed by 2 and 3 in future versions. 

Design:

  1. When a user registers, we have a checkbox that will allow the user to select if Email authentication is enforced
  2. Administrators will be able to Enable/Disable the second-factor authentication
  3. Once the second-factor authentication is enabled, only the Administrator can disable 
  4. Two-factor authentication will not be implemented on POS as this is an on-premise system that is not accessible from external networks.
Audit Notes:Edited by sanjay on 14/04/21 13:41. Edited by sanjay on 14/04/21 13:40. Edited by sanjay on 14/04/21 13:39. Edited by sanjay on 12/04/21 14:51. Edited by alvis on 25/02/21 10:49. Edited by sanjay on 25/02/21 10:31. Edited by sanjay on 13/01/21 15:05. Edited by sanjay on 11/12/20 08:48. Edited by sanjay on 09/12/20 13:03. Edited by sanjay on 09/12/20 13:03. Edited by sanjay on 07/12/20 13:25. 
07 Dec 202008:31AM Comment 1 by Sanjay (Link Technologies) Case L12081 added to project 12.3
07 Dec 202001:25PM Comment 2 by Sanjay (Link Technologies) ETC was changed from 14/11/2020 to 14/11/2020
09 Dec 202001:03PM Comment 3 by Sanjay (Link Technologies) ETC was changed from 14/11/2020 to 31/12/2020
11 Dec 202008:48AM Comment 4 by Sanjay (Link Technologies) Case L12081 added to project 12.31
02 Feb 202105:31PM Comment 5 by Sanjay (Link Technologies) Assigned To: Development Followup Date: 30-05-2021 05:30 PM Notes: ETC extended from: 31/12/2020 to 30/05/2021
Allocated to Development in 12.4

25 Feb 202110:31AM Comment 6 by Sanjay (Link Technologies) ETC was changed from 30/05/2021 to 30/05/2021
15 Apr 202101:18PM Comment 7 by Sanjay (Link Technologies) Assigned To: Development Followup Date: 16-04-2021 01:11 PM Time Taken: 18.00
PART A - Development work for this case has been completed.

1. The change will be available in version:12.40.0415

2. The following changes were made(Include Database object names, Program classes, and any other relevant information):

  1. Completed Two Factor Authentication for Email. Microsoft Authenticator will be built once the concept of TFA via Email has been tested.
    1. Added a checkbox on the "Create New User" form that allows the user to tick a box that enables Two Factor Authentication
    2. Added a checkbox in the user maintenance form to "Enable/Disable" two-factor Authentication
    3. When a user logs in, if Two Factor Authentication is enabled, after successful User name and Password verification, the user will be redirected to a "Second" factor authentication page, where the user will be required to enter a security code that was sent to the users Registered Email address.
    4. Authentication codes are valid for 20 minutes
    5. User will be required to enter second-factor authentication on every login. We have not built the functionality to "Remember" or "Disable" second-factor authentication, however, the Administrator can turn this on/off bu user.

3. Affected Areas:

  1. User Login
  2. Create new user

4. The issue was caused by:

  1. New Functionality for Security

5. Notes
6. Next Step (Review and System Test (Developer) -> UAT (Quality) -> Documentation): UAT

----------------------

PART B - Development Reference (Place descriptor for objects changed):

1. Changes implemented was according to the approved design (Y/N):Y

2. Other relevant notes:


19 Apr 202103:19PM Comment 8 by Sanjay (Link Technologies) Assigned To: Rashna (Edge Business Solutions) Followup Date: 20-04-2021 03:19 PM
Hi Rashna, proceed with UAT

19 Apr 202104:54PM Comment 9 by Sanjay (Link Technologies) Assigned To: Rashna (Edge Business Solutions) Followup Date: 20-04-2021 04:51 PM Time Taken: 1.00
QA Results
Tests carried out according to requirements specified on the case header

Test Results Summary

Table 1 - Summarised list of issues
NoTest DescriptionPass/Fail
1Enable TFA for user Alvis.Pass
2Login with user "Alvis". Verify OTP is sent to the email address
Pass
3Enter incorrect OTP and enter correct OTPpass

Environment Details

  1. OS version: Windows Server 2012
  2. Application version: 12.42
  3. Setup: Demo
  4. Server : 10.0.0.14
  5. Database: LINKSOFT-DEMO-124

Next Step

  1. For review

    20 Apr 202109:59AM Comment 10 by Rashna (Edge Business Solutions) Assigned To: Alvis (Link Technologies) Followup Date: 21-04-2021 09:39 AM Time Taken: 1.00
    QA Results
    Tests carried out according to requirements specified on the case header

    Test Results Summary

    Table 1 - Summarised list of issues
    NoTest DescriptionPass/Fail
    1

    Create two logins for users as below

    1. Garry - Enable TFA as No.
    2. Fred - Enable TFA as Yes.
    3. Validate that the above is updated on the user maintenance.
    		Pass
    2
    1. Login as Garry, the user should log in into LinkWEB.
    2. Login as Fred, TFA page should open for verifications.
      1. The system should email the OTP (470052) to Fred 
      2. Enter code 475002. This should not be allowed as it's invalid.
      3. Enter code 470052, the user should log in.
    		Pass
    3
    1. Disable TFA for Fred on "User Maintenance". User should be able to login in just by entering the password 
    		Pass

    Environment Details

    1. OS version: Windows Server 2012
    2. Application version: 12.40.0419RC1
    3. Setup: Demo
    4. Server : 10.0.0.14
    5. Database: LINKSOFT-DEMO-124

    Next Step

    1. For Documentation

      20 Apr 202109:59AM Comment 11 by Rashna (Edge Business Solutions) Assigned To: Sanjay (Link Technologies) Followup Date: 21-04-2021 09:59 AM
      Case added to documentation

      20 Apr 202110:50AM Comment 12 by Alvis (Link Technologies) Assigned To: Sanjay (Link Technologies) Followup Date: 21-04-2021 10:28 AM Time Taken: 1.00
      documentation completed

      21 Apr 202101:07PM Comment 13 by Sanjay (Link Technologies) Assigned To: Sanjay (Link Technologies) Followup Date: 22-04-2021 01:07 PM
      Thanks Rashna and Alvis

      If you have any queries regarding this support incident, please email admin@linktechnologies.com.au and include the Case No: L12081 in the subject line of all emails regarding this issue.

      Document size: 12.4 KB
      For call complaints, please contact the Managing Director of the company using this form