Introduction
The mPass authentication server (AS) is an OATH-compliant solution for enabling multi-factor authentication (MFA) for enterprise applications such as VPN systems, Outlook Web Access, Active Directory Federation Services (ADFS), Windows/Linux systems and any internally developed application. mPass AS provides strong authentication with OATH-based one-time passwords (OTPs), delivered by SMS or generated by the mobile apps.
Purpose
This HLD article presents the structure of the mPass system: the database architecture, the application architecture (layers), the application flow (navigation) and the technology architecture. The HLD uses non-technical to mildly technical language so that it is understandable to both technical and non-technical personnel.
Solution Overview
The mPass solution comprises several components; which of them are deployed depends on the project requirements. The mPass authentication server (AS) is the primary and central component of the solution.
The mPass design covers the following areas: the architecture, the user interface design, the external interfaces, the database, the process relations, and automation, as illustrated in the figure below.
Solution Architecture
Following are the various modules of the mPass solution to facilitate MFA for enterprise applications.
| Subsystem name | Primary function/role |
|---|---|
| mPass Administration Portal | Web-based application for MFA management, used by mPass administrators |
| mPass User Portal | Web-based application for enterprise users to enroll the mobile authenticator app |
| Soft token mobile applications | Android and iOS apps that generate time-based one-time passwords (TOTP) |
| mPass OWA | mPass agent for Outlook Web Access that enforces MFA at login |
| mPass Windows | Enables MFA for Microsoft Windows logon |
| mPass Linux | Enables MFA for popular Linux distributions such as Ubuntu, Red Hat and CentOS |
| mPass RADIUS | RADIUS server that provides authentication with MFA for RADIUS clients such as VPN gateways and firewall authentication |
| mPass ADFS | Enables MFA for Microsoft Active Directory Federation Services (ADFS) |
| mPass Web API | Web API that provides MFA to custom-developed applications over a standard HTTP interface |
| SAML 2.0 Services | The mPass SSO 2.0 component acts as a SAML 2.0-compliant identity provider and also enforces MFA during authentication |
| Channels | Channels act like application firewalls: they control which enterprise systems/applications may integrate with mPass |
| Policies | Policies are sets of rules that control the authentication process |
| Tokens management | Tokens are virtual components bound to enterprise users; they are used to generate OTPs during the authentication process |
| Users Module | Manages the user details relevant to MFA authentication |
Technology architecture
Following are the technologies and programming components considered for building the mPass solution and its components.
| Layer | Considered programming frameworks/libraries |
|---|---|
| Front end | XHTML, CSS, JavaScript, ASP.NET |
| Mobile apps | Android (Java) and Swift (iOS) |
| Backend | Java, Spring, Spring Security |
| Application runtime | JRE 1.8 or later, WildFly |
| Database platform | SQL Server / PostgreSQL / MySQL |
| OS platform | Windows Server, Linux |
| Component technologies | C#, .NET runtime, C and C++ |
Standards/Algorithms
Following are the standards and algorithms adopted across the components of the mPass solution.
| Standard/algorithm | Description |
|---|---|
| OATH | The Initiative for Open Authentication (OATH) is an industry-wide collaboration that develops an open reference architecture, based on open standards, to promote the adoption of strong authentication. It has close to thirty coordinating and contributing members and proposes standards for a variety of authentication technologies, with the aim of lowering costs and simplifying their functions. |
| HOTP and TOTP | HMAC-based One-Time Password (HOTP, RFC 4226) and Time-based One-Time Password (TOTP, RFC 6238): the algorithm specifications used to generate one-time passwords. TOTP is HOTP with the counter derived from the current time step. |
| PSKC | Portable Symmetric Key Container (RFC 6030): a symmetric key format for transporting and provisioning symmetric keys (such as OTP seeds) to different types of cryptographic modules. |
| RSA with SHA-512 | RSA public/private key pairs, with SHA-512 as the hash used for RSA digital signatures (RSA-SHA512). |
| SAML 2.0 | Used to exchange user and token information in SSO-based integrations. |
| BCrypt | Strong password hashing function. Callers can optionally supply a version ($2a, $2b, $2y), a strength (the log rounds of BCrypt) and a SecureRandom instance. The work required to hash a password grows exponentially with the strength parameter; the default value is 10. |
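As an added example (not part of the original article and not Cerebra's mPass code), the following Python script shows how the PSKC and HOTP/TOTP standards above fit together on the server side: it parses a PSKC key container, then generates and verifies HOTP and TOTP codes from the extracted key material. The container is constructed for this example, modelled on the RFC 6030 sample, and carries the RFC 4226/6238 test key so the codes can be checked against the published test vectors; the key Ids, the second (TOTP) key and the verification policy (drift window, replay check) are this example's own choices, not mPass behaviour.

```python
"""Parse a PSKC key container and derive/verify HOTP and TOTP codes from it.

Added example, not Cerebra's mPass code. SAMPLE_PSKC is constructed for this
example, modelled on the RFC 6030 sample container; its secret is the
RFC 4226/6238 test key ("12345678901234567890").
"""
import base64
import hmac
import struct
import xml.etree.ElementTree as ET

PSKC_NS = "urn:ietf:params:xml:ns:keyprov:pskc"
HOTP_URI = PSKC_NS + ":hotp"
TOTP_URI = PSKC_NS + ":totp"

# Constructed sample: one HOTP key (8 digits) and one TOTP key (6 digits, 30 s step).
SAMPLE_PSKC = f"""<?xml version="1.0" encoding="UTF-8"?>
<KeyContainer Version="1.0" Id="exampleID1" xmlns="{PSKC_NS}">
  <KeyPackage>
    <Key Id="12345678" Algorithm="{HOTP_URI}">
      <AlgorithmParameters><ResponseFormat Length="8" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Counter><PlainValue>0</PlainValue></Counter>
      </Data>
    </Key>
    <Key Id="87654321" Algorithm="{TOTP_URI}">
      <AlgorithmParameters><ResponseFormat Length="6" Encoding="DECIMAL"/></AlgorithmParameters>
      <Data>
        <Secret><PlainValue>MTIzNDU2Nzg5MDEyMzQ1Njc4OTA=</PlainValue></Secret>
        <Time><PlainValue>0</PlainValue></Time>
        <TimeInterval><PlainValue>30</PlainValue></TimeInterval>
      </Data>
    </Key>
  </KeyPackage>
</KeyContainer>
"""


def parse_pskc(xml_text: str) -> dict:
    """Return {key_id: params} for every <Key> carried as PlainValue.
    Only plaintext keys are handled; a real provisioning path must also handle
    <EncryptedValue> and verify the container's signature/MAC before use."""
    ns = {"p": PSKC_NS}
    root = ET.fromstring(xml_text)
    keys = {}
    for key in root.iterfind(".//p:Key", ns):
        def plain(name, default=None):
            el = key.find(f"p:Data/p:{name}/p:PlainValue", ns)
            return el.text if el is not None else default
        fmt = key.find("p:AlgorithmParameters/p:ResponseFormat", ns)
        keys[key.get("Id")] = {
            "algorithm": key.get("Algorithm"),
            "digits": int(fmt.get("Length")) if fmt is not None else 6,
            "secret": base64.b64decode(plain("Secret")),
            "counter": int(plain("Counter", 0)),      # HOTP moving factor
            "t0": int(plain("Time", 0)),              # TOTP epoch offset (T0)
            "step": int(plain("TimeInterval", 30)),   # TOTP time step in seconds
        }
    return keys


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, t0: int = 0, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, (unix_time - t0) // step, digits)


def verify_totp(key: dict, code: str, unix_time: int, last_counter: int = -1, window: int = 1):
    """Validate a submitted TOTP code against a parsed PSKC key; returns the
    matching time-step counter or None. The server-side checks shown here:
    constant-time comparison, a bounded drift window (+/- `window` steps), and
    rejection of any counter <= last_counter so an accepted code cannot be replayed."""
    if len(code) != key["digits"] or not (code.isascii() and code.isdigit()):
        return None
    base = (unix_time - key["t0"]) // key["step"]
    for c in range(base - window, base + window + 1):
        if c <= last_counter:
            continue
        if hmac.compare_digest(hotp(key["secret"], c, key["digits"]), code):
            return c
    return None


if __name__ == "__main__":
    keys = parse_pskc(SAMPLE_PSKC)
    h, t = keys["12345678"], keys["87654321"]
    print("HOTP counter 0:", hotp(h["secret"], h["counter"], h["digits"]))   # 84755224
    print("TOTP at t=59  :", totp(t["secret"], 59, t["step"], t["t0"], t["digits"]))  # 287082
    print("verify/replay :", verify_totp(t, "287082", 59), verify_totp(t, "287082", 59, last_counter=1))  # 1 None
```

The same look-ahead and "highest counter already accepted" logic applies to HOTP tokens, where the window covers missed button presses rather than clock drift. Whatever the window, the server must persist the last accepted counter per token; a server that only compares codes and never advances the counter accepts the same OTP repeatedly for the length of the validity window.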
Process Design
The following diagram depicts the cross-cutting mPass components involved in the MFA requests coming from the various mPass agents and integrations.
User interface
The user interface is a typical web application called the mPass administration portal. It is used to manage mPass artifacts such as Channels, Policies, Users and backend configurations.
Apart from the administration portal, a second web application is provided for enterprise users to activate and test the mobile authenticator app.
User Portal
Error Handling
If an error is encountered, an explanation of what went wrong is displayed. An error is defined as anything that falls outside normal and intended usage. Messages shown to end users at authentication time should stay generic (for example, not distinguishing an unknown user from a wrong OTP); the diagnostic detail belongs in the logs listed below.
The error logs should be accessible from the following sources:
- Administration portal console
- Server Logs
- External syslog systems
© 2024 Cerebra All Copyrights Reserved