Two-Factor Authentication

This article is an announcement of new functionality.
Its content is not meant to be used to learn the new functionality.
A complete description of the new functionality will be given in the documentation for the corresponding version.
A full list of changes in the new version is available in the v8Update.htm file.

Implemented in version

We have implemented a mechanism that lets you perform two-factor authentication of infobase users. It lets you prompt the user for two different types of credentials, which gives more effective protection against unauthorized access to the infobase.


In the 1C:Enterprise system, authentication is the process of checking the login and password entered by the user for correctness. The platform can perform this check itself, or it can use the result of authentication performed by another resource that it trusts (operating system or OpenID authentication). In either case the user chooses some login and enters a password. If the login and password are correct, the platform considers the user identified and gives him access to the data.

This familiar login/password paradigm is simple and convenient. However, it has one conceptual flaw. A password has to be remembered, so it must be short and simple, but such passwords are easy to crack. For a password to be hard to break it must be long and complex, but such passwords are not easy to remember. As a result, in practice it all comes down to people using simple passwords, and the same ones in different places.

Two-factor authentication is a method that makes it somewhat harder for attackers to get at other people's data. In other words, it is a solution that lets you work around the shortcomings of classic password protection to some extent.

Two-factor authentication requires the user to have two of three possible types of authentication credentials:

  • Something he knows, something he remembers (for example, username/password),
  • Something he owns (for example, a mobile phone),
  • Something inherent to him (for example, a fingerprint).

The essence of two-factor authentication is that, to get somewhere, the user must confirm twice that he is who he claims to be, and in different ways. For example: enter a username/password (first factor), then enter the code sent to his mobile phone (second factor).

The 1C:Enterprise platform checks the first authentication factor; to work with the second authentication factor, some third-party service is used, which we will call a provider.

Second-Factor Authentication Provider

A provider is a web service with some kind of interface consisting of HTTP requests. It can be, for example, a 1C:Enterprise infobase in which you have implemented a set of HTTP services that allow sending messages or performing authentication. It can be a third-party service that sends messages via SMS or e-mail, a service that generates second-factor codes, a service that interacts with the user through its own mobile application, and so on. The only requirement is that the provider is accessed via HTTP requests.

Authentication scenarios

To make the rest of the story clearer, let us look right away at two authentication scenarios that the new mechanism allows you to implement.

Standard 1C:Enterprise authentication (first factor) looks like this:

  1. The user starts a client application. It asks him for the first authentication factor, login and password. The user enters them, and the client application sends them to the server.
  2. The server checks the login and password for correctness. If they are correct, the server checks whether the second authentication factor must be used for this user.

If the second factor does not have to be used, the user is considered identified and can start work. This is the familiar authentication scenario that exists in the platform today.

But if the second factor must be used for this user, two new scenarios for using the second authentication factor are possible.

Simple provider

  1. The server informs the client application that the user must enter a second authentication factor.
  2. The client application shows the user an additional authentication window.
  3. The server generates a second-factor code (94573) and sends an HTTP request to the provider. This request contains the message that the provider must deliver to the user, for example: "Your authentication code is 94573. Do not share it with anybody."
  4. The provider delivers this message to the user, for example, to a mobile phone.
  5. The user reads the code sent by SMS.
  6. The user enters this code in the additional authentication window (item 2).
  7. The server checks the code for correctness. If it is correct, the user is identified and can start work.

This scenario can be used for "simple" second-factor providers, which can only deliver a fixed message to the user (for example, an SMS to a phone number). In this scenario the platform (server) itself generates the second-factor code and fully composes the message that the provider must deliver to the user. The provider only delivers the message, and the platform waits for the user to enter the second-factor code in the additional authentication window.

Smart provider

  1. The server informs the client application that the user must authenticate the second factor on the provider side.
  2. The client application shows the user an additional authentication window.
  3. The server sends an HTTP request to the provider asking it to authenticate the user on its own.
  4. The provider starts the authentication procedure; for example, it asks the user for a fingerprint using its mobile application.
  5. The user puts his finger on the scanner.
  6. The user clicks OK in the additional authentication window (item 2), telling the platform that he has completed the additional authentication.
  7. The server asks the provider for the authentication result.
  8. The provider tells the server the authentication result. If it is successful, the user is identified and can start work.

This scenario can be used for "smart" second-factor providers. Such providers, for example, generate the required code themselves, know how to notify the user, and verify his data. It is assumed that such a provider already has the information about the user that it needs (for example, from the developer or administrator of the applied solution). The provider performs the second-factor authentication on its own, and the platform waits for a signal from the user before asking the provider for the result of that authentication.
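The smart-provider exchange above, as an added example in Python that is not part of the original article or of the 1C platform: the provider is a constructed stand-in, and the /auth and /result/ paths, the session ids and the function names are assumptions. The point it shows is that the server grants access only on an explicit success result; a result that is still pending (the user clicked OK before finishing), a failure, or an unknown session all deny.

```python
import secrets

# Constructed stand-in for a "smart" provider (not 1C's or any vendor's code):
# it runs the second-factor check itself (e.g. a fingerprint prompt in its
# mobile app); the platform only starts the check and later asks for the result.
class SmartProvider:
    def __init__(self):
        self.sessions = {}   # session id -> "pending" | "ok" | "failed"

    def handle(self, method, path, body=None):
        # Request 1 of the template: start provider-side authentication
        if (method, path) == ("POST", "/auth"):
            sid = secrets.token_urlsafe(16)
            self.sessions[sid] = "pending"
            return 200, {"session": sid}
        # Request 2 of the template: report the result, collectable once only
        if method == "GET" and path.startswith("/result/"):
            sid = path.rsplit("/", 1)[1]
            state = self.sessions.get(sid)
            if state is None:
                return 404, {"error": "unknown session"}
            if state != "pending":
                del self.sessions[sid]   # a final result cannot be replayed
            return 200, {"state": state}
        return 405, {"error": "unsupported"}

    def complete_user_check(self, sid, success):
        # The user's action on the provider side (finger on the scanner).
        if sid in self.sessions:
            self.sessions[sid] = "ok" if success else "failed"

def request_authentication(provider, user):
    """Step 3: the server asks the provider to authenticate the user."""
    status, body = provider.handle("POST", "/auth", {"user": user})
    return body["session"] if status == 200 else None

def fetch_result(provider, sid):
    """Steps 7-8: only an explicit "ok" grants access. "pending", "failed",
    an unknown session or any non-200 answer all deny."""
    status, body = provider.handle("GET", f"/result/{sid}")
    return status == 200 and body.get("state") == "ok"
```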

Users and providers

Which provider to use and how to authenticate the second factor is set for each user individually.

To describe the HTTP requests that must be sent to the provider, we have implemented a new type in the built-in language, TemplateSecondFactorSettingsAuthentication. Objects of this type are named objects that you can store in the infobase. Each such template lets you save two HTTP requests at once: one for requesting authentication, the other for getting its result. Each of these requests is described using the familiar HTTPRequest object, but has two interesting features:

  • First, you can specify the HTTP method as a string for each of them, because the HTTP specification allows custom verbs (methods).
  • Second, some fields of these requests can be "parameterized" using "&" (for example, &sms_phone_number). This is because for different users the requests are mostly identical, and the only difference is in the values of some fields that depend on the particular user (for example, the phone number to which the SMS must be sent).

For example, you can create a template for a simple SMS-sending provider by specifying only one request, the authentication request. Two parameters can be used in this request: host (the provider's address) and secret (the second-factor code that the platform will generate):

A smart provider template will already contain two requests (an authentication request and a request for the authentication result):

After you have saved several provider templates, you can assign each user a specific template and a set of values for the parameters to be substituted into that template.

For example, for a user who will use a "simple" provider you can write a single parameter, the address to which the HTTP request will be sent (host):

And a user who will use a "smart" provider may need more parameters:

Note that you assign not one "set" of settings but several (an array). The ProcessingSecondFactorSettings property lets you apply them one after another if the current HTTP request ended with an error. For example, if one provider is not working, you can try another provider that can perform similar actions (a different set of settings).
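The simple-provider scenario described earlier and the templates and settings array described in this section, as one added Python example that is not part of the article or of the 1C platform: the template dictionary, the &-parameter substitution, the two constructed provider hosts and all function names are assumptions, not the platform's real objects. It shows the platform generating the code itself, filling the &host, &sms_phone_number and &secret parameters, falling back to the next set of settings only when the request fails, and checking the user's code in constant time.

```python
import hmac
import re
import secrets

# Assumed template shape: one HTTP request whose string fields may contain
# &name parameters, as in the page's &host, &secret and &sms_phone_number.
PARAM = re.compile(r"&([A-Za-z_][A-Za-z0-9_]*)")

SMS_TEMPLATE = {
    "method": "POST",               # stored as a plain string, any HTTP verb
    "url": "https://&host/send",
    "body": '{"to": "&sms_phone_number", "text": '
            '"Your authentication code is &secret. Do not share it with anybody."}',
}

def fill_template(template, params):
    """Substitute every &name in the template; an unset name is an error,
    so a request with a dangling parameter is never sent."""
    def sub(m):
        name = m.group(1)
        if name not in params:
            raise KeyError(f"unset parameter &{name}")
        return str(params[name])
    return {k: (PARAM.sub(sub, v) if isinstance(v, str) else v)
            for k, v in template.items()}

def start_simple_second_factor(settings, send, digits=5):
    """The platform generates the code itself and tries each (template, params)
    set in order, moving to the next one only when the request fails."""
    code = "".join(secrets.choice("0123456789") for _ in range(digits))
    for template, params in settings:
        request = fill_template(template, {**params, "secret": code})
        try:
            status = send(request)
        except OSError:            # provider unreachable: fall back
            continue
        if 200 <= status < 300:
            return code            # kept server-side; never sent to the client
    return None                    # every provider failed: deny, don't skip 2FA

def verify_code(expected, entered):
    """Constant-time comparison of the code the user typed."""
    return expected is not None and hmac.compare_digest(expected, entered)

# Constructed provider stand-in: the first host is down, the second works.
SENT = []
def constructed_send(request):
    SENT.append(request)
    if "sms-a.example" in request["url"]:
        raise OSError("connection refused")
    return 200

USER_SETTINGS = [
    (SMS_TEMPLATE, {"host": "sms-a.example", "sms_phone_number": "+10000000000"}),
    (SMS_TEMPLATE, {"host": "sms-b.example", "sms_phone_number": "+10000000000"}),
]
```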

Event log

We have added new events to the event log for all new authentication scenarios, and new fields to some existing events. This lets you monitor not only the authentication processes themselves but also the actions related to them: changing second-factor authentication templates and changing user settings related to two-factor authentication.

