I want to start by talking about Swivel. Swivel is a provider of authentication solutions that was awarded, some years ago, the SC Magazine Europe Award for the best multi-factor authentication solution.
Its authentication products include OneTouch PUSH, SMS, Token, PINpad, TURing and PINsafe. In this publication we will use TURing, although by changing only a few parameters we could use PINsafe instead, for example by sending the code by SMS.
How does TURing work?
First, each user who will use this option is assigned a PIN beforehand: a 4-digit code that the user must remember, just like the PIN of a debit card. This task is performed by the Swivel server administrator.
The web application performing the two-factor authentication (2FA) requires a One Time Code (OTC), which it asks the user to enter. If you don't know what an OTC is, I invite you to read my previous publication “Authentication of 2 factors with Scriptcase“.
To determine which OTC the user must enter, at authentication time and once the connection to the Swivel server has been made, a 10-digit code is sent to the user's browser as a rectangular image. The user then takes from that image the digits in the positions given by their PIN (the PIN previously assigned by Swivel's administrator). That is, if the PIN is 5273, the user simply writes the digit in the 5th position of the image, then the digit in the 2nd position, then the digit in the 7th position and finally the digit in the 3rd position, all based on the image the server has sent.
[TURing example image] Based on the example described above, the OTC would be 3507.
It should be noted that, obviously, the images generated by the server are dynamic: a different one each time an OTC is requested.
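As an added illustration (not code from this post or from Swivel's PHP samples), the following PHP models the rule just described: the side that knows the PIN (the Swivel server in this setup) derives the expected OTC from the 10-digit security string and compares it with what the user entered. The sample security string, the mapping of column label 0 to the 10th digit, the lifetime and the function names are all my assumptions.

```php
<?php
// Added example, not the author's library or Swivel's PHP sample: the rule that
// turns a TURing security string plus the user's PIN into the expected OTC,
// and a check of what the user typed. Assumptions are marked in comments.
declare(strict_types=1);

// Constructed 10-digit security string: the digits a TURing image would show
// under column labels 1 2 3 4 5 6 7 8 9 0. With PIN 5273 it gives OTC 3507.
const SAMPLE_SECURITY_STRING = '4578310926';

// Build the OTC that the holder of $pin should type for $securityString.
// Assumption: column label 0 means the 10th digit (labels run 1..9 then 0).
function expectedOtc(string $pin, string $securityString): string
{
    if (!preg_match('/^\d{10}$/', $securityString)) {
        throw new InvalidArgumentException('security string must be 10 digits');
    }
    if (!preg_match('/^\d{4}$/', $pin)) {
        throw new InvalidArgumentException('PIN must be 4 digits');
    }
    $otc = '';
    foreach (str_split($pin) as $digit) {
        $position = $digit === '0' ? 10 : (int) $digit;   // 1-based column
        $otc .= $securityString[$position - 1];
    }
    return $otc;
}

// Verify a submitted OTC against the security string issued for this login
// attempt. The lifetime is an assumed policy (the real one is set on the
// Swivel server); an expired string must be replaced by a fresh image.
function verifyOtc(string $submitted, string $pin, string $securityString,
                   int $issuedAt, int $now, int $ttlSeconds = 120): bool
{
    if ($now - $issuedAt > $ttlSeconds) {
        return false;
    }
    // Constant-time comparison: a wrong code must not be distinguishable by timing.
    return hash_equals(expectedOtc($pin, $securityString), $submitted);
}

// Stand-alone demonstration with the constructed values above.
$issued = time();
var_dump(expectedOtc('5273', SAMPLE_SECURITY_STRING));
var_dump(verifyOtc('3507', '5273', SAMPLE_SECURITY_STRING, $issued, $issued));
var_dump(verifyOtc('3508', '5273', SAMPLE_SECURITY_STRING, $issued, $issued));
var_dump(verifyOtc('3507', '5273', SAMPLE_SECURITY_STRING, $issued, $issued + 300));
```

In a real deployment the security string is also discarded after the first verification attempt, so the same image cannot be reused for a second guess.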
Another point to consider, which I mentioned in the previous publication, is that each provider indicates how its product should be integrated and in many cases makes resources available to the developer in different programming languages. In the case of Swivel, I had examples in PHP, which I downloaded and began to study to understand how they worked before adapting them to Scriptcase. I recommend that you always try the vendor's demos or examples separately and make sure they work well before going to Scriptcase to implement them; this can save you big headaches!
In summary, the first thing I did was understand how the example worked, and then I adapted it to my needs by creating a PHP library, which I would use in Scriptcase through two blank applications. I decided on two different applications because of the way TURing works. The first, called Token, is called after the validation of the login and normal password (first factor); it manages the connection configuration to the server, the graphical interface that requests the second factor and, finally, the validation of the code entered by the user. The second application can be considered a procedure whose sole responsibility is to display the image generated by the server, through a URL placed in the template of the first application.
The previous explanation may be somewhat confusing, so I made the following video, where I explain in more detail how the implementation was done.
There are clearly different ways to implement it, but the objective of this publication is to show you one of them, which can serve as an example in your projects.
In my next post I will talk about how to implement 2FA with your own development in NodeJS.