Enabling Multi-factor Authentication
API Portal provides multi-factor authentication (MFA), which requires two or more authentication factors to verify a user's identity at login. Authentication factors can be classified into knowledge factors (what the user knows, for example, a password), possession factors (what the user has, for example, a security token) and inherence factors (what the user is, for example, biometric verification). The authentication mechanism validates each factor, thus adding another layer of security during user logon.
API Portal uses a combination of username, password, and a one-time password (OTP) as authentication factors to verify the user's identity. The user receives the OTP in one of the following ways:
Through an email: a user can request a new OTP which is sent to the user through email.
As a secret token in an email: a user can use the secret token and generate an OTP using an external client, such as Google Authenticator.
You can enable this feature in the API Portal user management console.
When MFA is enabled, every user onboarded onto API Portal receives a secret token by email. The user can use this secret token to generate an OTP with an external client such as Google Authenticator; that OTP is then used to log on to API Portal.
To enable multi-factor authentication
1. Log on to UMC as an Administrator.
2. Click Configuration.
3. Click Security > Multi-factor authentication in the left navigation pane.
4. Click .
5. Select Use multi-factor authentication to enable it.
Alternatively, you can set the configuration property com.aris.umc.authentication.multiFactor.active to true in the Configuration > All section. You can provide a value for Clock skew intervals, or use the configuration property com.aris.umc.authentication.multiFactor.clockSkew, to set the number of intervals for which a generated OTP remains valid. Each interval is 30 seconds.
Note:
When you enable MFA and want some users to be excluded from it, add those users, separated by commas, under Excluded users. By default, all system users are included in this list.
6. To generate and send a secret token to users who were onboarded before multi-factor authentication was enabled, do the following:
a. Click Configuration.
b. Click All in the left navigation pane.
c. Ensure that the property com.aris.umc.notification.otpSecretChanged.enabled is set to true.
d. Click User management in the title navigation bar.
e. Click the required user.
f. Click Generate token secret.
A new token is generated and sent to the respective user.
Note:
The user receives an email with the token secret, which can be used to generate an OTP to log on to API Portal.
These steps must be performed for every user who was onboarded before MFA was enabled.
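To illustrate how the Clock skew intervals setting described above affects OTP acceptance, the following is an added RFC 6238 TOTP verifier (example code, not part of API Portal or UMC). It assumes a base32 token secret of the kind Google Authenticator accepts, 30-second intervals, and a constructed secret for the demonstration; it accepts a submitted code for the current interval plus `clock_skew` intervals on either side.

```python
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per interval, matching the 30 s intervals above
DIGITS = 6      # code length shown by Google Authenticator


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the number of elapsed time steps."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                clock_skew: int = 0, step: int = TIME_STEP) -> bool:
    """Accept the code for the current interval or any of the clock_skew
    intervals before or after it. Each candidate is compared in constant
    time so the comparison itself does not leak which digits matched."""
    current = unix_time // step
    for counter in range(current - clock_skew, current + clock_skew + 1):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


def decode_base32_secret(token: str) -> bytes:
    """Authenticator apps take the secret as base32 text, often shown in
    lower-case groups; normalise and pad it before decoding."""
    token = token.strip().replace(" ", "").upper()
    token += "=" * (-len(token) % 8)
    return base64.b32decode(token)


if __name__ == "__main__":
    # Constructed secret (the RFC 6238 reference key), not a real user's token.
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted with skew 1:",
          verify_totp(secret, code, now + TIME_STEP, clock_skew=1))
```

A larger clockSkew value tolerates more drift between the user's phone and the server but also lengthens the window in which an intercepted or guessed code stays valid, so keep it as small as the deployment allows.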