Our second article in this series is about Two Factor Authentication. Two Factor Authentication or Multi Factor Authentication (2FA or MFA) requires the user to supply multiple forms of authentication: something the user knows, plus something the user possesses or something the user is.

For example, an ATM withdrawal consists of the passcode (something the user knows) and the ATM card (something the user possesses).

In the case of a login, the simplest form of 2FA would be the password (something the user knows) and a code sent to the user's email or phone (something the user possesses).

In multi factor authentication other options come into play, such as biometrics (the user's fingerprint, Face ID, voice ID, etc.).

We are going to look into adding simple two factor authentication to a DataFlex WebApp.

A standard DataFlex WebApp currently has a simple login screen that authenticates the user and creates an active session. The system then allows the user to use the application.

In order to support 2FA we will need to modify the login logic. In a 2FA system we first validate the first part of the authentication, which is the password.

Once validated, we will need to create a random token and communicate that token to the user, and the user will then need to enter that token to actually gain access to the application.

First, let's dive a bit deeper into how the login works in a DataFlex WebApp.

The UserLogin method of the session handler validates the username and password combination and then updates a record in the WebAppSession table to reflect the login.

Our first step is to add a second screen for the confirmation of the Two Factor Authentication code. This screen is very similar to the login screen.

We also need to create a code and send the code to the user. Because each web request is handled on its own, we cannot simply keep the code in memory: data held in memory would not be available on the next call from the client.

To handle the 2FA codes we will create a database table as follows:

Name: WEBAPP2FA
Columns: SESSIONKEY ASCII 36, CREATEDDATE DATE, CREATEDTIME ASCII 8, CODE ASCII 20
Index 1: SESSIONKEY, CREATEDDATE, CREATEDTIME

Now we also need a method to create and send the code. We will add the following method to the oWebApp object.

The RequestSendTwoFactorAuthCode method creates a simple random code and then sends the code via email to the user.
The code that actually sends the email is left out; simply use whatever method you are already using to send email. You can also send text messages or use any other method to deliver the code to the end user.
For testing purposes you can, of course, simply read the code from the database table as well.

We can now modify the DoLogin method in the login view to call this function and then show the TwoFactorAuthentication view.

The new login method now works a bit differently. It first validates the login credentials.
Then, instead of showing the default view, we send a two factor authentication code to the user and redirect the user to the Two Factor Authentication validation page.

The user now has to wait to receive the Two Factor Authentication code, enter it, and then proceed with the login.

But here is a problem. If we enter the credentials and then, when the Two Factor Authentication page loads, simply go back to the app's main URL, DataFlex WebApp thinks we are logged in already and skips the Two Factor Authentication entirely.

That is obviously not what we want. We need to teach DataFlex WebApp about the different statuses of a session:

  • Session Login Validated but Two Factor Authentication missing
  • Session Login Validated and Two Factor Authentication validated

To handle this we will add a field to the WebAppSession table. The field's name is MFASTATUS and it is a single character ASCII field.

After a successful login and sending of the Two Factor Authentication key we will set the value of this field to ‘W’ for Waiting Authentication.

Once the user authenticates with the Two Factor Authentication code we will clear the value in this field. This allows us to prevent the user from skipping the Two Factor Authentication.

The design of the login code in DataFlex WebApp is not very developer friendly and doesn't provide hooks in the areas where they would allow us to add functionality like this.

Because of this we have to add the following code to the SessionManager object in the WebApplication. It is a copy of DAW's original login code plus the additional code to initialize the database fields for Two Factor Authentication.

The code above handles the login and, if successful, sets the WebAppSession's MFASTATUS field to 'W'.

We will also need to modify the LoadWebApp method to ensure it will send the user to the Two Factor Authentication page when needed.

In the Two Factor Authentication view we will allow the user to type in a code and then verify it against our database.

Our DoConfirmCode procedure, called from the button's OnClick event, does just that. First we find the last 2FA code in our database. If we cannot find an entry we bail out with an error message.

If we can find an entry we validate the code. At this time this code simply uses the last code sent to the user. A better implementation would use an expiration time, allow multiple active codes within the expiration window, and remove expired entries to clean up the database.

This will now allow us to run the application which will bring up the login page. Once a login is successful the system will generate a Two Factor Authentication code and send the user to the validation screen. Once the proper code is entered the application will start as it should.

But there is another problem. If the user, after logging in successfully, uses a direct URL to navigate to one of the views of the application, the system will allow that without the user having to enter the 2FA code.

We can fix this by overriding the IsLoggedIn event in the session manager object.

This now prevents a user from navigating to any page directly before the Two Factor Authentication is complete.
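To show the whole flow in one place, here is a Python model of the design described above (an added example, not the DataFlex code from this post). A dict and a list stand in for the WebAppSession MFASTATUS field and the WEBAPP2FA table, and it includes the expiry, multiple-active-codes and cleanup refinements mentioned earlier; the 10-minute TTL and the 6-character code are assumptions.

```python
import secrets
import string
import time

CODE_TTL_SECONDS = 600         # assumed 10-minute expiry; the post leaves the value open
ALPHABET = string.ascii_uppercase + string.digits

class TwoFactorSessionManager:
    """Models the WebAppSession.MFASTATUS field and the WEBAPP2FA table
    (SESSIONKEY, CREATEDDATE/CREATEDTIME, CODE) with a dict and a list."""

    def __init__(self, users, now=time.time):
        self.users = users     # {username: password}; constructed sample data
        self.now = now         # injectable clock (seconds) so expiry can be tested
        self.sessions = {}     # SESSIONKEY -> {"user": ..., "MFASTATUS": "W" or ""}
        self.codes = []        # rows of WEBAPP2FA: {"SESSIONKEY", "CREATED", "CODE"}

    def user_login(self, session_key, user, password):
        """First factor. On success the session is created in status 'W'
        (waiting for 2FA) and a code is issued; returns None on bad credentials."""
        if self.users.get(user) != password:
            return None
        self.sessions[session_key] = {"user": user, "MFASTATUS": "W"}
        return self.request_send_two_factor_auth_code(session_key)

    def request_send_two_factor_auth_code(self, session_key):
        """CSPRNG code stored with its creation time; email/SMS delivery is out of scope, so it is returned."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(6))
        self.codes.append({"SESSIONKEY": session_key, "CREATED": self.now(), "CODE": code})
        return code

    def confirm_code(self, session_key, entered):
        """DoConfirmCode with the refinements the post suggests: purge expired
        rows, accept any unexpired code for this session, consume it on success."""
        now = self.now()
        self.codes = [r for r in self.codes if now - r["CREATED"] <= CODE_TTL_SECONDS]
        if session_key not in self.sessions:
            return False
        for row in self.codes:
            if row["SESSIONKEY"] == session_key and secrets.compare_digest(row["CODE"], entered):
                self.sessions[session_key]["MFASTATUS"] = ""    # second factor complete
                self.codes = [r for r in self.codes if r["SESSIONKEY"] != session_key]
                return True
        return False

    def is_logged_in(self, session_key):
        """IsLoggedIn override: status 'W' is not logged in, so direct URLs to views are refused."""
        session = self.sessions.get(session_key)
        return session is not None and session["MFASTATUS"] != "W"
```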

As mentioned already, this is a base implementation; a real world system would have a few more features, such as an expiration time on the 2FA code, but the main point of this post is to show how to add functionality like this to an existing DataFlex WebApp.

Two Factor Authentication can also be combined with the reCAPTCHA functionality. In a real world system we would use reCAPTCHA v3 to get a human/robot score. If the score points to certainly human we can simply proceed with the login. If the score points to a certain robot we can show an error screen or reroute to a page intended for a robot. All scores in between would be forced to use Two Factor Authentication to log into the system.

Michael Salzlechner is the CEO of StarZen Technologies, Inc.

He was part of the Windows Team at Data Access Worldwide that created the DataFlex for Windows product before joining StarZen Technologies. StarZen Technologies provides consulting services as well as custom application development and third-party products specifically for DataFlex developers.