Multifactor Authentication (MFA) in UAA

Bharath Sekar created · May 09, 2018 at 03:32 PM · edited · May 11, 2018 at 03:12 PM

UAA now supports stronger forms of authentication. This is meant to be used in conjunction with a primary mechanism such as password authentication. Currently, UAA supports TOTP-based secondary authenticators such as Google Authenticator. Several mobile apps are available that generate verification codes; typically, any app that implements the Time-based One-Time Password (TOTP) protocol will work. UAA has been tested with Google Authenticator.

Setup MFA

Create an MFA provider

MFA providers are scoped to an IdentityZone in UAA. The first step in setting up MFA for a UAA zone is to create an MFA provider in that zone. UAA will have the capability to onboard several secondary authenticators such as YubiKey, RSA SecurID, Google Authenticator and Duo Security. Currently, only Google Authenticator is recognized. To create a provider of this type, use the API to create an MFA provider.

This is typically a one-time operation, although the same provider can be updated, and more providers of different types can be added per zone once UAA supports them.

Enable/Disable MFA provider in a UAA zone

MFA providers are enabled or disabled at the zone level.

  • Enabling MFA is done by setting the mfaConfig property in the IdentityZone configuration (see Update Identity Zone config). Note that the providerName is the unique name of the provider given at the time of creation. When enabled, all users in the given zone will have to go through password + Google Authenticator to authenticate successfully with UAA.

  • To disable MFA for a given zone, the zone admin only needs to update the IdentityZone configuration by setting the mfaConfig property to false.

The MFA provider created earlier does not need to be modified or deleted.

MFA authentication flow for users

When authenticating with UAA, the user provides their primary authentication (password) as before. They are then redirected to the MFA registration page (first time only) or to the code entry page.

First time user

To start using Google Authenticator, every user has to register their phone application with their UAA account. This is typically done by scanning a QR code that is shown to them.

Provide one-time code using Google Authenticator

Once the user has registered their application with their UAA account, they can use the generated code to complete the second step of their authentication.
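To make the second step concrete, here is an added example (not UAA's code) of how a TOTP code from an authenticator app is generated and checked on the server side. It assumes the Google Authenticator defaults (HMAC-SHA1, 30-second steps, 6 digits), uses the RFC 6238 test secret as a stand-in for the secret from the QR code, and tolerates one step of clock drift while refusing to accept the same code twice.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226/6238 reference secret ("12345678901234567890" in base32), used here
# only as a stand-in for the secret a user scans from the registration QR code.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the Unix time divided by the step size."""
    return hotp(secret_b32, at // step)


class TotpVerifier:
    """Second-factor check a server performs after the password step succeeded.

    Accepts one step of clock drift either way, and records the last time step
    that was used so a just-entered code cannot be replayed within its window.
    """

    def __init__(self, secret_b32: str, step: int = 30, drift_steps: int = 1):
        self.secret = secret_b32
        self.step = step
        self.drift = drift_steps
        self.last_used_step = -1  # hypothetical per-user state; persist it in practice

    def verify(self, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // self.step
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_used_step:
                continue  # already consumed or older than a consumed step: reject replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                return True
        return False
```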

Delete MFA registration for a given user

As seen above, the MFA registration for a user is tied to the Google Authenticator app that was used during setup. If the user uninstalls the app or moves to a new phone, for example, the UAA account needs to be registered again with the new authenticator application. To do this, an admin can delete the MFA credentials for this user using the Delete MFA registration API. The user then goes through the first-time user step as above. In the future, users will be able to do this as a self-service by using something like a recovery code. Deleting an MFA provider will delete the MFA registration for all users of that provider.
