
Authentication chains: Use cases and examples

This section outlines use cases for authentication chains and gives examples of how to configure them. Broadly, the use cases fall into two categories: single-factor and multi-factor authentication.

Best practice

PINs sent via SMS and security questions are not recommended as authentication methods because they are less secure.

Twilio-based SMS PIN delivery for authentication is also nearing end of life. See https://www.twilio.com/en-us/changelog/notify-api-end-of-life-extension-notice for more information.

Instead, use two-factor authentication, for example with Bravura OneAuth. See Add Bravura OneAuth authentication to Bravura Security Fabric for more information.

PINs sent via email can also be used in the authentication process as an alternative to SMS PINs.

Single-factor authentication

Single-factor authentication (SFA) is a process that requires a single method of authentication to verify a user’s identity. Bravura Security Fabric provides a number of built-in and scenario-based authentication chains that implement an SFA process. Examples include:

  • Password-based authentication against an external source (one of the integrated target systems)

  • Authentication based on security questions (where security questions and answers are stored externally or within the product)

  • One-time passwords such as PINs sent to a device or location that requires a separate authentication process

  • Token-based or smart-card-based authentication

Caution

An improper configuration of the DEFAULT_LOGIN or HELPDESK_LOGIN authentication chains can render your Bravura Security Fabric instance inaccessible. Bravura Security recommends using the authcfg program to export authentication chain settings before modifying the default configuration.

The following sections describe some SFA use cases typically implemented as part of Bravura Security Fabric deployments.

Multi-factor authentication

Multi-factor authentication (MFA) is a process that requires more than one method of authentication from independent categories of credentials to verify a user’s identity. Bravura Security Fabric fully supports the configuration of MFA as part of its authentication process.

Deployments of Bravura Security Fabric that require enhanced authentication security typically implement two-factor authentication (2FA, a subset of MFA) by combining two authentication factors in successive steps. The two factors are something you know (such as a password or answers to security questions) and something you own (such as a mobile phone or token).

Using built-in functionality, the first step of authenticating a user can be configured to require validation using one of:

  • Password

  • Security questions (Not recommended for use in a Bravura Privilege implementation.)

In the second authentication step, the user must then be validated using one of:

  • Email (PIN sent to email address)

  • Phone (PIN sent via SMS)

  • Mobile app (by scanning a QR code displayed on the product’s login page)

  • Third-party token (a PIN that must be provided on the product’s login page)

Browser fingerprinting can be used to remember a previous authentication. When a user attempts to authenticate again, the fingerprint can allow the user to skip the first step.

Bravura Security Fabric ships with a number of built-in modules and scenario components which implement 2FA for users.
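The following Python audit is an added example, not Bravura Security Fabric code or configuration. It checks a chain description against the guidance on this page: it flags the methods the best-practice note advises against and reports whether every path through the steps combines two factor categories. The method labels, the list-of-sets chain representation and the function names are assumptions made for the illustration.

```python
from itertools import product

# Factor category per method, following the page's grouping: first-step methods
# are "something you know", second-step methods "something you own".
# The method labels are hypothetical, not product identifiers.
CATEGORY = {
    "password": "know", "security_questions": "know",
    "email_pin": "own", "sms_pin": "own",
    "mobile_app": "own", "third_party_token": "own",
}
# Methods the best-practice note above advises against.
NOT_RECOMMENDED = {"sms_pin", "security_questions"}


def weakest_path(steps):
    """Fewest distinct factor categories over every one-method-per-step path."""
    return min(len({CATEGORY[m] for m in path}) for path in product(*steps))


def audit_chain(steps, fingerprint_skips_first=False):
    """steps: ordered list of sets; a user satisfies one method from each set."""
    if not steps or any(not s for s in steps):
        raise ValueError("a chain needs at least one step, each with a method")
    unknown = sorted(set().union(*steps) - set(CATEGORY))
    if unknown:
        raise ValueError(f"unknown methods: {unknown}")
    findings = [f"step {i}: {m} is not recommended"
                for i, s in enumerate(steps, 1)
                for m in sorted(s & NOT_RECOMMENDED)]
    kind = "MFA" if weakest_path(steps) >= 2 else "SFA"
    if kind == "SFA" and len(steps) > 1:
        findings.append("at least one path uses a single factor category")
    report = {"kind": kind, "findings": findings}
    if fingerprint_skips_first and len(steps) > 1:
        # Categories still prompted for when a remembered browser skips step 1.
        report["prompted_when_remembered"] = weakest_path(steps[1:])
    return report


if __name__ == "__main__":
    # Constructed sample chains, not exported product configuration.
    print(audit_chain([{"password"}, {"mobile_app", "email_pin"}], True))
    print(audit_chain([{"password"}, {"security_questions", "sms_pin"}]))
```

The second sample chain is reported as SFA even though it has two steps, because a user who answers security questions after a password has presented two "something you know" factors.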