Two-factor authentication increases the level of information security by adding one more step to the user authorization check.
The first factor can be implemented by any available authentication type.
The second factor is realized by means of a certificate fingerprint saved in Foresight Analytics Platform.
To log in to the system, if the first-factor authentication was successful, the user is prompted to provide a certificate.
To enable two-factor authentication in the desktop application, it is enough to bind a certificate to the user.
When a web application or a security server is used, also configure the https connection to use certificates.
For details about two-factor authentication setup, see the Example of Setting Up Two-Factor Authentication or Example of Setting Up Two-Factor Authentication on Linux section.
By default, two-factor authentication is used for the users with a bound certificate.
Which users two-factor authentication applies to is changed via the Strategy_check parameter located in the system registry in the branch:
[HKEY_LOCAL_MACHINE\Software\Foresight\Foresight Analytics Platform\9.0\Manager\Certificate]
NOTE. When the security server is used, the path contains the security server folder: ...\Foresight\Foresight Analytics Platform Security Server\...
Create the Strategy_check string parameter, which can take the following values:
User. Default value. Two-factor authentication is used if the user has a bound certificate.
Always. Two-factor authentication is used for all users. The users who do not have a certificate are denied access.
Never. Two-factor authentication is not used even if the user has a bound certificate.
NOTE. This parameter can be set via the settings.xml configuration file:
<Key Name="Manager">
<Certificate Strategy_check="always"/>
</Key>
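The effect of each Strategy_check value on a set of accounts, as an added example that is not part of the product or its documentation: it reads the value from the settings.xml fragment above and sorts accounts into two-factor, single-factor and denied. The account list, the function names and the case-insensitive matching of the value are assumptions.

```python
import xml.etree.ElementTree as ET

# The settings.xml fragment shown on the page.
SETTINGS_XML = '<Key Name="Manager"><Certificate Strategy_check="always"/></Key>'

# Constructed inventory: login -> True if a certificate is bound to the user.
USERS = {"alice": True, "bob": False, "carol": True, "dave": False}

VALID = ("user", "always", "never")


def read_strategy(xml_text):
    """Return Strategy_check from the Manager key, or the default 'user'."""
    root = ET.fromstring(xml_text)
    for key in root.iter("Key"):  # iter() also visits the root element
        if key.get("Name") != "Manager":
            continue
        cert = key.find("Certificate")
        value = cert.get("Strategy_check") if cert is not None else None
        if value is None:
            continue
        value = value.strip().lower()  # assumption: value is case-insensitive
        if value not in VALID:
            raise ValueError(f"unknown Strategy_check value: {value!r}")
        return value
    return "user"


def login_outcome(strategy, has_certificate):
    """Apply the three documented rules to one account."""
    if strategy == "never":
        return "single-factor"  # certificate is ignored even if bound
    if has_certificate:
        return "two-factor"  # 'user' and 'always' both ask for it
    return "denied" if strategy == "always" else "single-factor"


def audit(xml_text, users):
    """Group logins by what the configured strategy means for them."""
    strategy = read_strategy(xml_text)
    report = {"two-factor": [], "single-factor": [], "denied": []}
    for login in sorted(users):
        report[login_outcome(strategy, users[login])].append(login)
    return strategy, report


if __name__ == "__main__":
    strategy, report = audit(SETTINGS_XML, USERS)
    print("Strategy_check =", strategy)
    for group, logins in report.items():
        print(f"  {group}: {', '.join(logins) or '-'}")
```

Running the audit before switching to Always shows which accounts would be denied access, and running it under User shows which accounts still log in with a single factor.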
To set up two-factor authentication, bind the required certificate to each user individually.
A certificate is bound to the user on the General Properties tab in user properties.
NOTE. A security certificate is a personal digital signature of the user. It is generated by means of special cryptographic tools, for example, OpenSSL.
If Foresight Analytics Platform is run in a configuration that uses the web application (BI server) or security server, set up the web server to work via the https protocol or authorization by client certificates.
Configure the following settings on the web server:
Add https binding.
Enable requesting of SSL and client certificates.
Set up the root certificate and the server certificate on the server.
The web service access point will also use the https protocol, for example, when the IIS web server and security server are used:
https://<workstation>/fpSS_App_v9.2x64/axis2/services/PP.SOM.SomSec
NOTE. If the security server is used along with the web application (BI server), certificates are checked by BI server.
For details about certificate creation and necessary settings of web server, see the Example of Setting Up Two-Factor Authentication section.
See also:
Example of Setting Up Two-Factor Authentication | Example of Setting Up Two-Factor Authentication on Linux