The Mifos X platform is a cloud-based core banking system for delivering financial services to the poor. We provide a web and mobile interface, our AngularJS Community App and Android Field Officer App, for the staff of a financial institution to manage their portfolio and service their clients. The security of their clients' financial data is paramount, so we would like to add 2FA as an additional layer of security to the platform when staff log in via these apps. The most common means of accessing Mifos X is via the Community App, but we need 2FA for the Android client as well.

The generation and sending of the verification code/one-time password will primarily be via SMS and/or email since that is the most user-friendly and most accessible given the equipment available to staff using Mifos X. However, we should aim to support configurability of other authentication methods via an app or virtual authentication device to generate the verification codes.

Project Tasks

The specific tasks for the project are to:

  1. Stabilize the existing SMS integration in Mifos X

    1. In order for 2FA to work, the organization must have an SMS gateway or Email Service configured

    2. We provide an SMS bridge which integrates out of the box with the Twilio SMS gateway. We would like to improve the process for configuring your SMS gateway by making it more configurable via the UI, by simply inputting the details of your SMS gateway.

  2. Generate and store Verification Code/One-Time-Password (OTP) at Mifos

    1. This would be done using a Java random number generator

    2. This would be stored in-memory and not on disk.

  3. Verification of OTP by Mifos X System

    1. Authentication process of Mifos X must be extended to support the verification and storage of an OTP.

  4. Sending of OTP via SMS and/or Email

    1. Log-in screen for Community App needs to have field and prompt added for 2FA when enabled.

  5. Configuration of 2FA by System Administrator

    1. Enabling of 2FA for the organization

      1. See workflow below for more details.

      2. The UI screens for configuring 2FA will need to be created and added under the System Admin Section

      3. 2FA can only be enabled if an SMS gateway or email service has been configured.

  6. Input of the OTP

    1. See workflow below for more details.

    2. Login screens on both the Community App and the Android client need to be updated to trigger the sending of the OTP and the entry of the OTP

  7. OTP Verification and Expiration

    1. Configurability of Length of OTP

      1. Default should be six digits

    2. Configurability of Validity Period of OTP: how long the OTP stays valid before it expires must be made configurable

      1. Default of 5 minutes (300 seconds)

    3. Configurability of Length of Remember Me Period: We will allow an option for recognized devices to be remembered (not requiring 2FA for a defined period of time)

      1. Default of 15 days
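One way tasks 2, 3 and 7 above (generation, in-memory storage, verification with expiry) could fit together, as an added example that is not Mifos X code; the class name, the three-attempt limit and the choice of SecureRandom over java.util.Random are assumptions of this example:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added example, not Mifos X code: in-memory OTP issue/verify taking the
// task-list defaults (6 digits, 300-second validity) as constructor arguments.
public class OtpService {
    private static final SecureRandom RNG = new SecureRandom(); // CSPRNG, not java.util.Random
    private static final int MAX_ATTEMPTS = 3;                   // assumed guess limit per OTP

    private static final class PendingOtp {
        final String code; final Instant expiresAt; int attempts;
        PendingOtp(String code, Instant expiresAt) { this.code = code; this.expiresAt = expiresAt; }
    }

    private final int otpLength;
    private final Duration validity;
    // Keyed by username; lives only in memory, never written to disk.
    private final Map<String, PendingOtp> pending = new ConcurrentHashMap<>();

    public OtpService(int otpLength, Duration validity) {
        if (otpLength < 4 || otpLength > 10) throw new IllegalArgumentException("otpLength out of range");
        this.otpLength = otpLength;
        this.validity = validity;
    }

    /** Generates a numeric code (leading zeros kept) and records its expiry; the caller sends it by SMS/email. */
    public String issue(String username) {
        StringBuilder sb = new StringBuilder(otpLength);
        for (int i = 0; i < otpLength; i++) sb.append(RNG.nextInt(10)); // each digit drawn uniformly
        String code = sb.toString();
        pending.put(username, new PendingOtp(code, Instant.now().plus(validity))); // replaces any older OTP
        return code;
    }

    /** Accepts a code once before expiry; a match or too many wrong guesses invalidates it. */
    public boolean verify(String username, String submitted) {
        PendingOtp otp = pending.get(username);
        if (otp == null) return false;
        if (Instant.now().isAfter(otp.expiresAt) || ++otp.attempts > MAX_ATTEMPTS) {
            pending.remove(username); // expired or guess limit hit: user must request a new OTP
            return false;
        }
        boolean ok = MessageDigest.isEqual(otp.code.getBytes(StandardCharsets.US_ASCII),
                                           submitted.getBytes(StandardCharsets.US_ASCII)); // constant-time
        if (ok) pending.remove(username); // single use: a verified code cannot be replayed
        return ok;
    }
}
```

Because the store is a plain in-memory map, a server restart or a multi-node deployment drops or splits pending OTPs; the entry for a user is simply re-issued in that case.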


Workflow


System Administrator

This is the workflow for enabling Two-Factor Authentication from the perspective of a System Administrator at the financial institution.

  1. Enable Two-Factor Authentication

    1. System administrator navigates to Administration >> System >> Two Factor Authentication

  2. Configuration Wizard

    1. System administrator is prompted with a wizard-like interface to configure 2FA

    2. It will first check whether an SMS gateway or email service is configured; if not, it will display the screens to configure the email or SMS gateway directly from the wizard.

    3. Once the messaging service is configured, system administrator must specify the configuration settings for the generation of the OTP

      1. # of characters

      2. Validity Period for the OTP  (# of minutes)

        1. Specify the length in number of minutes before an OTP expires and another needs to be generated.

      3. Remember Me Period & its length

        1. Should be able to enable/disable this functionality

        2. Specify length in number of days

  3. Configure Greeting Field

    1. System administrator should have the ability to configure a brief greeting (140 characters or less) that accompanies the OTP.

  4. Configuration of Users (optional)

    1. We will only support 2FA being available to all users, who will all be prompted to use 2FA once it's enabled. There will be no configurability around certain users/roles that require 2FA. This should avoid the need to manage a 2FA rollout process.

End User

This is the workflow from the perspective of an end user attempting to log in for the first time using Two-Factor Authentication.

  1. User navigates to the Community App log-in screen from their web browser.

    1. Should be prompted with a message stating that Two-Factor Authentication has been enabled, with a link to click to generate a one-time password.

      1. Open Question - is this at the initial log-in screen (before logging in with existing credentials) or on a second page after they've logged in with their credentials?

    2. System prompts them with a message stating that an OTP will be sent to them via SMS or email and states which phone number or email address it is going to. User confirms this and clicks next.

      1. User should receive the OTP via SMS or Email along with the configured greeting message

      2. Validity period should be long enough that they have time for the SMS/email to be received and still input the OTP.

    3. User is prompted with screen to input OTP.

      1. There should also be a check-box below to allow the system to remember this device. If checked, the user won't be prompted to input an OTP for the length of the remember-me period.

        1. A general message should be provided that this should be a trusted, private device they use frequently.

The same should be replicated for a user logging into the Android field operations app.

Skillsets Needed


Generation and Configuration of OTP

  • Java

Configuration of Authentication with Mifos X

  • Java, Spring, JAX-RS, JPA

User Interface Development for Web App

  • AngularJS, Javascript

User Interface Development for Android

  • Android
