Enhancing security and user experience with two-factor authentication in Magnolia

Your web presence is now one of your business’s most important assets. Flagship stores on world-famous streets cannot attract nearly as many visitors as your website. Plus, if you offer content across multiple channels, your online presence may overlap with every other touchpoint. Therefore, it's crucially important to ensure the data you offer up is as secure as can be. Let’s discuss how we at Magnolia approach that challenge.

To establish security, Magnolia has long offered integration with external user management tools. Magnolia’s LDAP Connector was first released in 2007 and the modern SSO module, for integration with Open ID Connect systems, has been fully supported in production since 2020.

These dedicated systems offer great security and tools for managing users across an entire organization. Sometimes, however, they are not in place or not made available for Magnolia to connect to and changing this is outside the scope of a DXP-specific project.

This does not mean that content security should suffer, so Magnolia offers an integrated user management solution, providing login via passwords alongside many dedicated security systems for more stringent security requirements.

Now we are pleased to offer two-factor authentication integrated into Magnolia.

Multi-factor authentication depends on asking a user for multiple pieces of information. Requiring users to pass multiple methods of authentication makes it harder for a malicious actor to impersonate a user - it is not enough to simply uncover a password. Typically, these methods of authentication are a combination of the following:

The first, something the user knows, is the best known. Usually, it’s a simple password. Sometimes users may need to answer additional questions about parents’ names and childhood pets. However, these are still examples of passwords.

“Something the user is” covers biometric data like fingerprint scanners and facial recognition. This can require dedicated hardware, making it difficult to support those security measures across the web.

The last one, “something the user owns,” often involves some form of physical token or token generator. Physical tokens such as swipe cards are not well-suited for the public web, as they require card-reading hardware on the client side and physical token generators can be expensive to issue, making them chiefly the preserve of banks.

The rise of the smartphone, however, has made software token generation close to universally available with numerous apps to generate time-sensitive tokens from a secret seed, including open products and offerings from Google, Microsoft, and Twilio.

Magnolia’s two-factor authentication makes use of software token generation and the Time-based one-time password protocol (TOTP). TOTP has been adopted by the Internet Engineering Task Force (IEFT) and is well documented as RFC 6238. The module works as follows.

Installed as a standard Magnolia module, the two-factor authentication module adds a new action to the Magnolia security app and replaces the Magnolia Admincentral login form. It requires access to a mail server via the Magnolia Mail module, but no other external services are used; everything is self-contained.

Once installed, an administrator can use the Security app’s new “Generate security token” to enable two-factor authentication for each user. Magnolia generates a new, randomized private key for that user and stores it in the Java Content Repository (JCR). At the same time, the key is encoded inside a QR code and emailed directly to the user with instructions to scan it in a suitable app.

Administrators can change the email template to provide details of approved apps and links to download them.

Once the user has scanned the code into an app, the app will employ it to generate a six-digit code based on the original key it was sent and the current time. The code is valid for 30 seconds and then expires. This prevents the re-use of old codes and minimizes the window where it’s feasible for an attacker to obtain a code and use it to start a session.

Once users have been issued keys, a simple light development change activates the new login form. This features three fields instead of two and expects the user to enter the code their key-generating app is currently displaying.

Upon entering their code, Magnolia authenticates the user. As well as checking the provided password against the username, Magnolia retrieves the key the user was issued with and generates the same six digit code for the current time to compare against the code the user provided. These are compared like the passwords and when everything lines up, the user can access the system.

To account for distributed workforces and remote work setups, the system offers a slight tolerance toward clock differences between devices, network latency, and user actions. This minimizes failed login attempts and removes the need for the user to wait and re-attempt.

Once users have been issued a code and the new login screen is enabled, multi-factor authentication is in place and required for every login.

If a user’s password is compromised, logging in is no longer possible without the device that carries the token. If the device is obtained, it’s useless on its own without the user’s Magnolia password. This proactive approach to security helps safeguard your organization's sensitive data and digital assets from potential security threats.

By implementing Magnolia’s two-factor authentication module, you can significantly enhance the security of your entire online presence while providing a seamless and intuitive user experience for administrators and end users alike.

Ready to see Magnolia’s two-factor authentication and other features in action? Book a demo today and discover how you can enhance your security and user experience.