2FA for the login

We are building a SaaS platform where some of the clients have different needs for login and security. Is it possible to enable two-factor authentication where users have to log in using a password for their Appfarm user and, for example, a code sent by SMS, email, or an app like Authenticator?
And would it be possible to enable only this 2FA for a group of users?

Hi! In general, the built-in login page may not be differentiated per customer.

But, if you use a custom Login-app you may, e.g., use URL parameters to display different logos or login options. See the link to a custom login app found in this article.

If you enable third-party authentication/custom login, many of these providers offer two-factor authentication.

Appfarm login does not currently provide built-in two-factor auth, but you may create this by sending a unique code by email or SMS after login, and restricting further use of the app until a valid code is entered.

You mention “…and restricting further use of the app until a valid code is entered”, which seems like a decent hack to provide 2FA without too much hassle.

What do you suggest is best practice to “restrict further use”? Is there a way to easily restrict use of the whole app?

And by the way: will it actually be 2FA if you use e-mail for this? Couldn’t the user just reset the password using e-mail and therefore only need e-mail access, i.e. one-factor auth?

Considering switching to a third-party authentication provider to enable 2FA. However, if Appfarm has plans to enable 2FA in the near future, this would be unnecessary. Do you know if this is something you are planning to introduce?

Using the approach with SMS or email sent from the application is not 2FA. When the user is at this stage, the platform has already authenticated the user, and it will have a valid session that allows him or her to interact with any apps or endpoints allowed by the user’s roles.

It is possible to make it a part of the flow for allowing the usage of an application, but it must not be mistaken for a security feature. Any data the app uses must be considered available for the user.

Real 2FA will find its way into Appfarm in the future, but at this stage, we do not have any estimates for when this will happen. If you need advanced authentication features, using a third-party login provider like Auth0 or similar is recommended.

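The distinction drawn in the reply above, as an added example that is not from the thread or from Appfarm: a constructed in-memory platform with both wirings side by side. Variant A issues the session on the password and sends the code afterwards, so a role-protected endpoint already answers 200 before any code is entered; Variant B hands out only a pending handle until the code matches. The user store, the code channel and the endpoint are all constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed demo user store, not Appfarm's: one user whose role allows the "reports" endpoint.
USERS = {"alice": {"pw_hash": hashlib.sha256(b"correct horse").hexdigest(), "roles": {"reports"}}}


class Platform:
    def __init__(self):
        self.sessions = {}  # token -> {"user", "roles"}; a token's existence is all endpoints check
        self.pending = {}   # handle -> (user, expected code); used only by the real-2FA variant
        self.outbox = []    # stands in for the SMS/email channel so the caller can read the code

    def _password_ok(self, user, password):
        digest = hashlib.sha256(password.encode()).hexdigest()
        return user in USERS and hmac.compare_digest(USERS[user]["pw_hash"], digest)

    def _send_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.outbox.append((user, code))
        return code

    def _new_session(self, user):
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": user, "roles": set(USERS[user]["roles"])}
        return token

    # Variant A (the thread's workaround): session issued on the password alone; the code only gates the UI.
    def login_then_gate(self, user, password):
        if not self._password_ok(user, password):
            return None
        self._send_code(user)  # the code goes out, but the session below already exists
        return self._new_session(user)

    # Variant B (real 2FA): the password yields only a pending handle; no session until the code matches.
    def login_first_factor(self, user, password):
        if not self._password_ok(user, password):
            return None
        handle = secrets.token_hex(16)
        self.pending[handle] = (user, self._send_code(user))
        return handle

    def login_second_factor(self, handle, code):
        entry = self.pending.pop(handle, None)  # any attempt consumes the handle
        if entry is None or not hmac.compare_digest(entry[1], code):
            return None
        return self._new_session(entry[0])

    def reports_endpoint(self, token):  # a backend endpoint checks session and role only
        s = self.sessions.get(token)
        return 401 if s is None else (200 if "reports" in s["roles"] else 403)
```

Whatever the app's UI does with the gate in Variant A, anything that holds the token can call `reports_endpoint` directly, which is why the reply says the data must be considered available to the user.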

I have read the responses here, but I am still struggling to understand.

  1. We have one specific customer who wants to use Microsoft to log into the solution, with 2FA. Is it possible to remove other login methods for the users of this customer? If so, I assume we must make a custom log-in app - how could we remove other login methods for specifically these users?

  2. For the aforementioned users - is it possible (in some custom way) to integrate a Microsoft login method much the same way the “log in with Google” method works? Like an SSO solution without the need for typing in email and password and synchronizing user information etc. (but still with 2FA, as the user would have used 2FA to log into Microsoft before).

  3. If (2) is not possible and we still want to use an external login provider, how should we synchronize the user information across Appfarm and the external provider? Do we keep duplicates? If we go for this solution, we would like to use Microsoft Authenticator for 2FA for the aforementioned customer.

We have one specific customer who wants to use Microsoft to log into the solution, with 2FA. Is it possible to remove other login methods for the users of this customer? If so, I assume we must make a custom log-in app - how could we remove other login methods for specifically these users?

If you want to use the default login page provided by Appfarm this is not possible since we don’t know who a visitor is before he or she is logged in. To achieve what you want, you would need to create a separate landing page (someplace else or as a separate login app) and only show relevant info on that page.

It is possible to remove all login options altogether. You can create separate login pages (for example, a button on the customer’s intranet) for the separate external login provider configs. Activating the different login alternatives can be achieved by special links. These links are in the blue dots in the login-config where you configure third-party login providers.

For the aforementioned users - is it possible (in some custom way) to integrate a Microsoft login method much the same way the “log in with Google” method works? Like an SSO solution without the need for typing in email and password and synchronizing user information etc. (but still with 2FA, as the user would have used 2FA to log into Microsoft before).

You can configure it to automatically create the Appfarm user on first time login.

Ok, thank you for a thorough answer. After giving it some thought, I think the best way to handle this is to avoid it altogether; it sounds pretty complex. In other words, leaving 2FA for the customer to handle, by limiting login methods to only those where you log in with email (this way they can have their own guidelines for using 2FA with email).