Multi-factor authentication for Mendix (MFA/2FA)
Content Type: Module
Categories: Authentication
Overview
The musthave multi-factor(MFA) / twofactor(2FA) authentication module that uses the Mendix core login/authentication capabilities together with an additional layer of security. It creates a usersession after user+password AND an additional code is validated. It supports all the common ways to create/validating codes like SMS, e-mail and (Google) Authenticator app.
- 06-09-2023: Added support for Datadog CloudSIEM
To support the feature of using Datadog's CloudSIEM there is a new constant introduced to enable this. When enabled it will produce INFO logmessages that are detected by Datadog's CloudSIEM if you have Datadog configured for your environment.
Please take a look at the documentation: https://docs.mendix.com/developerportal/operate/datadog-metrics/ and https://www.datadoghq.com/blog/how-to-monitor-authentication-logs/#log-using-a-standard-parsable-format
Example is
evt.category="authentication" evt.name="MFA code created" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="user login with MFA" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="MFA validated" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="unknown user" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="Henk"
evt.category="authentication" evt.name="invalid password" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="MFA enabled but no session found" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Max MFA attempts exceeded" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
- 29-12-2022: Please upgrade to version 2.0 (Mendix 9 compatible, see improvements in release notes)
- 24-12-2021: Please upgrade to version 1.5 (Vulnerability fix, rate limit and documentation)
Documentation
See documentation on https://github.com/appronto/multifactor-authentication
Releases
Version: 3.0.0
Framework Version: 9.18.4
Release Notes: To support the feature of using Datadog's CloudSIEM there is a new constant introduced to enable this. When enabled it will produce INFO logmessages that are detected by Datadog's CloudSIEM if you have Datadog configured for your environment.
Please take a look at the documentation: https://docs.mendix.com/developerportal/operate/datadog-metrics/ and https://www.datadoghq.com/blog/how-to-monitor-authentication-logs/#log-using-a-standard-parsable-format
Example is
```
evt.category="authentication" evt.name="MFA code created" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="user login with MFA" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="MFA validated" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="unknown user" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="Henk"
evt.category="authentication" evt.name="invalid password" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="MFA enabled but no session found" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Max MFA attempts exceeded" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
```
Version: 2.1.0
Framework Version: 8.18.8
Release Notes: To support the feature of using Datadog's CloudSIEM there is a new constant introduced to enable this. When enabled it will produce INFO logmessages that are detected by Datadog's CloudSIEM if you have Datadog configured for your environment.
Please take a look at the documentation: https://docs.mendix.com/developerportal/operate/datadog-metrics/ and https://www.datadoghq.com/blog/how-to-monitor-authentication-logs/#log-using-a-standard-parsable-format
Example is
```
evt.category="authentication" evt.name="MFA code created" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="user login with MFA" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="MFA validated" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="unknown user" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="Henk"
evt.category="authentication" evt.name="invalid password" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="MFA enabled but no session found" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Max MFA attempts exceeded" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
```
Version: 2.0.0
Framework Version: 8.18.8
Release Notes: After reviewing and feedback we released 2.0 of the module. Please upgrade to this version!
* When your mark this module as your favorite marketplace content you will receive notifications about new releases.
Breaking change:
- We removed the capability to use MFA from login.html (too complex)
Configuration:
- Remove MFA directory from your resources directory
Improvements:
- For MFA users: Max login attempts and Max MFA attempts can be configured with constants (default is 3)
- For non-MFA user after the default platform attempts of 3 the user will be blocked according to the Mendix platform default and is released after 5 minutes (but read https://docs.mendix.com/refguide/login-behavior)
- Improved logging message when user is blocked (so it's in line with unblocks by the Core runtime)
- Reduced lines of java code
- Added unit tests (if you experience issues, please check if you can create a unit test for the case)
- Removed a HTML snippet and replaced this with a nanoflow + Javascript action
- Create code flow is more fail proof if the custom implementation of creating code was not correct, the flow remains secure (by always setting a random code)
- This Mendix 8.18.8 version of the module is Mendix 9 compatible (BlockSince attribute on User entity fix for Mendix 9 included!)
Version: 1.5.0
Framework Version: 8.18.8
Release Notes: - Added check on MFA code by the user (thanks Dirk of S-Unit for reporting after pentests!)
- Added rate limit on attempts for MFA codes. Will block after user after 3 times (just like normal login attempts)
- Custom info and error messages are now possible
- Small documentation fixes