Overview
The must-have multi-factor (MFA) / two-factor (2FA) authentication module. It uses the Mendix core login/authentication capabilities together with an additional layer of security: a user session is created only after the username and password AND an additional code have been validated. It supports all the common ways to create and validate codes, such as SMS, e-mail and (Google) Authenticator apps.
- 08-01-2025: Security fix + UI improvements
- 06-09-2023: Added support for Datadog CloudSIEM
To support Datadog's CloudSIEM, a new constant has been introduced to enable this feature. When enabled, the module produces INFO log messages that are detected by Datadog's CloudSIEM if you have Datadog configured for your environment.
Please take a look at the documentation: https://docs.mendix.com/developerportal/operate/datadog-metrics/ and https://www.datadoghq.com/blog/how-to-monitor-authentication-logs/#log-using-a-standard-parsable-format
Example:
```
evt.category="authentication" evt.name="MFA code created" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="user login with MFA" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="MFA validated" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="unknown user" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="Henk"
evt.category="authentication" evt.name="invalid password" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="MFA enabled but no session found" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Max MFA attempts exceeded" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
```
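The lines above follow Datadog's standard parsable `key="value"` format, so they are easy to consume outside Datadog as well. The following is an added example (not part of the module or of this page) showing how a SIEM-side script could parse these lines and turn them into the two checks an analyst usually wants from this module: which users are failing and why, and how many wrong codes preceded each "Max MFA attempts exceeded" lockout. The sample input is the set of lines shown above, embedded as a constructed string; the `failed_logins_per_ip` threshold of 5 is an assumed value, not something the module defines.

```python
import re
from collections import defaultdict

# Constructed sample input: the Datadog-style lines shown on this page, in the
# order the module emits them for one successful and one failing login.
SAMPLE_LOG = """\
evt.category="authentication" evt.name="MFA code created" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="user login with MFA" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="MFA validated" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="unknown user" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="Henk"
evt.category="authentication" evt.name="invalid password" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="MFA enabled but no session found" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Max MFA attempts exceeded" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
"""

# One key=value pair: the value is either "double quoted" (may contain spaces,
# e.g. http.useragent) or a bare token such as an IP address.
KV_RE = re.compile(r'([\w.]+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one standard-parsable log line into a dict of its attributes."""
    event = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        event[key] = quoted if quoted is not None else bare
    return event


def parse_log(text):
    """Parse a block of lines, skipping blank ones."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def failures_by_user(events):
    """Count authentication failures per user, broken down by evt.name."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.get("evt.category") == "authentication" and e.get("evt.outcome") == "failure":
            counts[e.get("usr.name", "?")][e.get("evt.name", "?")] += 1
    return counts


def lockout_alerts(events):
    """Return (user, client ip, number of invalid codes) for each lockout.

    The module logs 'Invalid MFA entered' on every wrong code and
    'Max MFA attempts exceeded' once the configured limit is reached; pairing
    the two shows how many wrong codes preceded the block.
    """
    invalid = defaultdict(int)
    alerts = []
    for e in events:
        user = e.get("usr.name", "?")
        if e.get("evt.name") == "Invalid MFA entered":
            invalid[user] += 1
        elif e.get("evt.name") == "Max MFA attempts exceeded":
            alerts.append((user, e.get("network.client.ip"), invalid[user]))
    return alerts


def failed_logins_per_ip(events, threshold=5):
    """Client IPs with at least `threshold` failures across all users (threshold
    is an assumed value): a hint that one source is touching many accounts."""
    per_ip = defaultdict(int)
    for e in events:
        if e.get("evt.outcome") == "failure":
            per_ip[e.get("network.client.ip", "?")] += 1
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, names in failures_by_user(events).items():
        print(user, dict(names))
    print("lockouts:", lockout_alerts(events))
    print("noisy IPs:", failed_logins_per_ip(events))
```

On the sample lines this reports six failures for `demo_user` (one invalid password, one missing session, three invalid codes and the lockout), one `unknown user` failure for `Henk`, one lockout record `("demo_user", "127.0.0.1", 3)`, and `127.0.0.1` as a source with seven failures in total.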
- 29-12-2022: Please upgrade to version 2.0 (Mendix 9 compatible, see improvements in release notes)
- 24-12-2021: Please upgrade to version 1.5 (Vulnerability fix, rate limit and documentation)
Releases
Version: 3.1.1
Framework Version: 9.18.6
Release Notes: Patch: HTML widget not included in the package
See 3.1 release notes for information
Version: 3.1.0
Framework Version: 9.18.6
Release Notes: - Security fix for After startup: Access rights removed (Thanks Dirk / S-Unit)
- UI improvements for the login page
Upgrade note: check out the changed microflows for your implementation (SUB_MFA_CreateCode, SUB_MFA_UserDisabledCheck, and SUB_MFA_ValidateCode). Otherwise, you will get errors when overwriting the module at startup.
Version: 3.0.0
Framework Version: 9.18.4
Release Notes: To support Datadog's CloudSIEM, a new constant has been introduced to enable this feature. When enabled, the module produces INFO log messages that are detected by Datadog's CloudSIEM if you have Datadog configured for your environment.
Please take a look at the documentation: https://docs.mendix.com/developerportal/operate/datadog-metrics/ and https://www.datadoghq.com/blog/how-to-monitor-authentication-logs/#log-using-a-standard-parsable-format
Example:
```
evt.category="authentication" evt.name="MFA code created" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="user login with MFA" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="MFA validated" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="unknown user" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="Henk"
evt.category="authentication" evt.name="invalid password" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="MFA enabled but no session found" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Max MFA attempts exceeded" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
```
Version: 2.1.0
Framework Version: 8.18.8
Release Notes: To support Datadog's CloudSIEM, a new constant has been introduced to enable this feature. When enabled, the module produces INFO log messages that are detected by Datadog's CloudSIEM if you have Datadog configured for your environment.
Please take a look at the documentation: https://docs.mendix.com/developerportal/operate/datadog-metrics/ and https://www.datadoghq.com/blog/how-to-monitor-authentication-logs/#log-using-a-standard-parsable-format
Example:
```
evt.category="authentication" evt.name="MFA code created" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="user login with MFA" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="MFA validated" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"
evt.category="authentication" evt.name="unknown user" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="Henk"
evt.category="authentication" evt.name="invalid password" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="MFA enabled but no session found" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
evt.category="authentication" evt.name="Max MFA attempts exceeded" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"
```
Version: 2.0.0
Framework Version: 8.18.8
Release Notes: After review and feedback we released 2.0 of the module. Please upgrade to this version!
- When you mark this module as your favorite Marketplace content, you will receive notifications about new releases.
Breaking change:
- We removed the capability to use MFA from login.html (too complex)
Configuration:
- Remove MFA directory from your resources directory
Improvements:
- For MFA users: Max login attempts and Max MFA attempts can be configured with constants (default is 3)
- For non-MFA users: after the platform default of 3 failed attempts the user is blocked according to the Mendix platform default and released after 5 minutes (but read https://docs.mendix.com/refguide/login-behavior)
- Improved logging message when a user is blocked (so it is in line with unblocks by the Core runtime)
- Reduced lines of Java code
- Added unit tests (if you experience issues, please check if you can create a unit test for the case)
- Removed an HTML snippet and replaced it with a nanoflow + JavaScript action
- The create-code flow is more fail-proof: if the custom implementation of creating a code is not correct, the flow remains secure (a random code is always set)
- This Mendix 8.18.8 version of the module is Mendix 9 compatible (BlockSince attribute on User entity fix for Mendix 9 included!)
Version: 1.5.0
Framework Version: 8.18.8
Release Notes: - Added check on the MFA code entered by the user (thanks Dirk of S-Unit for reporting after pentests!)
- Added rate limit on attempts for MFA codes. The user will be blocked after 3 attempts (just like normal login attempts)
- Custom info and error messages are now possible
- Small documentation fixes
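The 2.0 notes describe a configurable attempt limit and a create-code flow that stays secure even when a custom code generator misbehaves, and the 1.5 notes describe the server-side check of the entered code with a block after 3 attempts. The following is an added illustration of those properties in Python, written for this page; it is not the module's Java or microflow code, and the names `MfaState`, `create_code`, `validate_code` and the `custom_generator` hook are hypothetical. It emits simplified log lines in the same `evt.*` style as the Datadog examples above so the ordering (three "Invalid MFA entered" lines, then "Max MFA attempts exceeded") can be checked.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field

MAX_MFA_ATTEMPTS = 3   # mirrors the page's configurable constant (default 3)
CODE_LENGTH = 6        # assumed code length for this illustration


@dataclass
class MfaState:
    """Per-login MFA state; in the real module this lives on the user/session."""
    code: str = ""
    attempts: int = 0
    blocked: bool = False
    log: list = field(default_factory=list)


def _emit(state, name, outcome, user):
    # Simplified Datadog-style line (no client IP / user agent in this example).
    state.log.append(
        f'evt.category="authentication" evt.name="{name}" evt.outcome="{outcome}" usr.name="{user}"'
    )


def random_code(length=CODE_LENGTH):
    """Cryptographically random numeric code, zero-padded to `length` digits."""
    return f"{secrets.randbelow(10 ** length):0{length}d}"


def create_code(state, user, custom_generator=None):
    """Create-code step. An optional custom generator (hypothetical hook) may
    supply the code; if it raises or returns anything that is not a code of
    the expected shape, a fresh random code is set so the flow stays secure."""
    code = None
    if custom_generator is not None:
        try:
            code = custom_generator()
        except Exception:
            code = None
    if not (isinstance(code, str) and re.fullmatch(r"\d{%d}" % CODE_LENGTH, code)):
        code = random_code()
    state.code = code
    state.attempts = 0
    _emit(state, "MFA code created", "success", user)
    return code


def validate_code(state, user, entered):
    """Server-side check of the entered code with a rate limit."""
    if state.blocked:
        _emit(state, "Max MFA attempts exceeded", "failure", user)
        return False
    # No outstanding code (never created or already used) can never validate,
    # even for an empty input; without this guard "" == "" would pass.
    if not state.code:
        _emit(state, "Invalid MFA entered", "failure", user)
        return False
    if hmac.compare_digest(state.code.encode(), str(entered).encode()):
        state.code = ""   # one-time use
        _emit(state, "MFA validated", "success", user)
        return True
    state.attempts += 1
    _emit(state, "Invalid MFA entered", "failure", user)
    if state.attempts >= MAX_MFA_ATTEMPTS:
        state.blocked = True
        _emit(state, "Max MFA attempts exceeded", "failure", user)
    return False


if __name__ == "__main__":
    s = MfaState()
    code = create_code(s, "demo_user", custom_generator=lambda: "1234")  # too short: fallback
    wrong = "000000" if code != "000000" else "111111"
    for _ in range(MAX_MFA_ATTEMPTS):
        validate_code(s, "demo_user", wrong)
    print("\n".join(s.log))
```

Three points are worth noting in the design: the code is compared with `hmac.compare_digest` rather than `==`, the fallback kicks in on any malformed or failing custom generator instead of leaving an empty code, and an empty outstanding code is rejected explicitly so that "no code" can never be mistaken for "correct code".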