Multi-factor Authentication For Mendix (MFA/2FA)

Content Type: Module

Categories: Authentication

Overview

The musthave multi-factor(MFA) / twofactor(2FA) authentication module that uses the Mendix core login/authentication capabilities together with an additional layer of security. It creates a usersession after user+password AND an additional code is validated. It supports all the common ways to create/validating codes like SMS, e-mail and (Google) Authenticator app.

- 8-7-2025: Made the module easy upgradable by configure your microflows instead of changing the marketplace module.

- 08-01-2025: Security fix + UI improvements

- 06-09-2023: Added support for Datadog CloudSIEM

To support the feature of using Datadog's CloudSIEM there is a new constant introduced to enable this. When enabled it will produce INFO logmessages that are detected by Datadog's CloudSIEM if you have Datadog configured for your environment.

Please take a look at the documentation: https://docs.mendix.com/developerportal/operate/datadog-metrics/ and https://www.datadoghq.com/blog/how-to-monitor-authentication-logs/#log-using-a-standard-parsable-format

Example is

evt.category="authentication" evt.name="MFA code created" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"

evt.category="authentication" evt.name="user login with MFA" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"

evt.category="authentication" evt.name="MFA validated" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin"

evt.category="authentication" evt.name="unknown user" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="Henk"

evt.category="authentication" evt.name="invalid password" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"

evt.category="authentication" evt.name="MFA enabled but no session found" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"

evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"

evt.category="authentication" evt.name="Max MFA attempts exceeded" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user"

- 29-12-2022: Please upgrade to version 2.0 (Mendix 9 compatible, see improvements in release notes)

- 24-12-2021: Please upgrade to version 1.5 (Vulnerability fix, rate limit and documentation)

Documentation

See documentation on https://github.com/Emixa-application-solutions/multifactor-authentication

Releases

Version: 4.0.0

Framework Version: 9.24.0

Release Notes: We redesigned the architecture of the module so you don't have to change microflows within the Marketplace module. You configure the required microflows in the after startup and they will be executed during the login procedure. Be sure to add the `ASU_SetMicroflows` and `ASU_v2` to your after startup

Version: 3.1.1

Framework Version: 9.18.6

Release Notes: Patch: HTML widget not included in the package See 3.1 release notes for information

Version: 3.1.0

Framework Version: 9.18.6

Release Notes: - Security fix for After startup: Access rights removed (Thanks Dirk / S-Unit) - UI improvements for the login page Upgrade note: check out the changed microflows for your implementation (SUB_MFA_CreateCode, SUB_MFA_UserDisabledCheck, and SUB_MFA_ValidateCode). Otherwise, you will get errors when overwriting the module at startup.

Version: 3.0.0

Framework Version: 9.18.4

Release Notes: To support the feature of using Datadog's CloudSIEM there is a new constant introduced to enable this. When enabled it will produce INFO logmessages that are detected by Datadog's CloudSIEM if you have Datadog configured for your environment. Please take a look at the documentation: https://docs.mendix.com/developerportal/operate/datadog-metrics/ and https://www.datadoghq.com/blog/how-to-monitor-authentication-logs/#log-using-a-standard-parsable-format Example is ``` evt.category="authentication" evt.name="MFA code created" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin" evt.category="authentication" evt.name="user login with MFA" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin" evt.category="authentication" evt.name="MFA validated" network.client.ip=127.0.0.1 evt.outcome="success" usr.name="MxAdmin" evt.category="authentication" evt.name="unknown user" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="Henk" evt.category="authentication" evt.name="invalid password" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user" evt.category="authentication" evt.name="MFA enabled but no session found" http.useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user" evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user" evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user" evt.category="authentication" evt.name="Invalid MFA entered" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user" evt.category="authentication" evt.name="Max MFA attempts exceeded" network.client.ip=127.0.0.1 evt.outcome="failure" usr.name="demo_user" ```

Version: 2.1.0

Framework Version: 8.18.8

Version: 2.0.0

Framework Version: 8.18.8

Release Notes: After reviewing and feedback we released 2.0 of the module. Please upgrade to this version! * When your mark this module as your favorite marketplace content you will receive notifications about new releases. Breaking change: - We removed the capability to use MFA from login.html (too complex) Configuration: - Remove MFA directory from your resources directory Improvements: - For MFA users: Max login attempts and Max MFA attempts can be configured with constants (default is 3) - For non-MFA user after the default platform attempts of 3 the user will be blocked according to the Mendix platform default and is released after 5 minutes (but read https://docs.mendix.com/refguide/login-behavior) - Improved logging message when user is blocked (so it's in line with unblocks by the Core runtime) - Reduced lines of java code - Added unit tests (if you experience issues, please check if you can create a unit test for the case) - Removed a HTML snippet and replaced this with a nanoflow + Javascript action - Create code flow is more fail proof if the custom implementation of creating code was not correct, the flow remains secure (by always setting a random code) - This Mendix 8.18.8 version of the module is Mendix 9 compatible (BlockSince attribute on User entity fix for Mendix 9 included!)

Version: 1.5.0

Framework Version: 8.18.8

Release Notes: - Added check on MFA code by the user (thanks Dirk of S-Unit for reporting after pentests!) - Added rate limit on attempts for MFA codes. Will block after user after 3 times (just like normal login attempts) - Custom info and error messages are now possible - Small documentation fixes