One of the new features of SAP Single Sign-On 2.0 SP3 is support for two-factor authentication with SAP Authenticator, a one-time password generator. In my blog, I will show you how to use a second authentication factor for high security scenarios.
Do you want to make it hard for an attacker to impersonate you and compromise your user account?
Imagine a solution that provides a one-time password generated on your mobile device. Imagine this password is valid for 30 seconds and can only be used once. Now combine it with another authentication factor, like your corporate password.
It seems hard to hack two passwords at a time, isn’t it? Even if an attacker steals your mobile device he still needs your corporate password to authenticate and vice versa.
With SAP Single Sign-On 2.0 SP3 you can have a solution to some of the most serious threats companies face today – identity thefts and data breaches. It provides two-factor authentication with one-time passwords as an additional layer of security on top of passwords (two-step verification). Of course, using one secure password is good but using it with two-factor authentication is even better.
Beside security concerns, the solution addresses some usability and cost saving issues. Just read on.
The main goal of two-factor authentication is to prevent an attacker from accessing your account due to a compromised password.
In fact, without using the SAP Single Sign-On solution companies are facing security problems because their users need to maintain and remember large number of passwords which results in insecure credentials.
With the already existing capabilities of SAP Single Sign-On, companies are safe. Their users need to authenticate with only one password to gain access to multiple systems.
By introducing two factors to the authentication process – a password (something the user knows) and a one-time password generated on a mobile device (something the user has), the SAP Single Sign-On 2.0 SP3 solution makes companies even safer. It adds an additional layer of security for scenarios that require a very high level of protection.
One-time passwords (OTP), referred to as passcodes, are 6-digit codes generated by the SAP Authenticator mobile application (available on Apple Store for iOS devices with its first version). They are short lived and cannot be reused across websites.
To add more on the security side, the SAP Authenticator provides a secure storage of the secret keys used to generate the passcodes. You can also protect the mobile application by setting up a password in case your mobile device is lost or stolen.
You can use the solution to log on to SAP systems via Secure Login Client, via SAML (using SAP NetWeaver Application Server (AS) Java as an Identity Provider) as well as to log on to web applications running on SAP NetWeaver AS Java.
Basically, what you need to benefit from the solution is an administrator to configure an SAP NetWeaver AS Java system to require two-factor authentication, and a user to install and activate the SAP Authenticator on a mobile device.
- The administrator needs to configure the system to require two-factor authentication by using two login modules to authenticate the user: the TOTPLoginModule and the BasicPasswordLoginModule. For more information, see: One-Time Password Authentication Administrator’s Guide
- The user (employee) needs to install the SAP Authenticator on a mobile device and activate it by completing the User Activation of SAP Authenticator wizard. It is a two-step process that requires the user to download the SAP Authenticator from the Apple Store or scan a QR-code, then set it up and verify it. Currently the application runs on iOS mobile devices only. For more information, see: Using SAP Authenticator on Your Mobile Device: User Guide
- Once ready, the user can log on with a password and a passcode to any SAP system or application that requires OTP authentication and that the user can access with the activated account.
Third Party Solutions
By providing a two-step verification with one-time passwords generated by the SAP Authenticator mobile application, we offer an all SAP solution which can reduce total cost of ownership for customers that otherwise would use a third party product.
In addition, the SAP solution is an interoperable solution, meaning the server provides QR codes that can be scanned by third party mobile applications (like Google Authenticator application), and also gives the SAP Authenticator mobile application the ability to generate passcodes for non-SAP sites (like Dropbox, Gmail).
Just try it, to make sure it is easy to use and hard to abuse.