How to protect your AS Java application with Two-Factor Authentication (2FA) based on Time-Based One-Time Passwords (TOTP)
Goal: You want to improve the security of an application running on an AS Java server using a simple 2FA solution.
Prerequisite: You have a license for the SAP Single Sign-On product.
In this blog you will find the simple steps for configuring 2FA based on TOTP for an AS Java application using the SAP Single Sign-On product.
Time-Based One-Time Passwords (TOTP) are passcodes generated by an algorithm that computes a one-time password from a shared secret key and the current time (see RFC 6238). The SAP Single Sign-On product offers a two-factor authentication solution based on TOTP. This kind of authentication is considered stronger because TOTP passcodes are time-based (valid for only 30 seconds), each passcode can be used for only one logon attempt, and the logon combines two means of identification: something the user has and something the user knows. The user has the mobile device on which the passcode generator is installed, and knows a password (the password that unlocks the device and, in the "Password + OTP" scenario below, the system password entered in the first logon stage). This makes TOTP a good fit for protecting a system or an application with a strong authentication mechanism. SAP offers a passcode generator mobile application called "SAP Authenticator" (currently available for iOS, Android and Windows devices) that generates 6-digit or 8-digit passcodes.
Note: The SAP Single Sign-On product also offers 2FA alternatives to TOTP, such as a One-Time Password (OTP) sent via SMS or e-mail, or integration with a RADIUS server (RSA and others), but in this blog I will provide the configuration details only for 2FA based on TOTP.
How to use the 2FA based on TOTP for protecting an application running on AS JAVA:
We assume that the authentication stack of your application is currently configured to use the default login module, BasicPasswordLoginModule, so users have to provide their user ID and password to be authenticated.
In my configuration example I will use a sample Java application that simply displays the user name of the logged-on user and also shows which authentication method was used.
Open SAP NetWeaver Administrator (NWA) at https://<host>/nwa and log on with the credentials of an administrative user.
Navigate to Configuration > Authentication and Single Sign-On > Authentication tab > Components.
Find the policy configuration of the application you want to protect and open its authentication stack. In my example the screenshot shows the policy configuration of my simple custom Java application.
Initial state of the configuration:
The user experience before configuring 2FA based on TOTP is the following:
The user is asked to provide his/her user ID and password:
When the credentials are correct, the user is authenticated successfully. Based on the logic of my simple application, the user name is displayed together with the authentication method "Password":
Now let’s do the configuration for implementing 2FA based on TOTP:
Click "Edit" for the policy configuration you want to change, replace the BasicPasswordLoginModule in its authentication stack with TOTPLoginModule, keep the flag "SUFFICIENT" and click "Save".
In our example we want to keep the first-stage logon with user ID and password and add a second stage where the user is prompted for a passcode (TOTP). This is why we keep the OTP settings of the system at their default values: the setting "First Factor Login Module" stays at its default, BasicPasswordLoginModule. Here you can see a screenshot of the default configuration in the OTP administrative UI. To open the OTP administrative UI use https://<host>/otpadmin and the credentials of your administrative user:
Now it is time to test the configuration “Password + OTP”:
First the user is prompted for his/her user ID and password.
In the second stage the user has to provide a TOTP passcode, but because no mobile device is configured for the account yet, the user is informed that he/she needs to activate a mobile device:
To test the configuration to the end, you need to set up your mobile device for TOTP:
Prerequisite: You have the SAP Authenticator mobile application installed on your mobile device.
1. Open the self-service for mobile device setup at https://<host>/otp and log on with the test account.
2. Click the link "Set Up Account on Device".
3. A QR code is displayed. In the SAP Authenticator mobile application tap "Add new account", scan the QR code and tap "Done". The mobile application starts generating TOTP passcodes immediately, but before you start using them you have to complete the setup by clicking "Finish" in the self-service procedure on the PC:
Now we can finally test the configuration:
Start the authentication again with the user ID and password:
In the second stage you are prompted for a passcode generated for your test user by SAP Authenticator on your mobile device. Type the current passcode and click "Log On":
When you provide a valid passcode you are authenticated successfully and the authentication method shown is "Password + OTP":
Note: To make the logon form display "Passcode" for the second authentication stage, make sure the property "Alias of Application for Customizing Login Pages (ume.logon.application.ui_resources_alias)" is set to /otp_logon_ui_resources. This alias is delivered with the SSO AUTHENTICATION LIBRARY 2.0. You configure it here:
Navigate to Configuration > Authentication and Single Sign-On > Authentication tab > Properties. See:
One more scenario, "SPNEGO + OTP":
If you already use a single sign-on technology in your company, for example Kerberos/SPNEGO, you can just as easily add 2FA based on TOTP: combine the login module you use today with OTP, for example "SPNEGO + OTP" or "X.509 + OTP".
I will describe the "SPNEGO + OTP" configuration; the same approach works for other login modules.
Note: As usual, when you want SPNEGO as the first authentication attempt, your AS Java system needs to be configured for SPNEGO already (see the screenshot with the example):
If you are currently using the SPNegoLoginModule in the authentication stack of your application, like here:
You have to do two things:
1) Replace the SPNegoLoginModule in the authentication stack of your application with TOTPLoginModule (the same change we made for the "Password + OTP" scenario):
2) Go to the OTP administrative UI, change the default setting of "First Factor Login Module" to SPNegoLoginModule and don't forget to save. See the screenshot with the configuration below:
Now your application uses "SPNEGO + OTP" authentication.
Test of the new configuration:
If we test access to the application with an account that is already authenticated to the Microsoft domain, the first authentication stage is SPNEGO and the user sees only the second stage, where he/she is prompted for a TOTP passcode:
When a correct TOTP passcode is provided, the user is authenticated successfully and the authentication method shown is "SPNEGO + OTP":
An alternative scenario, "SPNEGO or PASSWORD + OTP":
This scenario matters when the application you protect is also used on kiosk or shared PCs. Then you have one group of users who have a Kerberos token, so SPNEGO works for them, and a second group who use shared PCs, where single sign-on is not an option. To protect such an application, configure both login modules in the OTP settings, separated by a comma; the modules are tried in the order listed. Type BasicPasswordLoginModule after SPNegoLoginModule, like this: "SPNegoLoginModule,BasicPasswordLoginModule".
With this configuration, users in the first group (logged on to the Microsoft domain) get "SPNEGO + OTP" authentication, and users in the second group (using the application from a kiosk or shared PC) get "Password + OTP" authentication.
Note: Make sure SPNegoLoginModule is listed first. Otherwise every user is prompted directly for "Password + OTP", and SPNEGO does not work even for users who have a Kerberos token available.
See the screenshot of the configuration:
You can find more details about 2FA based on TOTP and all the settings available for configuration in the SAP Single Sign-On documentation.