Securing your online SAP account with Multi-Factor Authentication
In this blog post I will briefly explain what Multi-Factor Authentication (MFA) is, what is in those authentication QR codes (the otpauth URI scheme), and mention different applications/services that can be used to generate the one-time passwords (OTP) required for two-factor authentication (2FA).
What is Multi-factor authentication (MFA)?
I’m sure most of you follow some common security practices to protect your online accounts 😃, e.g. don’t reuse passwords across services, generate random strong passwords, use a password manager to store all those strong passwords, update a password if an online service has been compromised and enable MFA where available.
To keep online accounts secure, we lately see more services adopting MFA, e.g. MFA was recently enabled for the SAP Ariba developer portal. MFA adds an additional layer of protection when accessing a website/application, as it requires two pieces of evidence (password + OTP), instead of just one (password), to grant you access. For example, let’s assume that you have enabled MFA for an online service: even if the password you use to log in to the service has been compromised, your account will still be secure/inaccessible, as the service will require an additional piece of evidence, e.g. the OTP, to grant access to it.
Enable MFA in your SAP account
You might be aware that SAP accounts support multi-factor authentication. If you haven’t enabled it, I encourage you to do so to keep your account secure. You can do this by visiting https://accounts.sap.com to manage your profile. When you enable MFA, you can configure Time-based One-time Password (TOTP) 2FA and although the SAP Authenticator app is suggested as a means to generate the OTP, it is not the only application you can use to generate the passcode.
Time-based one-time password (TOTP) is a computer algorithm that generates a one-time password (OTP) that uses the current time as a source of uniqueness. Source: Wikipedia – Time-based one time password.
What is in the QR Code?
If you retrieve the text in the QR Code, the content will look something like the following:
This long string follows the URI (Uniform Resource Identifier) format, see the URI specification RFC 3986. Because it is a standard, it is commonly used by multiple online services and will enable you to get an OTP using different applications/services. Let’s unpack the URI:
- otpauth: Scheme name, originally formalised by Google. If you want to learn more about the history of this, check out this answer in Stack Exchange – https://softwareengineering.stackexchange.com/questions/210597/who-invented-the-otpauth-uri-scheme
- totp: This specifies the type of our otpauth. In our case, time-based one-time password.
- accounts.sap.com:email@example.com: The label includes the issuer and the account name, the issuer being accounts.sap.com and the account firstname.lastname@example.org. This is the unique identifier of the credential and it prevents clashes between different accounts from the same issuer.
- secret and issuer parameters: The secret is provided by the issuer and is used to generate the passcode that is required as the OTP. The issuer in this case is the same, accounts.sap.com.
Now, let’s get back to how to generate an OTP.
Generate an OTP
It is common to suggest using a mobile application for 2FA, e.g. SAP Authenticator, but a mobile device is not actually necessary to configure the secret key and generate the passcode required for 2FA. Below I list a few applications/services that you can use to generate OTPs. As explained before, this is a standard, so it is possible to generate an OTP with many applications/services. It is likely that you already use one of the applications/services listed below, and it is just a matter of configuring a new account in them.
- Mobile applications:
- Desktop/mobile/web-browser plugin applications – Don’t have a mobile phone? Not a problem, there are alternatives:
- Self-host – Prefer hosting your own infrastructure/services:
Now that you are familiar with multi-factor authentication and know different applications/services you can use to generate OTPs, make sure you enable it for all services that offer the functionality, so you can keep your online accounts secure.
If I changed phones, how do I set MFA up in my new phone again?
My SAP account profile online says MFA is already set up but in my new phone I don't have it set up yet, and when trying to add it to my authenticator app it asks for a QR code from SAP.
Where do I get such a QR code when MFA has already been set up in an older phone (which I lost access to)?