April 16, 2015

619 words 3 mins read

Making Of: The MFA Phone (Because Twilio is too easy)

Like so many others, I strongly believe that multi-factor authentication (MFA) should be a requirement for every website. It is a cheap and (fairly) easy way in which we can secure the sites of today, that use the authentication from yesterday (well, a few decades ago), until we have the secure authentication of tomorrow. Companies like Authy and Duo are making it faster and easier than ever before to adopt MFA into your personal workflow for “Everything”.

That is, until you need to share a login with colleagues.

First, why would you share an MFA token? Shared accounts are bad, annoying, and worst of all: required. For all software that has user accounts, someone will be the supreme super root administrator god. Ideally, this is an account that is locked away into a password safe and not touched. With Software-as-a-Service (aka “The Cloud”), it is not always realistic to lock it away; that “god” user will probably cost you money (every month) and may be the only user imbued with certain powers.

There is no great way to solve the problem of allowing multiple people to use the same MFA token (preferably without having to wake up another person with a code). Solutions like Duo Mobile are great for convenience; however, there is no way to share the responsibility. Good old TOTP, aka Google Authenticator, can be shared easily. However, you have to gather everyone around to take pictures of the QR code, which can be an exercise similar to herding cats. Worse, the entire game begins again if you ever need to add or remove someone to the “list” (or if someone gets a new phone) as well. Lastly, there’s the “what if” the site/service doesn’t even support TOTP codes to begin with.

After a little brainstorming, Jon and I came up with the solution. SMS. Almost every site out there supports text messages as a MFA option, all we had to do was distribute those codes received via SMS. The first and most obvious thought is to use Twilio. Their APIs are first class and it would be very cheap to support. However, in testing, some sites wouldn’t send text messages to Twilio since it wasn’t a “real” phone. The texts just disappeared into the abyss which is both annoying and depressingly expected. Our solution to this was “The MFA Phone”.

We got a Samsung Galaxy S4 (though any half-decent Android phone will do) on our Verizon Business account with the least possible services and wired it up with a bit of Tasker duct tape and NodeJS bailing wire. Here’s the logic flow:

  • SaaS product sends MFA code to our Verizon Wireless phone number
  • Android phone receives text messages
  • Tasker reads all new messages and posts them to a small NodeJS app that we have hosted
  • NodeJS app takes the message and posts it the HipChat API.
  • Message shows up in a private, IT Dept only, room.

2015-04-01 20_38_57-HipChat - History - FIT-Team In just 5 easy steps, you’ve got SMS MFA shared among your entire team. It also happens to offer a bit of oversight if your team is attentive, as everyone knows when an MFA code was requested (typically this is on login, for most sites).

Now this might not seem like the simplest (or cheapest solution: See also VZW monthly service), however it has been very reliable for us. The only time it’s failed is when the server running the NodeJS app was restarted. Since the system was built to convey sender phone number (and name, if programmed) we expanded the usage to include “emergency notifications” from trusted corporate parties (like the CEO’s EA who’s conveying his desire we ‘jump’).

The code, in all it’s beauty is available on Github.