Two Factor Authentication

In today’s internet landscape, more and more sites are either requiring two factor authentication (2FA) or providing it as an option to their users. Two factor authentication gives an additional layer of security to a site by requiring an additional step in the login process. That second step generally requires the user to have access to a known email address, phone number, or device to complete the authentication process. The second step helps to reduce the danger that someone trying to gain access to a system can simply guess a password. This can be important in libraries where many libraries use a simple 4 digit PIN to authenticate the user.

Over the last few months we’ve been asked if that type of authentication would be possible within Aspen especially for staff that may have permissions to be able to masquerade as other users, create public lists, moderate reviews, and other actions that could have privacy concerns. With the help of our libraries, we built a two factor authentication feature that works with any ILS.

Let’s start by looking at how the 2FA system works and then we can look into how to set it up. When a user logs in the first time after two factor authentication is enabled they will be given an error message that they need to configure 2FA for themselves. They will then be sent to a dialog explaining the steps.

The dialog will indicate the email address that is on file for them with the library and when they click the Next button, an email will be sent to them containing a random six digit code. The code is good for 15 minutes and can only be used on the device that the code was generated from. After the patron receives the email, they will enter the code on the next screen.

In the final step, the patron will be given a set of backup codes that they can store in a safe place to use during login in the event that they temporarily don’t have access to their email.

These backup codes are each valid for a single use and can be regenerated within Aspen if a patron forgets them or uses all of their backup codes (more about this later).

Once everything is complete they get a success message and are able to login to Aspen Discovery.

The next time they login to the catalog, they will first need to enter their normal username and pin/password. After successfully entering the username and pin they will get an email with a new verification code to authenticate with. To prevent needing to re-authenticate multiple times over and over, the user can choose “Remember Me” to stay logged in to Aspen. The ability to use Remember Me can be disabled at specific locations though to help prevent users from staying logged in on public computers.

A user can disable two factor authentication (if they are allowed to) or generate new backup codes by selecting Security Settings in their account menu.

Now that we’ve seen how two factor authentication works for patrons and staff, let’s take a quick look at how to configure the system.

To set up two factor authentication, you will need Administer Two-Factor Authentication permission which is located in the Primary Configuration setting.

From the Primary Configuration section of the Aspen Administration home screen, add a new Two-Factor Authentication Setting. Give the settings a name that is meaningful to you. You could name it for the library, have separate settings for staff and the public etc. Then you can set which libraries and patron types the two factor authentication applies to so you can restrict to only requiring two factor authentication for staff, etc.

If a patron or staff member loses access to their email, you can select the Recover User Account option from your Two Factor Authentication Settings. The patron can then unlock their account without needing access to their email.

Some important things to remember when using Two Factor Authentication:

  • You will need an outgoing email setup for your Aspen server. At ByWater, we set up all partners with Amazon SES if desired or you can use a SendGrid account to send emails to patrons.
  • We suggest encouraging users to utilize the Remember Me functionality to avoid constantly needing to re-authenticate unless they are at public computers.
  • If you require the use of two factor authentication for patrons, all patrons will need an email address which may not be practical in your community. If you choose to use two factor authentication, consider making it optional for the general public.
  • If your ILS supports more complex PINs and Passwords, encourage patrons and staff to use stronger passwords for improved security even without two factor authentication.
  • If you need to use the account recovery functionality, make sure that you properly verify the patron is who they say they are.

We’re excited for the improved security that two factor authentication can bring. Please let us know how it works at your library!

Read more by Mark Noble

Tags