2FA Authentication at a large bank
A large bank wants to add an extra layer of security to its client portal. With 2FA, it can better protect its clients against password theft and phishing attacks. 2FA has also caused a significant reduction in the number of brute-force attacks on its servers.
2FA, or Two-Factor Authentication, means the bank sends the client a code as part of the sign-in process. Every time the client signs in, the client portal generates a new code and sends it to their mobile. When the client enters the code, the client portal grants access.
This gives the bank a number of important benefits:
- It greatly mitigates the risk of stolen passwords and phishing attacks.
- It makes it so that hackers cannot get in by guessing or brute-forcing passwords.
- In case of a data breach, the hackers still cannot log in to clients' accounts.
All of this was realized by using the Auron SMS Server. In this use-case we’ll demonstrate how you can add 2FA to your organization as well.
We’ll start by setting up the Auron SMS Server and configuring the channels, then show how to add a 2FA code to the sign-in process. In this case the bank uses PHP for the sign-in to its client portal.
Set up the Auron SMS Server
First, start by downloading the SMS Server. You can set up the Auron SMS Server on a local server or in the cloud. Before you start, have a look at the system requirements and find a detailed setup guide here.

Create an SMS channel
There are several ways to connect to your SMS provider, for example, for lower volumes you can use a GSM modem or your mobile phone. If you expect a lot of traffic you can connect through HTTP or through SMPP. With HTTP and SMPP you can connect to multi-port GSM modems or to your provider directly over the internet.
The Auron SMS Server includes presets for several well-known SMS providers. Many providers also include support for WhatsApp or other instant messaging applications that you can use with the Auron SMS Server.

Create an HTTP API channel
The Auron SMS Server supports a REST API to send any message type directly from your application or from your web portal. Set up this API by creating a new HTTP REST API Channel.
With this channel you can create and send any message type by sending either an XML or a JSON request. Also, you can specify credentials to make sure this channel is only accessible if you use the right API key or if your request originates from an IP address on your allow list.

Send a 2FA code
With the Auron SMS Server now set up and correctly configured, we can send a 2FA code from the sign-in. In PHP that looks like this:
// Generate a temporary authorization code: 6 characters from 0-9 and A-F.
// random_int() draws from the operating system's CSPRNG; rand() is predictable.
$sNewCode = '';
for ($i = 0; $i < 6; $i++)
{
    $n = random_int(0, 15);
    $sNewCode = $sNewCode . ($n < 10 ? chr($n + 48) : chr($n + 55));
}
// Store the authorization code and its expiry time (5 minutes) in your session
$_SESSION['code'] = $sNewCode;
$_SESSION['cval'] = date_add(date_create('now'),
    date_interval_create_from_date_string('5 minutes'));
// The base URL is the SMS Server + channel
$BASEURL = "http://localhost:7000/HTTP_API1";
// Use the create.json to send an SMS using JSON
$url = $BASEURL . "/messagedb/create.json";
// Send the SMS by creating the message as 'SCHEDULED'.
// $sToAddress is the client's mobile number, looked up from the account record.
$objMessage = array("message" => array(array(
    "TypeID" => "SMS",
    "StatusID" => "SCHEDULED",
    "ToAddress" => $sToAddress,
    "Body" => 'Your authorization code: ' . $sNewCode
)));
// Make the API call; http_call() is the application's own helper that POSTs
// the JSON body to the URL (it is not shown here)
$result = http_call($url, json_encode($objMessage));
if ($result === FALSE)
{
    echo("<h2 style='color: #f00;'>Error while connecting to HTTP API. " .
        " Please make sure you have an HTTP API channel configured.</h2>");
    exit;
}
This code does a couple of things: first, we generate a 6-character code and store it in the session, together with its expiry time, so we can refer to it later.
Next we’ll create a new SMS message in the Auron SMS Server. This message contains your 2FA authorization code and is scheduled for immediate sending.
Verifying the 2FA code
When the code is sent we can wait for the user to enter the code in the web page. Since we’ve stored the 2FA code in a session variable it’s easy to verify it.
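// $sCode is the code the user entered in the web page
$sVerifyCode = $_SESSION['code'] ?? '';
// Reject the code once the expiry time stored in $_SESSION['cval'] has passed
$bExpired = !isset($_SESSION['cval']) || date_create('now') > $_SESSION['cval'];
// hash_equals() compares in constant time, without the type juggling of !=
if ($bExpired || $sVerifyCode === '' || !hash_equals($sVerifyCode, (string)$sCode))
{
    echo("<h2 style='color: #f00;'>Error: Invalid authorization code!</h2>");
    exit;
}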
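The verification step can also cap the number of guesses per code and make each code single-use. The following is an added example, not code from Auron or from the bank's portal: `code` and `cval` are the session keys set in the send step above, while `ctries`, `MAX_TRIES` and `verify_2fa_code()` are hypothetical names, and the sample session is constructed.

```php
<?php
// Added example (not Auron's code). 'code' and 'cval' are the session keys the
// page sets; 'ctries', MAX_TRIES and verify_2fa_code() are hypothetical names.
const MAX_TRIES = 5;

function verify_2fa_code(array &$session, string $submitted, ?DateTimeInterface $now = null): string
{
    $now = $now ?? new DateTimeImmutable('now');

    // No pending challenge: nothing was sent, or it was already consumed.
    if (!isset($session['code'], $session['cval'])) {
        return 'missing';
    }
    // Enforce the 5-minute lifetime stored in 'cval' when the code was sent.
    if ($now > $session['cval']) {
        unset($session['code'], $session['cval'], $session['ctries']);
        return 'expired';
    }
    // Cap guesses per code: 6 hex characters are only 16^6 = 16,777,216 values.
    $session['ctries'] = ($session['ctries'] ?? 0) + 1;
    if ($session['ctries'] > MAX_TRIES) {
        unset($session['code'], $session['cval'], $session['ctries']);
        return 'locked';
    }
    // Constant-time comparison; uppercase the input to match the generator.
    if (!hash_equals($session['code'], strtoupper(trim($submitted)))) {
        return 'invalid';
    }
    // Single use: a correct code cannot be replayed within its lifetime.
    unset($session['code'], $session['cval'], $session['ctries']);
    return 'ok';
}

// Constructed sample session, standing in for $_SESSION after the send step.
$session = [
    'code' => '3FA91C',
    'cval' => new DateTimeImmutable('+5 minutes'),
];
echo verify_2fa_code($session, '000000'), "\n";   // wrong guess
echo verify_2fa_code($session, '3fa91c'), "\n";   // correct code
echo verify_2fa_code($session, '3FA91C'), "\n";   // replay of a used code
```

In the portal you would pass `$_SESSION` as the first argument. Because the counter lives in the session, also limit how often a new code can be requested per account.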
And that’s it! That’s how easy it is to use the Auron SMS Server to implement a fully custom 2FA process.
If this is something that could help your business and you would like some more information or a demonstration, please let us know.