Google Authenticator is a popular app to enable a mobile phone as a second factor for authentication. It’s based on the TOTP standard, which Curity Identity Server supports. In this tutorial, we’ll describe how to set it up.
You will need an installation of Curity Identity Server with the basic setup completed. You can achieve this by following our Getting Started Guides. Alternatively, if you have a system up and running with your own configuration, you can use that as well. Just be aware that you probably have different names set for certain components.
First, create a new Authenticator by giving it a name and selecting the
Since we’ll use Google Authenticator as a second factor, we still need a first factor. For this demo, we’ll use the HTML form Authenticator called username-password. Add it both as a Login and as a Registration prerequisite. This will also let the Authenticator know which account the device is bound to.
Then, choose which Account Manager to use. Select the default-account-manager. Then configure which Bucket to use. Select default-bucket. Keep in mind that Google Authenticator only supports the SHA-1 Algorithm. If you are using other TOTP apps, they might support stronger algorithms.
Lastly, we must set the source of the key. The key could either be pre-generated or generated on the fly. If it is pre-generated, use the pre-shared-key-configuration. If not, you can let Curity Identity Server generate it on the fly when a new device is registered. To configure this, select generated-key-config and choose which Bucket to store the key in. We will choose the default-datasource again. We will also set the Issuer to make it easy for the end-user to identify this account in the Google Authenticator App. Set it to Curity test server.
Once you set up the Authenticator, you must register your device to your user account. Accomplish this by clicking on the Register new device link in the Authenticator. This will bring up a QR code. Scan this code with the Google Authenticator App and press Next to confirm your setup is correct.
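To make concrete what the QR code carries and what the server checks at login, here is an added example in Python (not Curity's code) of the TOTP scheme from RFC 6238: it builds the otpauth URI that the QR code encodes, with the Issuer set to Curity test server, and verifies a submitted code using HMAC-SHA1, the only algorithm Google Authenticator supports. The account name and the random seed are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse


def generate_secret(nbytes=20):
    """Fresh random TOTP seed; 20 bytes is the size RFC 4226 recommends for HMAC-SHA1."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret, account, issuer, digits=6, period=30):
    """The otpauth:// URI the QR code encodes; Google Authenticator reads issuer/account from it."""
    label = urllib.parse.quote(f"{issuer}:{account}", safe=":@")
    params = urllib.parse.urlencode(
        {
            "secret": base64.b32encode(secret).decode().rstrip("="),  # base32 seed, unpadded
            "issuer": issuer,
            "algorithm": "SHA1",  # Google Authenticator ignores anything stronger
            "digits": digits,
            "period": period,
        },
        quote_via=urllib.parse.quote,
    )
    return f"otpauth://totp/{label}?{params}"


def totp(secret, for_time, digits=6, period=30, algorithm=hashlib.sha1):
    """Code for the 30-second step containing for_time (HOTP over the step counter)."""
    counter = int(for_time) // period
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret, code, now=None, window=1, period=30, **kw):
    """Server-side check: accept the current step plus `window` steps either side to absorb
    phone clock drift; constant-time compare so timing does not leak matching digits."""
    now = time.time() if now is None else now
    return any(
        hmac.compare_digest(totp(secret, now + step * period, period=period, **kw), code)
        for step in range(-window, window + 1)
    )


if __name__ == "__main__":
    seed = generate_secret()
    print(provisioning_uri(seed, "alice@example.com", "Curity test server"))
    print("current code:", totp(seed, time.time()))
```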
Now, you can authenticate with Google Authenticator on your mobile phone as a second factor. You can also manage your devices via SCIM and set devices to expire after a certain amount of time. In this example, we used a one-factor authentication to register the device, but a two-factor process would be more secure in production.