Hello everyone,

I am working with Alex on his two-factor authentication proposal for Fineract. I will do a better introduction of my interactions with the Mifos community in the future. We were discussing the MPIN implementation for the Android app last weekend, and we would like to get some clarity on some session management aspects, i.e. whether the logout API / inactive session expiry features did not get built intentionally or whether they are an outstanding requirement. Right now I believe the logout button in the community app deletes the basic auth key / OAuth token / 2FA token from the root scope / local storage. I am not sure whom to loop in on this mail from the Android app side.

Regards,
Avik.

On Wed, Aug 2, 2017 at 8:05 AM, Nayan Ambali <[email protected]> wrote:
> Alex,
>
> I agree with Ed. It is a financial system; security always comes first,
> then convenience and usability.
>
> -
> Nayan Ambali
>
> On 02-Aug-2017 6:00 AM, "Ed Cable" <[email protected]> wrote:
>
>> Hi Alex,
>>
>> As far as I saw it, the remember-me is just for the second factor.
>>
>> Ed
>>
>> On Tue, Aug 1, 2017 at 12:23 PM, Alex Ivanov <[email protected]> wrote:
>>
>>> Hi Nayan and Ed,
>>>
>>> I hope you two are doing well.
>>>
>>> After a meeting between Avik and me we couldn't clarify one of the
>>> requirements of the two-factor project. We weren't sure whether the
>>> remember-me feature would apply for both first and second factor
>>> authentication or only the second authentication would be bypassed.
>>>
>>> In general, if remember-me applies for the two-factor auth only, the
>>> authentication workflow is as follows:
>>>
>>> 1. User authenticates with basicauth / oauth
>>> 2. Extended access token is generated (following the TFA workflow)
>>> 3. Client saves the access token, preferably encrypting it with the
>>>    username & password of the user
>>> 4. On consecutive logins, after authenticating with basicauth / oauth
>>>    the user is not prompted for TFA authentication; the access token is reused.
>>>
>>> Thanks,
>>> Alex
>>
>> --
>> *Ed Cable*
>> President/CEO, Mifos Initiative
>> [email protected] | Skype: edcable | Mobile: +1.484.477.8649
>>
>> *Collectively Creating a World of 3 Billion Maries | *http://mifos.org
>> <http://facebook.com/mifos> <http://www.twitter.com/mifos>
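The server-side counterpart of steps 2 and 4 of the workflow quoted above, together with the logout API and inactive-session expiry asked about at the top of the mail, as an added example that is not part of this thread or of Fineract's code; the class, its method names and the two lifetimes are assumptions, and the point it makes is that deleting the token on the client alone does not end the session.

```python
import hashlib
import secrets
import time

# Assumed policy values (not from the thread): the remember-me window for the
# second factor, and how long a token may sit unused before it expires.
ABSOLUTE_LIFETIME = 30 * 24 * 3600
IDLE_TIMEOUT = 15 * 60


class TfaTokenStore:
    """Server-side registry for the 'extended access token' of step 2."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable for deterministic tests
        self._tokens = {}        # sha256(token) -> record

    @staticmethod
    def _key(token):
        # Keep only a hash so a dump of the store yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username):
        """Step 2: after first factor and TFA both succeed, mint the token."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._tokens[self._key(token)] = {
            "user": username, "issued": now, "last_seen": now, "revoked": False}
        return token

    def validate(self, username, token):
        """Step 4: accept the stored token instead of re-prompting for TFA.

        True only for a live, unrevoked token bound to the user who just
        passed first-factor auth; a successful check refreshes last_seen.
        """
        rec = self._tokens.get(self._key(token))
        if rec is None or rec["revoked"] or rec["user"] != username:
            return False
        now = self._clock()
        if (now - rec["issued"] > ABSOLUTE_LIFETIME
                or now - rec["last_seen"] > IDLE_TIMEOUT):
            rec["revoked"] = True    # expired: same effect as a logout
            return False
        rec["last_seen"] = now
        return True

    def logout(self, token):
        """Logout API: invalidate server-side, not just the client's copy."""
        rec = self._tokens.get(self._key(token))
        if rec is not None:
            rec["revoked"] = True
```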
