MFA for OAuth?

This post includes a brief overview of the history and security risks of Open Banking, describes how Cloudentity’s MicroPerimeter™ Security with CIAM can support your Open Banking initiatives, and provides access to free trial software so that you can try it for yourself.  

One of the biggest challenges facing enterprises that want to engage in digital financial transactions is providing a simple, seamless and secure experience for their customers to transact. Open Banking was introduced to solve that challenge.

The History of Open Banking 

Open Banking was designed to enhance consumer protection and promote innovation in banking.1 It was adopted in the UK and Australia and is making its way to North America. When Open Banking is fully built out, consumers will be able to share their credit card, debit card, bank card, deposit and transaction data with any digital enterprise, which would then interact with financial intermediaries such as banks, non-bank lenders, mortgage brokers and financial technology (FinTech) start-ups. Open Banking requires that banks open up their application programming interfaces (APIs) to FinTechs.

This means that in addition to simplifying the consumer experience, Open Banking also opens the door for hackers and bad actors to engineer new and creative data breaches.

Open Banking Increases the Potential for a Breach 

To safely capitalize on new B2C and B2B2C business opportunities through Open Banking, you will need to ensure that sensitive consumer data and transactions do not end up in the wrong hands, especially for high-value transactions such as money transfers. A Melbourne, Australia family experienced this painful reality first-hand when they lost $250,000 from the sale of their home after the funds were rerouted by a hacker who exploited a vulnerability to gain access to a digital settlement system protected only by password authentication.2

Who Are You Really? 

The unfortunate family referenced above was hacked because someone was able to penetrate the intermediary company and redirect the funds to themselves. If a stronger authentication model had been implemented, this would never have happened.

Knowing where to begin to set up the security to adequately protect your applications and data for Open Banking can be daunting. Many companies do not have the level of experience needed to address this problem. But ignoring it or trying to tackle it on your own may add you to the growing list of companies with data breaches that will hurt your brand and penalize you financially.  

Access Your Free Trial 

We can help. We have designed a simple and unique platform – Cloudentity’s MicroPerimeter™ Security and CIAM (Cloud Identity Access Management).  You can access a free trial or software demo here to experience how this might work for you.  

The following steps will provide more information as well as walk you through exactly how to set this up. 

Cloudentity Safeguards the Gap between OAuth and MFA technologies 

Cloudentity’s MicroPerimeter™ Security with CIAM (Cloud Identity Access Management) platform integrates identity (MFA) with enforcement (OAuth) to safeguard the boundaries of the two related but separate systems.  The boundaries are most vulnerable to hacking attacks.  MicroPerimeter™ applies an extra layer of business security logic (policy) to create a complete, hack-proof, security management plan.  

OAuth and MFA are Core Components of Cloudentity 

OAuth is an authorization technology and MFA is an authentication technology that are both components of Cloudentity’s context-aware, dynamic authorization platform.  Cloudentity safeguards the gap that is left by OAuth and MFA technologies working independently.   

OAuth uses authorization tokens to prove an identity between resource owners (such as Facebook, Instagram, Google, LinkedIn, etc.) and third-party clients (such as retailers like Amazon or other online storefronts). A token is a piece of data attached to a request. Token-based authentication works by ensuring that each request to a server carries a signed token, which the server verifies for authenticity before it responds to the request.

It is important to note that OAuth is stateless and therefore does not carry information from one session to the next. Each request must be handled based entirely on the information it carries. OAuth can only verify that the token is authentic, not that the person presenting the token is really you.

Cloudentity’s MicroPerimeter™ Security with CIAM Tutorial 

The following tutorial shows you how to use Cloudentity’s MicroPerimeter™ Security with CIAM to combine OAuth and MFA into three levels of authentication.

Step 1 — Create Endpoints 

Let’s start where we left off in the Docker and MicroPerimeter Edge Standalone Tutorial, where we created one endpoint. We need to create two more, for a total of three, one for each level of authorization:

GET / 

GET /dogs/ 

GET /cats/ 

The trailing slashes are required with our nginx example in the previous tutorial. 

Step 2 — Simple MFA Policy 

Go to Edge Gateway->Access Policies: 

  1. Create a new policy. 
  2. Delete the “fail” step and replace it with the Authentication Event, choosing OTP.
  3. Define the timeframe you want to check since the user executed their last MFA — we set it to one minute for testing purposes (you might want to do 30 seconds if you don’t want to wait a minute for the MFA to time out). 

In this step we also update the endpoints for our “catsdogs” example so that the three endpoints have different kinds of security: 

GET / Anonymous Traffic 

GET /dogs/ Authentication 

GET /cats/ Authentication + MFA in the last 60 seconds 

Step 3 — Enable MFA for your user 

Log into https://idaas.cloudentityst.wpengine.com to enable OTP MFA for your test user.  

  1. Click on your username in the list of users, select the Update User button and then set MFA Method to One-Time Password Authentication.
  2. In the field below for OTP method, choose email as it makes copying and pasting easier for testing. 

Step 4 — Setting up OAuth 

The Cloudentity CIAM platform running https://idaas.cloudentityst.wpengine.com includes application management for OAuth. 

  1. Click on the Applications icon in the left-hand menu.
  2. In the text above the list of applications, click where it reads “To manage your OAuth Clients click here.”
  3. You are now in the developer portal. Click on the blue circle with the (+) symbol to add a new app.
  4. Give your app a name and, when prompted, choose the “Web” application type to get the right Auth Code grant. This will give you a Client ID and a Secret for testing.
  5. Test using an application such as Postman by copying and pasting the Client ID and the Secret from step 4, together with the two endpoints:
     Auth URL: https://idaas.cloudentityst.wpengine.com/oauth/authorize
     Access Token URL: https://idaas.cloudentityst.wpengine.com/oauth/token

You are ready to log in and get a token — note that you will be prompted to provide your MFA OTP if you did the previous step. 
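As an added illustration of the Step 4 exchange (example code written for this post, not Cloudentity’s SDK or anything Postman produces): it builds the authorization request against the Auth URL above, checks the state value when the browser is redirected back, and assembles the form body that is POSTed to the Access Token URL. The client ID, secret, redirect URI and scope are placeholders. The PKCE challenge (RFC 7636, S256) goes beyond what the tutorial describes; it protects the authorization code against interception and is harmless alongside a client secret, but whether the Cloudentity server accepts it is not stated in this post.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints from Step 4 of the tutorial.
AUTH_URL = "https://idaas.cloudentityst.wpengine.com/oauth/authorize"
TOKEN_URL = "https://idaas.cloudentityst.wpengine.com/oauth/token"


def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) per RFC 7636 with the S256 method.

    A fresh 43-character verifier is generated when none is supplied; the
    challenge is the unpadded base64url of the verifier's SHA-256 digest."""
    if verifier is None:
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_authorize_url(client_id, redirect_uri, scope, state, code_challenge):
    """Authorization Code request the browser is sent to (the Auth URL)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # random per-login value, stored in the user's session
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_URL}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Extract the code from the redirect back to redirect_uri.

    Rejects the response if the state does not match the one we sent, which
    is what stops an attacker binding their own code to the victim's session."""
    qs = parse_qs(urlparse(callback_url).query)
    received_state = qs.get("state", [""])[0]
    if not secrets.compare_digest(received_state, expected_state):
        raise ValueError("state mismatch: response does not belong to this login")
    if "error" in qs:
        raise ValueError(f"authorization server returned error: {qs['error'][0]}")
    return qs["code"][0]


def token_request(client_id, client_secret, redirect_uri, code, code_verifier):
    """Form body for the POST to TOKEN_URL (application/x-www-form-urlencoded)."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    # Placeholder client settings; substitute the values issued in step 4.
    client_id, client_secret = "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET"
    redirect_uri = "https://localhost/callback"
    state = secrets.token_urlsafe(16)
    verifier, challenge = pkce_pair()
    print("1. Open in a browser:", build_authorize_url(client_id, redirect_uri, "openid", state, challenge))
    # Constructed redirect, as the browser would be sent back after login + OTP.
    callback = f"{redirect_uri}?code=CONSTRUCTED_CODE&state={state}"
    code = parse_callback(callback, state)
    print("2. POST to", TOKEN_URL, token_request(client_id, client_secret, redirect_uri, code, verifier))
```

The script prints the two requests rather than sending them, so it can be run offline and the output pasted into Postman or curl; when you do send them, the OTP prompt described above appears in the browser step, not in the token POST.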

Step 5 — Testing 

The last step is to test that the security flows work for each of the three endpoints. 

GET /catsdogs/ should require no authentication.

GET /catsdogs/dogs/ should require the OAuth token obtained in the previous step.

GET /catsdogs/cats/ will work until the MFA timeout in the policy expires. Then you’ll need to either invalidate your session with Cloudentity and log in again, or use our API to force an update of the OTP.
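To make the three outcomes in Step 5 concrete, and to show the gap described earlier (OAuth proves the token is authentic, not who is holding it), here is an added example written for this post, not Cloudentity’s code: the platform’s real token format and policy engine are not described here. It models a resource-server check that verifies a bearer token’s signature and expiry and then applies the Step 2 rules per route. It assumes the token is a JWT whose amr claim (RFC 8176) records an otp authentication event and whose auth_time claim (OpenID Connect) records when that happened; the HS256 demo key and the sample tokens are constructed inline.

```python
import base64
import hashlib
import hmac
import json
import time

# Demo HMAC key, constructed for this example only. A real resource server
# verifies tokens against the authorization server's published signing keys.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# The "MFA in the last 60 seconds" window from the Step 2 policy.
MFA_MAX_AGE = 60

# Route -> required level, mirroring the tutorial's three endpoints.
ROUTES = {
    "/catsdogs/": "anonymous",
    "/catsdogs/dogs/": "authenticated",
    "/catsdogs/cats/": "mfa",
}


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key=DEMO_KEY):
    """Issue a compact HS256 JWT; stands in for the authorization server."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token, now, key=DEMO_KEY):
    """Return the claims if signature and expiry check out, otherwise None.

    This only proves the token is authentic and unexpired. It says nothing
    about who is presenting it, which is the gap the post describes."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None  # signature checked before any untrusted JSON is parsed
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # refuse anything but the algorithm we expect
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize(path, authorization, now):
    """Policy decision for one request: returns (HTTP status, reason)."""
    level = ROUTES.get(path)
    if level is None:
        return 404, "unknown route"
    if level == "anonymous":
        return 200, "anonymous traffic allowed"
    token = None
    if authorization:  # accept either a raw token or an Authorization header value
        parts = authorization.split(" ", 1)
        token = parts[1] if len(parts) == 2 and parts[0].lower() == "bearer" else authorization
    claims = verify_token(token, now) if token else None
    if claims is None:
        return 401, "valid OAuth token required"
    if level == "authenticated":
        return 200, f"authenticated as {claims.get('sub')}"
    # MFA level: the token must record an OTP event within the policy window.
    if "otp" not in (claims.get("amr") or []):
        return 403, "MFA (OTP) not performed"
    if now - claims.get("auth_time", 0) > MFA_MAX_AGE:
        return 403, "MFA older than policy window; re-authenticate"
    return 200, "authenticated with fresh MFA"


if __name__ == "__main__":
    now = int(time.time())
    # Constructed sample token: password + OTP login ten seconds ago, valid for an hour.
    tok = mint_token({"sub": "alice", "exp": now + 3600,
                      "amr": ["pwd", "otp"], "auth_time": now - 10})
    for path in ROUTES:
        print(path, authorize(path, f"Bearer {tok}", now))
    print("/catsdogs/cats/ two minutes later:",
          authorize("/catsdogs/cats/", f"Bearer {tok}", now + 120))
```

Note that /catsdogs/dogs/ accepts any authentic, unexpired token for its whole lifetime, while /catsdogs/cats/ stops accepting the same token once the OTP event is older than the policy window, which is the behaviour Step 5 asks you to observe.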

Learn more about how Cloudentity brings Access Management and Enforcement together to provide a complete set of integrated tools for modern application design and architecture. Click here to sign up for a demo or trial. We’ll see you on the secure side of your Open Banking model. 

Resource Links 

  1. European Parliament adopts European Commission proposal to create safer and more innovative European payments (europa.eu) 
  2. PEXA account compromise sees family lose home sale funds – Security – iTnews 
  3. https://www.cnbc.com/2019/10/13/cyberattacks-cost-small-companies-200k-putting-many-out-of-business.html