MFA for OAuth?

With new regulations such as PSD2 for Open Banking and the growing number of breaches with enormous fines, it is getting harder to rely on traditional OAuth to take care of all your security needs.  In particular, we need a way to know that you are STILL you for high value transactions, like transferring money.

OAuth, by its very nature, is stateless. The endpoint might have rules to look at user details, scopes or other attributes, but it can only verify the token, not that the person using the token is really the person it was issued to.

MFA is a way to verify that you are still you – just like you’re sometimes asked for two forms of ID, MFA gives us the confidence that nothing has been forged or stolen.  Unfortunately, MFA is usually triggered when the token is issued, and we never ask to see that second form of ID again.

Cloudentity’s MicroPerimeter™ Security has policies that are tied directly to our CIAM (Cloud Identity Access Management) platform.  So, while the token is valid, you may have a policy that says “We need to have seen a second form of ID in the last 5 minutes, this is just too valuable a transaction to trust just the token.”

By combining identity and enforcement, we take a lot of the hassle out of tying together different systems – breaches often happen in the cracks between related, but separate, systems and business security logic needs to be aware of both identity and enforcement to create a complete security management plan.

Let’s run through a few quick steps for how it works in Cloudentity.

1 — Create Endpoints
Starting where we left off in the Docker and MicroPerimeter Edge Standalone Tutorial, we need to expand our list of endpoints. We just need three so we can do different levels of auth:

GET /dogs/
GET /cats/

The trailing slashes are required with our nginx example in the previous tutorial — the main thing is to define three endpoints.

2 — Simple MFA Policy
Go to Edge Gateway->Access Policies and create a new policy. You can delete the “fail” step and replace it with the Authentication Event, and choose OTP. Then you can define the timeframe you want to check since the user executed their last MFA — we set it to one minute for testing purposes (you might want to do 30 seconds if you don’t want to wait a minute for the MFA to time out).

In this step we also update the endpoints for our “catsdogs” example so that the three endpoints have different kinds of security:

GET / Anonymous Traffic
GET /dogs/ Authentication
GET /cats/ Authentication + MFA in the last 60 seconds

3 — Enable MFA for your user
Log into to enable OTP MFA for your test user. You can do this by clicking on your username in the list of users, selecting the Update User button and then setting MFA Method to One-Time Password Authentication. In the field below for OTP method, choose email as it makes copying and pasting easier for testing.

4 — Setting up OAuth
The Cloudentity CIAM platform running include application management for OAuth.

  1. Click on the Applications icon in the left-hand menu
  2. In the text above the list of applications, click where it read “To manage your OAuth Clients click here.”
  3. Now you’re in the developer portal and you can click on the blue circle with the (+) symbol to add a new app.
  4. Give your app a name and then when prompted choose the “Web” application type to get the right Auth Code grant
  5. You can test using an application such as Postman by copying and pasting the Client ID and Secret
    1. Auth URL:
    2. Access Token URL:

Now you’re ready to log in and get a token — note that you will be prompted to provide your MFA OTP if you did the previous step.

5 — Testing
All that’s left to do is test that the flows work. Remember we have those three endpoints with different security.

GET /catsdogs/
should require no authentication

GET /catsdogs/dogs/
should require the OAuth token in the previous step

GET /catsdogs/cats/
will work until the MFA timeout in the policy expires. Then you’ll need to either invalidate your session with Cloudentity and log in again, or using our API force an update of the OTP.

Feel free contact us to learn more about how Cloudentity brings Access Management and Enforcement together to provide a complete set of integrated tools for modern application design and architecture.