Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents
Data structure

...

This entity defines authentication factors entity information structure:


ColumnTypeM/OPurpose
iduuidM
user_iduuidMUser FK 
typevarcharM
factorvarcharOFactor value
is_activebooleanM
inserted_attimestampM
updateed_attimestampM



typefactor 

SMS

"+380677778899"
PHONE"+380677778899"
EMAIL"pupkin.vasya@gmailvasya@gmail.com"


Users

This entity enrich a few attributes:

  • Store counters new parameters for 2FA in  in `users.priv_settings` as structure :


    {
        "login_
    error_counter": 0
    hstr": [
               {"time": "2017-12-26T10:11:38.232508", "type": "password", "is_success": false}
             ],
        "otp_error_counter": 0
    }


  • Information about blocked/unblocked directly in entity `users`. 


    ColumnTypePurpose
    is_blockedboolean
    block_reasonvarchar (255), NULL


...

ColumnTypeM/OPurpose
iduuidM
keyvarcharMСomposite key: <token.id> + <separator> + <Value of factor>
codevarcharMValue of OTP
statusvarcharMStatus (Dictionary: OTP_STATUS)
code_expired_attimestampMTimestamp which OTP expired (now() + param from config)
attempts_countintegerOCount of trying OTP authorization process
updateed_attimestampM

State charts

2FA state chart

We need minimal 4 state for user & 2FA:

  • DISABLED - Disable 2FA for this user (via NHS Admin)
  • BLOCKED - User blocked after N-unsuccessful attempts via authentication process.
  • RESET - NHS Admin reset value of factor or factor type. At first login user must fill value of factor.
  • ACTIVE - normal status: 2FA enable 

Propose don't use statuses model, and use logic calculating for state 2FA user:

 


Logic status for 2FA & user Purpose
RESET

User don't blocked (`is_blocked`=false) & exist 1 active item in `authentication_factors`  with empty value of factor .
Examples for type = SMS:

(      factor = NULL  or factor = "" )

ACTIVEUser don't blocked (`is_blocked`=false) & exist 1 active item in `authentication_factors`  with fill value of factor. 

Examples for type = SMS:

(       factor= "+380677778899"  )

DISABLED

User don't blocked (`is_blocked`=false) & not exist any active items in `authentication_factors` 
(SELECT * FROM authentication_factors AS 2FA 
WHERE 2FA.user_id = $.user_id AND 2FA.is_active = 1

-- return  0 rows)

BLOCKED

User have `is_blocked`=true 

(SELECT * FROM users AS U
WHERE U.id = $.user_id AND U.is_blocked = true

--- return 1 rows)


OTP states 

  • Dictionary: `OTP_STATUS`


    ValuePurpose
    NEWInitial status for newest OTP item. Ready to use in OTP verification process.
    VERIFIEDStatus for successful OTP verification process
    UNVERIFIEDStatus for unsuccessful OTP verification process
    EXPIREDExpired after OTP lifetime.
    CANCELED

    Status for manual admin action.


  • Status Chart for OTP
  • Transitions


    From
    Transition
    Result

    Created new OTPstatus = NEW
    status = NEWSuccseful OTP verifystatus = VERIFIED
    status = NEWUnsuccseful OTP verify afterexcess of count [param: OTP_ERROR_MAX] status = UNVERIFIED
    status = NEW[AUTO] Termination process after end of life-time OTP [param: OTP_LIFETIME]status = EXPIRED
    status = NEWAll OTP by `key` in status=`NEW` before creating new OTPstatus = CANCELED


...