OTP/MFA Implementation

Is there any news on the progress of OTP For Login validation - BIZ / BIZ Feature Requests - TMS Support Center (tmssoftware.com)?

Our clients are asking us for the use of authenticator apps. We have implemented this for our non-Sphinx apps, but it would be great to be able to do this here.

Not yet, but it's high in our priority list. We will implement it as soon as we can. Sorry about that.

1 Like

MFA is now a requirement for all users of online systems to comply with the latest version of the UK's Cyber Essentials, so it would be great if this could be implemented.

By the way, the email that Sphinx already provides (which can also be used to send an SMS) is already sufficient for UK Cyber Essentials. Obviously people want the authenticator stuff, but to get signed off for certification you can use what is there.

@wlandgraf while you are at it, this seems to be all the rage FIDO2 - FIDO Alliance

@Weetch_Russell that is on our radar as well. Actually, more specifically the Webauthn standard, is that what you are looking for? A new feature request could be created so we can track. Both will be implemented.

1 Like

Thanks @wlandgraf I have added a feature request for that, plus another one for Sphinx MFA management.

1 Like

Has the WebAuthn standard made it to your roadmap yet?

Definitely in the list of things that we will do. We don't have a timeframe yet, though.

1 Like

Just wanted to register my interest for this.

BTW, with email already there for the email confirmation, can it be easily made to send OTP codes on user signon even now?

There is an event in the SphinxServer for sending OTP code by email (or you could use SMS).

You mean OnGenerateEmailConfirmationToken? It's only used for email validation. I need Sphinx to be able to also do OTP as part of signon, i.e.: prompt for the name and password, then email an OTP and prompt for it before the signon is complete, as second-factor authentication.

@Alexander_Pastuhov you are correct. This is a critical step for any login authentication. There should be a GenerateLoginConfirmationToken event, and ideally it should also support the MFA apps (like Google Authenticator and Microsoft Authenticator). OTP is essential for Cyber Essentials certification.

@wlandgraf have I missed something in Sphinx for this? If not where are these developments in the Sphinx pipeline at the moment? If they are a long way off I think I'll need to do something as an alternative until then.

At the same time, I'd like to plug in some custom code in that prompt, which potentially can do a variety of things, like rejecting specific email addresses, adding a TOTP prompt to the login prompt, changing layout, styling, changing the favicon, adding extra text and JS, etc. But the entire form is shipped in JS, zipped into a resource, so it's hard to get to: I would need to extract it, modify it and bundle it back as a resource, hardly a proper way for a Delphi developer to do things (albeit still doable). So a related request would be to externalize this form into a separate Delphi PAS/DFM, so it can be modified if need be.

Or to rephrase: if this login prompt were a normal, easily customizable Delphi form, I could just add TOTP 2FA easily enough myself. But as it stands, we have all these additional requests now...

I can confirm this has moved to high priority here. We plan to release something already in February.

1 Like

Much appreciated! Will the Login form become customizable as well?

Login form is already somewhat customizable in different ways.

Ok, yes, also the logo, I know, but that's really not enough for me, I'd much rather have a PAS/DFM to work with, or have a way to plug mine in...

Would also be nice to be able to use (or not) cookies to sign the user in promptlessly, ideally configurable by user (or their Group).

I.e.: Azure is normally very lax and would typically not require explicit login every time. But that's configurable and can be changed to require login more frequently, or less frequently, or every time. That's on top of 2FA, which is a separate option and can also be configured to be more or less lax.

Is it still on schedule for February? I've been holding off for the moment to avoid reinventing any wheels...

1 Like