MFA authentication using BR's HTTP Client

bluesfannoz
Posts: 282
Joined: Fri Jun 19, 2009 9:01 am
Location: Lawrence, Kansas

MFA authentication using BR's HTTP Client

Post by bluesfannoz »

We have had several clients whose insurance policy is requiring MFA authentication on their software products.

So I looked into adding a connection to a webservice offered by Twilio called Authy. You can download their application to your phone and register it and it will generate TOTP tokens for you to authenticate against.

So I have been playing with getting BR to talk to their API and authenticate their token. Success!

Here is an example of the necessary http.ini settings:

Code:

header X-Authy-API-Key: {API KEY Setup on the Twilio Website}
header Content-Type: application/text;charset=utf-8
user-agent curl/7.79.1

BR code to verify a supplied code:

Code:

00010     Dim http$*65535,ZB$*4096,URL$*4096
00030     LET httpclient=22 : Let RECL$="4096"
00050     Print Newpage : Print Fields "10,1,C": "Enter Authy Code:"
00070     Input Fields "11,1,C 7,S:T[Y]": Pass$
00170     Let URL$=TRIM$("https://api.authy.com/protected/json/verify/"&TRIM$(PASS$)&"/{AUTHY_ID_FROM_WEBSITE}")
00190     Open #httpclient: "name="&URL$&",CONTROL=http.ini,http=client",Display,Outin Error NO_HTTP Ioerr NO_HTTP
00210     Goto GOOD_HTTP
00230 NO_HTTP:!
00250     LET ZB$="Error "&STR$(ERR)&" Trying to open HTTP connection" : Let MsgBox(ZB$) : End
00270 GOOD_HTTP:! By Opening with Linput rather than Print, this is a GET HTTP Request that is required by Twilio
00310 do While File(httpclient)=0
00330    linput #httpclient: http$ eof done_http_1 Err tst_err
00350    Goto lp
00370 tst_err:!
00390     If err=4145 then goto lp
00410     LET ZB$="Error "&STR$(ERR)&" Waiting on Connection" : Let MsgBox(ZB$) : End
00430 lp:    loop
00450 done_http_1:!
00460     IF POS(http$,CHR$(34)&"token"&CHR$(34)&":"&CHR$(34)&"is valid"&CHR$(34))>0 Then print fields "15,1,C": "Token is Valid!" Else print fields "15,1,C" :"UnAuthorized!"
00490     Close #httpclient:

Link to Authy API:
https://www.twilio.com/docs/authy/api

Steve Koger
Computer Specialist
SEKESC-MACS Division
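
An added example, not part of the original post and not Twilio's code: the same verify check sketched in Python, with the entered code validated before it goes into the URL path and the reply parsed as JSON, so anything other than a top-level "token" of "is valid" is rejected. The 6 to 8 digit token length, the numeric Authy ID and the sample replies are assumptions constructed for illustration.

```python
import json
import re

VERIFY_BASE = "https://api.authy.com/protected/json/verify"  # endpoint from the post
TOKEN_RE = re.compile(r"[0-9]{6,8}")  # assumption: tokens are 6 to 8 digits
AUTHY_ID_RE = re.compile(r"[0-9]+")   # assumption: the Authy ID is numeric


def build_verify_url(token: str, authy_id: str) -> str:
    """Build the GET URL, refusing input that could change the request path."""
    token, authy_id = token.strip(), authy_id.strip()
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token must be 6 to 8 digits")
    if not AUTHY_ID_RE.fullmatch(authy_id):
        raise ValueError("Authy ID must be numeric")
    return f"{VERIFY_BASE}/{token}/{authy_id}"


def token_accepted(body: str) -> bool:
    """Fail closed: True only when the reply is a JSON object whose
    top-level "token" field is exactly "is valid"."""
    try:
        reply = json.loads(body)
    except (TypeError, ValueError):
        return False
    return isinstance(reply, dict) and reply.get("token") == "is valid"


# Constructed sample replies (not captured from the live service).
SAMPLES = {
    "compact": '{"token":"is valid"}',
    "pretty": '{\n  "token": "is valid"\n}',
    "invalid": '{"token":"is invalid"}',
    "nested": '{"errors":{"token":"is valid"},"token":"is invalid"}',
    "not_json": "<html>502 Bad Gateway</html>",
    "empty": "",
}

if __name__ == "__main__":
    print(build_verify_url(" 1234567 ", "12345678"))
    for name, body in SAMPLES.items():
        print(f"{name:9} accepted={token_accepted(body)}")
```

The pretty-printed reply is accepted here although a plain substring test for `"token":"is valid"` would miss it, and the nested reply is rejected although the same substring test would match it.
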
GomezL
Posts: 248
Joined: Wed Apr 29, 2009 5:51 am

Re: MFA authentication using BR's HTTP Client

Post by GomezL »

Nice tool!

In our application, I create an environment variable that stores an encrypted "Hex Code."

In the setup routine of my primary library, I check to make sure it's properly configured, and if not, then I trap it for "Unauthorized Use."

Sometimes a sophisticated user will try to load a program and run it directly, and you want to make sure you properly enforce security.