For increased security, MediaSilo recommends that users configure multi-factor authentication (MFA), which adds an additional layer of security by requiring users to enter a unique security code from an approved device.
MFA must be configured on a per-user basis and must be set up by the user. MFA cannot be set up for a user by a third party. An admin on the same account can remove MFA for a user if the authentication device is lost or damaged.
How to Configure MFA
Enabling MFA for a user is a two-step process. Once enabled, the user will be required to enter the security code every time they authenticate with the MediaSilo platform.
Before setup, the user will need an MFA device that supports the TOTP algorithm; Google Authenticator is a good option that supports this algorithm and is available on most devices.
Generate MFA Key
You first need to generate a key that will be used to generate the security code. To do this, make an authenticated request to the MediaSilo API as the user who wants to enable MFA.
POST /v3/mfa/key
This request will return the following JSON object:
{
"key": "HMFXTL6CM4GZBCP6",
"qrUrl": "https://chart.googleapis.com/chart?chs=200x200&chld=M%7C0&cht=qr&chl=otpauth%3A%2F%2Ftotp%2FMediaSilo%3Asimonlamprell%3Fsecret%3DHMFXTL6CM4GZBCP6%26issuer%3DMediaSilo"
}
The field labeled 'key' contains the MFA security key needed to set up the MFA device. The JSON object also contains a field 'qrUrl', which is a link to a scannable QR code that can also be used to set up the MFA device.
Once the device is configured to use this key, complete the MFA setup by sending a device-generated code to the MediaSilo API.
POST /v3/mfa
{
"code":"123456"
}
After this request completes successfully, MFA will be enabled for this user. The following authenticated request will remove MFA from a user's account:
DELETE /v3/mfa
Authentication with MFA
Enabling MFA changes how a user is authenticated when making requests to the MediaSilo API. Basic Auth is supported but not recommended, because the security code changes every minute, which would require the user to re-enter the security code for each request. This would be a bad user experience, which is why we suggest using sessions. With sessions the security code is only required when creating the session; after that, authorization is done with the session, which allows for a more consistent user experience.
Session Authentication
The process of authenticating with a session remains unchanged by MFA except when you create the session. Creating the session happens as it did before, except that it now requires the field "code" as well as the usual "username", "password", and "hostname". If you try to create a session for a user with MFA enabled without passing the security code, the session creation will fail with the error "This user has MFA enabled but no code was provided."
Basic Authentication
Using this method, a new header is required for users with MFA enabled. Any user with MFA enabled who does not provide this header with a valid security code will receive a 403 Unauthorized response. The required header is "MediaSiloMfaCode", whose value must be a valid security code from the MFA device.
The security code is time-based, which means it is only valid for a limited period. When the security code expires, a new one must be generated on the device and passed along in this header.
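The following is an added worked example, not MediaSilo's own code, that ties the two halves of this page together: it shows what the authenticator device does with the response to POST /v3/mfa/key (recovering the otpauth URI from 'qrUrl' and turning the 'key' into the six-digit code sent in POST /v3/mfa), and what a server must do when that code arrives later, whether as the "code" field at session creation or in the MediaSiloMfaCode header. The sample key and QR URL are the ones printed above; the 30-second step, the six digits and the one-step tolerance window are assumptions (RFC 6238 defaults), and the RFC 6238 test key is included only so the arithmetic can be checked against published vectors. Only the Python standard library is used.

```python
# Added example (not MediaSilo's code): the device side and the server side
# of the TOTP code described on this page. Step length, digit count and the
# +/-1 step tolerance window are assumptions (RFC 6238 defaults).
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Sample response to POST /v3/mfa/key, copied from the documentation above.
SAMPLE_KEY_RESPONSE = {
    "key": "HMFXTL6CM4GZBCP6",
    "qrUrl": "https://chart.googleapis.com/chart?chs=200x200&chld=M%7C0&cht=qr"
             "&chl=otpauth%3A%2F%2Ftotp%2FMediaSilo%3Asimonlamprell"
             "%3Fsecret%3DHMFXTL6CM4GZBCP6%26issuer%3DMediaSilo",
}
# RFC 6238 test key (ASCII "12345678901234567890") in base32, for self-checks.
RFC6238_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

TIME_STEP = 30  # seconds per TOTP step (assumption: RFC 6238 default)
DIGITS = 6      # code length, matching the "123456" sample for POST /v3/mfa


def parse_otpauth_from_qr_url(qr_url):
    """Recover the otpauth:// URI embedded in the QR chart URL and split it
    into label, secret and issuer: exactly what the authenticator stores."""
    chart_params = parse_qs(urlparse(qr_url).query)
    otpauth = unquote(chart_params["chl"][0])
    parsed = urlparse(otpauth)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    otp_params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": otp_params["secret"][0],
        "issuer": otp_params.get("issuer", [None])[0],
    }


def b32_to_key(secret_b32):
    """Decode the base32 key, tolerating missing '=' padding as apps do."""
    raw = secret_b32.strip().upper()
    return base64.b32decode(raw + "=" * (-len(raw) % 8))


def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation to a zero-padded decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32, at_time=None, step=TIME_STEP, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time. This is
    the code the device displays and the value sent in POST /v3/mfa."""
    if at_time is None:
        at_time = time.time()
    return hotp(b32_to_key(secret_b32), int(at_time) // step, digits)


class TotpVerifier:
    """Server-side check. Accepts the current step and `window` steps either
    side to absorb clock skew, and never accepts a step at or below the last
    one used by that user, so a code observed once cannot be replayed while
    it is still inside the window."""

    def __init__(self, step=TIME_STEP, window=1):
        self.step = step
        self.window = window
        self._last_step = {}  # username -> highest step already accepted

    def verify(self, username, secret_b32, submitted, at_time=None):
        if at_time is None:
            at_time = time.time()
        key = b32_to_key(secret_b32)
        now_step = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            step = now_step + delta
            if hmac.compare_digest(hotp(key, step), str(submitted)):
                if step <= self._last_step.get(username, -1):
                    return False  # reuse of an already-accepted code
                self._last_step[username] = step
                return True
        return False  # wrong code, or a code whose window has passed


def basic_auth_headers(username, password, secret_b32, at_time=None):
    """Headers for the Basic Auth variant: Authorization plus the
    MediaSiloMfaCode header carrying a fresh code from the same key."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}",
            "MediaSiloMfaCode": totp(secret_b32, at_time)}


if __name__ == "__main__":
    parts = parse_otpauth_from_qr_url(SAMPLE_KEY_RESPONSE["qrUrl"])
    print("device stores:", parts)
    print("code the device would show right now:", totp(parts["secret"]))
```

Two points the prose above only hints at are visible here. First, the QR code and the 'key' field carry the same secret, so either can be used to enrol the device, and the issuer/label in the URI are what the app displays. Second, "only valid for a certain amount of time" has two sides on the server: a small window of neighbouring steps is accepted so that a slightly skewed device clock does not lock the user out, but a step that has already been accepted for that user is refused, so a code that was captured in transit cannot be submitted a second time even while it would otherwise still verify.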