Multi-factor Authentication
Black Duck’s multi-factor authentication (MFA) solution allows customers who have MFA turned on to require users to enter a secondary authentication token into the Continuous Dynamic Portal UI in addition to their username and password. This single-use secondary authentication token is delivered to the user’s cell phone via SMS text message (or via voice code delivery, if SMS is not available). Once MFA is turned on for a particular customer, all users logging in to the Portal from that customer must use MFA.
To set up an MFA user, an administrator creates a user profile for that user. The profile should include at least one, and preferably two, telephone numbers: the number in the “mobile” field is tried first, and if delivery to it fails the system tries the number in the “phone” field. Telephone numbers should be entered with the country code: for example, for the US, the phone number (234) 567-8901 should be entered as +1 234 567 8901. (Note that if the local part of the phone number has a leading zero, the zero should be omitted. A UK number 012 3456 7890 would be formatted as +44 12 3456 7890.)
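The number-entry rule above (country code first, trunk zero dropped from the local part) is easy to get wrong when profiles are created in bulk. The helper below is an added example, not Black Duck's own code, that applies the rule to the two numbers from the text and also produces the digits-only E.164 form an administrator might use to de-duplicate profiles. The 15-digit maximum is the ITU-T E.164 limit; the function and parameter names are my own.

```python
import re

# Full international number, country code included, may not exceed 15 digits (ITU-T E.164).
E164_MAX_DIGITS = 15


def format_mfa_number(national: str, country_code: int) -> str:
    """Return a number in the "+<country code> <local groups>" form the
    Portal documentation asks for.

    - punctuation such as "(", ")" and "-" is dropped, the caller's digit
      grouping is kept and separated by single spaces;
    - one leading zero (the national trunk prefix) is removed from the
      local part, per the documentation's UK example;
    - the total digit count is checked against the E.164 limit.
    """
    if country_code <= 0:
        raise ValueError("country code must be a positive integer")
    groups = [g for g in re.split(r"[^0-9]+", national) if g]
    if not groups:
        raise ValueError("no digits found in %r" % national)
    if groups[0].startswith("0"):
        groups[0] = groups[0][1:]
        if not groups[0]:          # the zero stood alone as its own group
            groups.pop(0)
    if not groups:
        raise ValueError("number contains only a trunk prefix")
    total_digits = len(str(country_code)) + sum(len(g) for g in groups)
    if total_digits > E164_MAX_DIGITS:
        raise ValueError("number has %d digits, E.164 allows at most %d"
                         % (total_digits, E164_MAX_DIGITS))
    return "+%d %s" % (country_code, " ".join(groups))


def to_e164(formatted: str) -> str:
    """Collapse a "+CC ..." display form to the canonical "+<digits>" string
    (useful as a storage/lookup key, since grouping is cosmetic)."""
    if not formatted.startswith("+"):
        raise ValueError("expected a number starting with '+'")
    return "+" + re.sub(r"[^0-9]", "", formatted)


if __name__ == "__main__":
    # The two constructed examples from the documentation.
    print(format_mfa_number("(234) 567-8901", 1))    # +1 234 567 8901
    print(format_mfa_number("012 3456 7890", 44))    # +44 12 3456 7890
    print(to_e164("+44 12 3456 7890"))               # +441234567890
```

Only one leading zero is stripped, because a second zero is part of the subscriber number in some national plans; a number that is still wrong after normalization will fail at delivery time, which is why the profile should carry a second number.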
To use MFA, a user will:
- Log in with their Portal username and password.
- Receive a text message (or voice code) with a one-time authentication token (a series of numbers).
- Enter that one-time authentication token into the field presented to them in the Portal.
If that code can be validated, the user is successfully logged in. If the code cannot be validated, the user is not logged in. The login page will offer the option of sending a new code.
If there is no cell phone number listed for the user, the system will attempt to send the message to the work phone number listed in the user’s profile. If that does not succeed, the user will be asked to contact Black Duck Customer Support; CS will help them contact their administrator to add a usable phone number to their account.
Note that MFA is set up to be required every time a user logs in. The system generates an MFA cookie with a four-hour lifespan. This protects your system from extended exposure if an unauthorized user has gained access via a legitimate user’s MFA.
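The login steps, the mobile-then-phone delivery order, the single-use token and the four-hour MFA cookie described above can be modelled as one small service. The code below is an added illustration of that flow, not Black Duck's implementation: the token length, the five-minute token validity window, the rule that a failed attempt discards the pending token (so the user must request a new one, as the login page offers), and the `send` callback standing in for the SMS/voice gateway are all my assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

MFA_COOKIE_LIFETIME = 4 * 60 * 60   # four hours, as stated in the documentation
TOKEN_LIFETIME = 5 * 60             # assumption: the page gives no token validity window
TOKEN_DIGITS = 6                    # assumption: "a series of numbers"


@dataclass
class UserProfile:
    username: str
    mobile: Optional[str]   # tried first
    phone: Optional[str]    # fallback if delivery to mobile fails


@dataclass
class PendingToken:
    token: str
    issued_at: float
    delivered_to: str


class MfaService:
    """Second factor after a successful username/password login."""

    def __init__(self, send: Callable[[str, str], bool],
                 now: Callable[[], float] = time.time):
        self._send = send            # send(number, token) -> True if delivered
        self._now = now
        self._pending: Dict[str, PendingToken] = {}
        self._cookies: Dict[str, float] = {}   # cookie value -> expiry time

    @staticmethod
    def delivery_order(user: UserProfile) -> List[str]:
        return [n for n in (user.mobile, user.phone) if n]

    def issue_token(self, user: UserProfile) -> Optional[str]:
        """Generate a fresh single-use token and deliver it to the first
        number that accepts it. Returns that number, or None when no number
        worked (the user must then contact Customer Support)."""
        token = "".join(secrets.choice("0123456789") for _ in range(TOKEN_DIGITS))
        for number in self.delivery_order(user):
            if self._send(number, token):
                # Issuing a new token replaces any earlier pending one.
                self._pending[user.username] = PendingToken(token, self._now(), number)
                return number
        self._pending.pop(user.username, None)
        return None

    def verify(self, username: str, submitted: str) -> Optional[str]:
        """Check the submitted code. On success return a new MFA cookie
        value; on failure return None. The pending token is consumed by
        the attempt either way, so it can never be replayed."""
        pending = self._pending.pop(username, None)
        if pending is None:
            return None
        if self._now() - pending.issued_at > TOKEN_LIFETIME:
            return None
        # Constant-time comparison so timing does not leak matching digits.
        if not hmac.compare_digest(pending.token, submitted):
            return None
        cookie = secrets.token_urlsafe(32)
        self._cookies[cookie] = self._now() + MFA_COOKIE_LIFETIME
        return cookie

    def cookie_valid(self, cookie: str) -> bool:
        """True while the MFA cookie is within its four-hour lifespan."""
        expiry = self._cookies.get(cookie)
        if expiry is None:
            return False
        if self._now() > expiry:
            del self._cookies[cookie]   # expired: drop it so it is never accepted again
            return False
        return True
```

Two properties matter for review: `verify` removes the pending token before any comparison, so neither a correct code nor a wrong guess leaves anything replayable behind, and the cookie store is checked against the clock on every use, so the four-hour bound holds even if a cookie is presented long after issue. In a real deployment the pending tokens and cookies would live in a server-side store keyed by session, not in process memory.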