Multi-Factor Authentication in finPOWER Connect Cloud

Tuesday, 3 November 2020 by Paul Hammond

Version 3.03.04 introduces Multi-Factor Authentication. This adds an additional layer of security to finPOWER Connect Cloud by forcing Users to enter a second password (or code) that is either generated via an Authenticator app or emailed to their registered email address.


With the addition of Multi-Factor Authentication, security can now be increased in finPOWER Connect by forcing Users to enter an auto-generated password (or code) when they sign in.

This makes the sign-in process a little more lengthy but ensures that, even if a User's password is compromised, an attacker can still not gain access to finPOWER Connect Cloud without first (depending on the Multi-Factor method configured) gaining access to the User's mobile device or their email account.

Firstly though, we'll briefly cover restricting access to the Web Administration facilities and also, the existing Device Authorisation functionality.

Web Administration Facilities

Both finPOWER Connect Cloud and Web Services have web-based Administration facilities.

These facilities do not support Multi-Factor Authentication. However, they can, and should in a production environment, be configured to "Allow local access only".

This means that the administration facilities can only be accessed via a browser running on the web server hosting the Web Services or finPOWER Connect Cloud.

Created from paste into Topic content

WARNING: Version 3.03.04 introduces this option and it is enabled by default. This means that access to the Web Administration facilities, even for existing installations, will be restricted to a browser running on the web server.

Device Authorisation

Device Authorisation provides a mechanism by which, every time the User accesses finPOWER Connect Cloud from a new device (or web browser), they are sent a code via email that they must then enter to "authorise" that device.

This is a once-only form of Multi-Factor Authentication and has existed in finPOWER Connect Cloud since it was first launched. Users can view and maintain their list of authorised devices from the User menu, Manage Devices form (shown below) and, as of version 3.03.04, administrators can manage this list from the Web Access page of the Users form within finPOWER Connect desktop:

Created from paste into Topic content

NOTE: Device Authorisation can be used in conjunction with the new Multi-Factor Authentication functionality.

Multi-Factor Authentication Configuration

This is enabled from the Security page of the finPOWER Connect Cloud Configuration form.

Created from paste into Topic content

You can opt to exclude Users of certain Roles from having to enter a Multi-Factor Authentication code.

You can also allow Users the option of deferring re-entry of a Multi-Factor Authentication code for a number of days on a particular device.

Email Code

This works identically to Device Authorisation in that, upon signing in, the User will be sent a 6-letter code to their registered email address. They must then enter this code (which is only valid for 5 minutes) to allow them to complete the sign-in process.

NOTE: This method relies on the User having an email address defined on their finPOWER Connect User record.

Authenticator App

This requires the User to install one of the many available Authenticator apps (Google Authenticator, Microsoft Authenticator, Authy etc) onto their mobile device.

Upon signing in for the first time, the User is prompted to scan a QR code using the app and the camera on their device.

The Authenticator app will generate a 6-digit code that changes every 30 seconds. The User must enter this code to complete sign-in.

Whenever the User signs in in the future, they simply open their Authenticator app and enter the latest 6-digit code that is displayed for their "finPOWER Connect" account (the "account" terminology may vary between apps).

NOTE: This method relies on the Web Server hosting Web Services to have an accurate date and time set since the codes are time-sensitive.

Multi-Factor Authentication in Action

Since the "Email Code" method of Multi-Factor Authentication is identical to the existing Device Authorisation mechanism, this section focuses on the "Authenticator App" method.

Firstly, all Users must install an Authenticator app on their mobile device. It shouldn't matter which app they choose but we have tested against:

Each app looks slightly different and some may require to you sign up to use their service. Google Authenticator doesn't and is shown below (ignore the blurb referring to your Google Account; you don't need one and it is irrelevant to our example):

Created from paste into Topic content

The User signs using their usual User Id and Password.

Created from paste into Topic content

Upon clicking the "Sign In" button, they will be prompted to scan a QR code using the Authenticator app.

Created from paste into Topic content

In the case of Google Authenticator, we now click "BEGIN SETUP" and then "Scan barcode" (these apps refer to bar codes and QR codes interchangeably):

The Authenticator app will require access to the mobile device's camera. Once scanned, the app will show a continuously regenerating 6-digit code which is then entered into the Multi-Factor Authentication" form in finPOWER Connect Cloud.

Created from paste into Topic content

The User then clicks the "Finalise Multi-Factor Authentication and Sign In" button to sign in.

The next time the User signs in (or if their session expires), they will be required to enter the latest 6-digit code as displayed in the Authenticator app, e.g.:

Created from paste into Topic content

If configured, Users are given the option of not being prompted for the Multi-Factor Authentication code for a number of days. This applies only to the device they are currently signing in from.

Oops, I Left My Phone at Home!

Users will probably install the Authenticator app on their phones. Phones get left at home, batteries run out etc.

Without access to the Authenticator app, the User will be unable to sign in.

Luckily, the Users form within finPOWER Connect desktop has a "Create Emergency Code" button on the Web Access page. This generates a 6-letter code that is valid for 2 minutes and can be relayed to the User to allow them to sign in.

Created from paste into Topic content

Oops, I Accidentally Deleted the Authenticator App!

At some point, a User will probably delete the Authenticator app (or their finPOWER Connect Cloud "account" within the app) or, maybe, lose or reset their mobile device.

Since the "Authenticator App" Mutli-Factor Authentication method relies on the app holding an "account" that was added when first scanning a QR code, the User will no longer be able to access finPOWER Connect Cloud.

Luckily, the Web Access page on the Users form within finPOWER Connect allows you to "Reset Multi-Factor Authentication":

Created from paste into Topic content

Once reset, the User will be prompted with a new QR code to scan the next time they sign-in (which you would typically ask them to do immediately after resetting their Multi-Factor Authentication).

Other Implications of Multi-Factor Authentication

  • When changing their password, Users will be forced back to the sign-in form
  • When their session expires due to inactivity, the User will need to enter a new Multi-Factor Authentication code
    • Since email codes are only valid for 5 minutes, this means the User needs to click a button to send an email if not using an Authenticator app

External Applications Accessing Web Services

Enabling Multi-Factor Authentication for finPOWER Connect Cloud will mean that any external applications accessing finPOWER Connect Web Services will fail to authenticate.

To remedy this, Multi-Factor Authentication can be disabled via the Web Subscriber record that the external application is using:

Created from paste into Topic content

WARNING: If you are using Multi-Factor Authentication and disable Multi-Factor Authentication on the Web Subscriber that finPOWER Connect Cloud is configured to use, the sign-in process will fail since this represents a configuration error.