Tutorial: Multi-factor login


The underlying model of the Webcom Authentication Service allows several identities to be bound to a given Webcom account. In other words, a given user may authenticate with several authentication methods (one per identity). The Authentication Service uses this feature to implement multi-factor authentication.

By default, signing a user in with any authentication method authenticates her/him with the corresponding identity only. This means that if the user was previously authenticated with another identity, that identity is forgotten. To keep the previously authenticated identities of a user when signing her/him in with a new identity, and so obtain multi-factor authentication, the authentication method must be initialized in multi-factor mode before performing the sign-in operation.

When performed in multi-factor mode, an authentication operation merges the current authentication state into its regular resulting state in the following way:

  • If the current authentication state refers to a Webcom account different from the one bound to the user being authenticated, then the authentication operation fails. Only identities bound to the same account may enrich the current authentication state.
  • If the authentication operation succeeds, its result becomes the new authentication state and its Context attribute (see Authentication state) is updated with the concatenation of the identity referred to by the previous authentication state and the Context attribute of the previous authentication state.
graph TB
S1["Current state is uid123 with:
provider1,providerId1,providerProfile1
context=[]
"]
S2["Current state is uid123 with:
provider2,providerId2,providerProfile2
context=[providerId1]
"]
S3["Current state is uid123 with:
provider3,providerId3,providerProfile3
context=[providerId2,providerId1]
"]
S4["Current state is uid123 with:
provider4,providerId4,providerProfile4
context=[]
"]
S1 --Authenticate in multi-factor mode--> S2
S2 --Authenticate in multi-factor mode--> S3
S3 --Authenticate in default mode--> S4

To set the next authentication operation in multi-factor mode, all you need to do is call the useCurrentContextForNextAuthOperation() method before performing the authentication operation. For example, a 2-factor authentication with email/password and SMS OTP can be implemented this way (replace “<your-app>” with your actual application identifier):

let ref = new Webcom("<your-app>");
// Initial authentication (in default mode)
ref.authInternally("password", theUserCredentials)
    .then(() => {
        ref.useCurrentContextForNextAuthOperation();
        // 2nd factor authentication (in multi-factor mode)
        ref.sendOtp("phone", theUserMsisdn)
            .then(challenge => {
                ref.authInternally("phone", {id:theUserMsisdn,password:getReceivedOtp(),challenge:challenge})
                    .then(auth => console.log("Logged with 2 factor authentication: ", auth))
                    .catch(error => console.error("2nd authentication failed: ", error));
            })
            .catch(error => console.error("Could not send OTP to authenticate with the 2nd factor: ", error));
    })
    .catch(error => console.error("1st authentication failed: ", error));
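
The merge rules described above, modeled in plain JavaScript as an added example (not Webcom SDK code and not part of the original tutorial). The state fields follow the diagram; the function names `nextAuthState`, `provenIdentities` and `hasFactors`, and the handling of a multi-factor sign-in with no current state, are assumptions. It shows that a later sign-in in default mode resets the context, so a check that requires several factors has to be evaluated against the current state.

```javascript
// Model of the merge rules only: plain objects, no Webcom SDK calls.
// Field names follow the diagram (uid, provider, providerId, context).

// Returns the state resulting from a successful sign-in `incoming`
// ({uid, provider, providerId}) given the `current` state (or null).
function nextAuthState(current, incoming, multiFactor) {
  // Default mode: previously authenticated identities are forgotten.
  // Assumption: multi-factor mode with no current state behaves the same.
  if (!multiFactor || current === null) {
    return { ...incoming, context: [] };
  }
  // Rule 1: an identity bound to another account cannot enrich the state.
  if (current.uid !== incoming.uid) {
    throw new Error("identity is bound to a different account");
  }
  // Rule 2: previous identity first, followed by the previous context.
  return { ...incoming, context: [current.providerId, ...current.context] };
}

// Every identity proven in the current session, most recent first.
function provenIdentities(state) {
  return [state.providerId, ...state.context];
}

// Gate for a sensitive action: require at least `min` distinct identities.
function hasFactors(state, min) {
  return new Set(provenIdentities(state)).size >= min;
}

// Constructed sample identities reproducing the diagram's four states.
const id = (n, uid = "uid123") =>
  ({ uid, provider: `provider${n}`, providerId: `providerId${n}` });

const s1 = nextAuthState(null, id(1), false);
const s2 = nextAuthState(s1, id(2), true);
const s3 = nextAuthState(s2, id(3), true);
const s4 = nextAuthState(s3, id(4), false); // default mode resets the context

console.log("S3 identities:", provenIdentities(s3));
console.log("2 factors in S3:", hasFactors(s3, 2), "in S4:", hasFactors(s4, 2));
```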

Coming soon!
In the meantime, refer to the Android API reference.

Coming soon!
In the meantime, refer to the iOS API reference.