Page History: Two Factor Authentication
Page Revision: 2017/04/10 13:05
T4 now has two-factor authentication to allow for an easier and more secure login.
Setup
To set up, go to www.t4login.com and log in with your firm, username and password. Once logged in to the user setup web page, you will see a new link called "Setup Security".
All new and existing users will be set to "Not Enabled" by default.
In order to enable 2FA, the user changes the setting to Enabled, enters his phone number, and then clicks Continue.
This phone number must be able to receive SMS text messages. Landline phones are not supported.
If the user does not have a cell phone, or simply prefers to use email instead, there is a link to switch to email.
Two-factor authentication is not enabled for the user until they successfully verify their phone number or email address. When they click "Continue", a 6-digit verification code is sent; they must enter it and click Submit.
Usage
After setting up 2FA, the user will be required to authenticate every device he uses to log into T4.
The user will log in using his firm/username/password just like normal.
If the user has not yet authorized this device for 2FA, a 6-digit authorization token is sent to the user and the application prompts for it.
Once the user enters the 6-digit code, the user's device is considered "authorized" and this second step will not be required again.
Device Management
The “Setup Security” screen has a link to manage devices.
This screen shows the devices the user has 2FA authenticated, some usage information, and gives an option to delete device entries.
Old API Support
2FA is supported for all older versions of T4 and for apps written to older versions of our API.
When the user logs in using an old version, the login will fail; however, an authentication token will be delivered to the user.
As the message explains, the user needs to append the 6-digit code to his password on the next login attempt.
So if the user's password is "g01ng8roke", he will type "g01ng8roke193566" on his next login attempt.
Non-Supported Applications
Two-factor authentication is not possible in cases where we cannot receive a unique device identifier. FIX applications are a good example.
Also, some applications log in additional users, and it is not possible to support 2FA in this case.
A prime example is Sierra Chart. SC connects to us using FIX and then logs in its end users as additional users. SC runs on dedicated servers, so the end users cannot authorize the SC server.
For applications that cannot support 2FA, we have created an alternate authentication mechanism called an “application password”.
For these applications, the user will create a dedicated password for the application and configure it in their user setup.
Application passwords are maintained on the same web page as the user's 2FA devices. If the user is allowed to use an application, and the application is flagged as supporting application passwords, then the application will be listed.
The user will click the link to “Create” the password.
An application password will be generated for this application and displayed to the user.
The user will copy/paste this password into whatever setup screen the application vendor has provided.
The password will not be displayed to the user ever again. If it is lost, the user simply removes it and creates a new one.
Once an application password has been created, our servers will only authenticate the user with that password when logging into that application. In this case, 2FA will not be required. However, 2FA will still be required when logging this user into other applications.
This password is not intended to be used where the user needs to type the password in for a regular login. It is intended for cases like Sierra Chart, where the user configures his T4 login on some kind of central server.
Also, just a note, none of this is necessary if the user does not enable 2FA on his user account.
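An illustrative model of the application-password rule described above (added example, not T4's code): a password is generated once and only its salted hash is stored per application; once one exists, it is the only credential accepted for that application and the second factor is skipped there, while other applications still require the normal password plus 2FA. The application names and hashing parameters are constructed.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Tuple

# Constructed parameter for this model; a production value would be tuned.
PBKDF_ROUNDS = 100_000


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF_ROUNDS)


class User:
    def __init__(self, password: str, two_factor_enabled: bool):
        self.salt = os.urandom(16)
        self.password_hash = _hash(password, self.salt)
        self.two_factor_enabled = two_factor_enabled
        # application name -> (salt, hash); the plaintext is never stored
        self.app_passwords: Dict[str, Tuple[bytes, bytes]] = {}


def create_app_password(user: User, app: str) -> str:
    """Generate and store an application password; return the plaintext once."""
    plaintext = secrets.token_urlsafe(24)
    salt = os.urandom(16)
    # Creating a new one replaces any earlier password for the same application.
    user.app_passwords[app] = (salt, _hash(plaintext, salt))
    return plaintext


def authenticate(user: User, app: str, supplied: str) -> Tuple[bool, bool]:
    """Return (accepted, second_factor_required) for a login from `app`."""
    entry = user.app_passwords.get(app)
    if entry is not None:
        salt, digest = entry
        # Only the application password is accepted here, and 2FA is skipped.
        return (hmac.compare_digest(_hash(supplied, salt), digest), False)
    ok = hmac.compare_digest(_hash(supplied, user.salt), user.password_hash)
    # Regular password path: 2FA still applies if the user has enabled it.
    return (ok, ok and user.two_factor_enabled)
```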
Clearing 2FA Devices
Once a user has authorized a device, it is remembered "forever", though not quite. The user's devices are cleared whenever the user changes his password or an administrator unlocks his user account.
Additionally, the user can manually clear one or all of his devices in the administration web page.
A device will also be treated as new in the following situations:
- T4 web sites – Forgotten when cookies are cleared (includes web trader).
- T4 Mobile (Android/iOS) – Forgotten if the application is completely uninstalled and re-installed (not forgotten for updates).
- T4Screens and any 3rd-party API programs – Tied to the device MAC address, so not forgotten easily.
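A model of the old-API login flow and the device clearing described above (added example, not T4's code): the first login from an unauthorized legacy client fails and issues a 6-digit code, the next attempt is accepted only if the trailing 6 digits match that single-use code, and a password change forgets every authorized device. The device identifiers and the plaintext password field are constructed for the model.

```python
import hmac
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set

# Greedy ".+" keeps the password intact even when it ends in digits itself.
CODE_RE = re.compile(r"^(?P<password>.+)(?P<code>\d{6})$")


@dataclass
class Account:
    password: str                        # plaintext only to keep the model short
    pending_code: Optional[str] = None   # issued after a failed legacy login
    authorized_devices: Set[str] = field(default_factory=set)


def check_password(account: Account, supplied: str) -> bool:
    return hmac.compare_digest(account.password, supplied)


def legacy_login(account: Account, device_id: str, supplied: str) -> str:
    """Return 'ok', 'code_sent' or 'fail' for a login from an old API client."""
    if device_id in account.authorized_devices:
        return "ok" if check_password(account, supplied) else "fail"
    m = CODE_RE.match(supplied)
    if m and account.pending_code and check_password(account, m["password"]):
        code_ok = hmac.compare_digest(account.pending_code, m["code"])
        account.pending_code = None      # single use: wrong guess forces a new code
        if code_ok:
            account.authorized_devices.add(device_id)
            return "ok"
        return "fail"
    if check_password(account, supplied):
        # Correct password from an unauthorized device: fail the login but
        # deliver a code out of band; the user appends it next time.
        account.pending_code = f"{secrets.randbelow(10**6):06d}"
        return "code_sent"
    return "fail"


def change_password(account: Account, new_password: str) -> None:
    """A password change forgets every authorized device."""
    account.password = new_password
    account.pending_code = None
    account.authorized_devices.clear()
```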
Send to Email
If the user forgets or loses his phone and cannot receive a text message, the authentication token can be sent to his email instead.
The screen that prompts for the authentication code will display a link to send the code to email instead after a 20-30 second delay.
Other Changes
As part of adding 2FA, we have also improved how we store user passwords. We are now using industry standard encryption and storage techniques. This is all done behind the scenes and there is nothing to test for it. Every time a user logs into T4, our system will check whether the user's password has been upgraded and will make the necessary upgrades.
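The upgrade-on-login pattern the paragraph describes, as an added example (not T4's code): the plaintext is only available at the moment of a successful login, so that is when a record in an older hash scheme is verified and then rewritten in the stronger scheme. The two schemes and the iteration count are constructed for the model.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

Record = Tuple[str, bytes, bytes]   # (scheme, salt, digest)
ITERATIONS = 100_000                # constructed; tune for production


def legacy_hash(password: str) -> Record:
    """Older scheme in this model: unsalted SHA-1."""
    return ("sha1", b"", hashlib.sha1(password.encode()).digest())


def current_hash(password: str, salt: bytes = b"") -> Record:
    """Current scheme in this model: salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return ("pbkdf2_sha256", salt, digest)


def verify(record: Record, password: str) -> bool:
    scheme, salt, digest = record
    if scheme == "sha1":
        candidate = legacy_hash(password)[2]
    elif scheme == "pbkdf2_sha256":
        candidate = current_hash(password, salt)[2]
    else:
        return False                # unknown scheme: never accept
    return hmac.compare_digest(candidate, digest)


def login(store: Dict[str, Record], user: str, password: str) -> bool:
    """Verify the password; on success, migrate a legacy record in place."""
    record = store.get(user)
    if record is None or not verify(record, password):
        return False
    if record[0] != "pbkdf2_sha256":
        # Only a successful login exposes the plaintext, so upgrade now.
        store[user] = current_hash(password)
    return True
```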