User Authentication

FX Mobile supports both one-factor (1FA) and two-factor (2FA) authentication, and includes a dual-permissioning system that maintains separate sets of permissions for one-factor and two-factor authenticated clients.

FX Mobile's dual-permissioning system provides users with two access modes: read-only access (view mode) for one-factor authenticated users, and trading access (trade mode) for two-factor authenticated users. Users select which mode they require when they log in. Users who select view mode can later upgrade to trade mode by providing the second factor of a 2FA login, without needing to log out and re-authenticate in full.

Architecture

The diagram below illustrates the main components of FX Mobile's authentication system. The two-factor authentication system supports numeric one-time passwords (OTP) that are either sent by SMS or generated by hardware key.


The user selects which mode they wish to login to, and provides the credentials required by the access mode:

  • View mode: a username and a password
  • Trade mode: a username, a password, and a one-time password (OTP) provided by an SMS message or a hardware key

System startup

1a/2a: Permissioning Adapters retrieve and cache permissions from the Back-end Permissions System.

User opens the mobile app

3: FX Mobile sends a request for '/parameters' to the SignOn Servlet. This request is not intercepted by the CSRFGuard Filter. The SignOn Servlet returns the supported encryption algorithms (RSA only at this time), the public key to be used for password/code/token encryption, and a list of 2FA modes that are supported (SMS and token only at this time).

User enters username and password

4: FX Mobile requests a CSRF token from the CSRFGuard Servlet.
5a: FX Mobile encrypts the password and requests '/authenticate/user' from the SignOn Servlet. This request is intercepted by the CSRFGuard Filter and is checked for a valid CSRF token.
5b: The CSRFGuard Filter allows the '/authenticate/user' request from the SignOn Servlet.
5c: The SignOn Servlet validates the username and the decrypted password with the Resource Access API. If the credentials are valid, then the SignOn Servlet sets a session attribute to indicate the current authentication level is ViewMode.

User requests SMS code (SMS-based 2FA authentication only)

6a: FX Mobile sends a request for '/sms/send' to the SignOn Servlet. This request is intercepted by the CSRFGuard Filter and is checked for a valid CSRF token.
6b: The CSRFGuard Filter allows an '/sms/send' request to the SignOn Servlet.
6d: The SignOn Servlet requests that the Resource Access API send an SMS.

User enters SMS code or hardware token (2FA authentication only)

7a: FX Mobile encrypts the SMS code or token and sends a request for '/authenticate/sms' or '/authenticate/token' to the SignOn Servlet. This request is intercepted by the CSRFGuard Filter and is checked for a valid CSRF token.
7b: The CSRFGuard Filter allows an '/authenticate/sms' or '/authenticate/token' request to the SignOn Servlet.
7c: The SignOn Servlet validates the decrypted SMS code or hardware token with the Resource Access API. If the credentials are valid, the SignOn Servlet sets a session attribute to indicate the current authentication level is TradeMode.

FX Mobile requests KeyMaster token

8a: FX Mobile sends a request for '/StandardKeyMaster' to the KeyMaster Servlet. This request is intercepted by the Authentication Filter. The authentication level of the user's session is checked. Only sessions with an authentication level of ViewMode or TradeMode are permitted to proceed.
8b: The Authentication Filter allows a '/StandardKeyMaster' request to the KeyMaster Servlet. The KeyMaster Servlet returns a token that contains a CustomerId attribute with the value 'ViewMode' or 'TradeMode', depending on the current authentication level read from the session attribute.

FX Mobile authenticates with Liberator (ViewMode)

9a: FX Mobile logs in to Liberator with a KeyMaster token containing a CustomerId of 'ViewMode'. Liberator routes the login request to the ViewMode Permissioning Core.
9b: The ViewMode Permissioning Core requests permissions for the user from the ViewMode Permissioning Adapter.

FX Mobile authenticates with Liberator (TradeMode)

10a: FX Mobile logs in to Liberator with a KeyMaster token containing a CustomerId of 'TradeMode'. Liberator routes the login request to the TradeMode Permissioning Core.
10b: The TradeMode Permissioning Core requests permissions for the user from the TradeMode Permissioning Adapter.
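The flow in steps 3 to 10 can be followed end to end in a small model. The code below is an added illustration, not Caplin code: the servlet, filter and Liberator names are stand-ins for the components above, the Resource Access API and the two Permissioning Adapter caches are replaced by constructed tables, and the RSA encryption of passwords and codes is omitted so the session-level state changes stay visible. It shows the three checks a reviewer would want to see enforced: the CSRFGuard Filter rejecting guarded requests without the session's token, the second factor upgrading an existing ViewMode session in place (and being refused on a session that never passed the first factor), and the Authentication Filter admitting only ViewMode or TradeMode sessions before a KeyMaster token is minted and routed by Liberator.

```python
"""Model of the FX Mobile dual-permissioning login flow (steps 3 to 10).

Added illustration, not Caplin code: component names are stand-ins, the
Resource Access API is replaced by constructed tables, and RSA encryption of
the password and one-time code is omitted.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed stand-ins for the Resource Access API and for the permissions
# cached by the two Permissioning Adapters at startup (steps 1a/2a).
VALID_USERS = {"alice": "correct-horse-battery"}
VALID_OTPS = {"alice": "482913"}
PERMISSIONS = {
    "ViewMode Permissioning Adapter": {"rates:view"},
    "TradeMode Permissioning Adapter": {"rates:view", "orders:execute"},
}


@dataclass
class Session:
    """Server-side session; auth_level is the attribute set in steps 5c/7c."""
    csrf_token: Optional[str] = None
    username: Optional[str] = None
    auth_level: Optional[str] = None  # None, "ViewMode" or "TradeMode"


def parameters() -> Dict[str, list]:
    """Step 3: '/parameters' is not CSRF-guarded and only publishes capabilities."""
    return {"encryption": ["RSA"], "two_factor_modes": ["SMS", "token"]}


def issue_csrf_token(session: Session) -> str:
    """Step 4: the CSRFGuard Servlet binds a fresh token to the session."""
    session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def csrfguard_filter(session: Session, presented: Optional[str]) -> None:
    """Steps 5b/6b/7b: reject any guarded request lacking the session's token."""
    if (session.csrf_token is None or presented is None
            or not secrets.compare_digest(session.csrf_token, presented)):
        raise PermissionError("CSRFGuard: missing or invalid CSRF token")


def authenticate_user(session: Session, csrf: str, username: str, password: str) -> str:
    """Step 5: '/authenticate/user'; the first factor grants ViewMode only."""
    csrfguard_filter(session, csrf)
    expected = VALID_USERS.get(username)
    if expected is None or not hmac.compare_digest(expected, password):
        raise PermissionError("SignOn: invalid username or password")
    session.username = username
    session.auth_level = "ViewMode"
    return session.auth_level


def authenticate_second_factor(session: Session, csrf: str, code: str) -> str:
    """Step 7: '/authenticate/sms' or '/authenticate/token' upgrades an existing
    ViewMode session to TradeMode in place. A session that never passed the
    first factor has no username to validate the code against and is refused."""
    csrfguard_filter(session, csrf)
    if session.auth_level not in ("ViewMode", "TradeMode"):
        raise PermissionError("SignOn: first factor required before second factor")
    expected = VALID_OTPS.get(session.username or "")
    if expected is None or not hmac.compare_digest(expected, code):
        raise PermissionError("SignOn: invalid one-time password")
    session.auth_level = "TradeMode"
    return session.auth_level


def keymaster_token(session: Session) -> Dict[str, str]:
    """Steps 8a/8b: the Authentication Filter admits only ViewMode or TradeMode
    sessions; the token's CustomerId is copied from the session attribute."""
    if session.auth_level not in ("ViewMode", "TradeMode"):
        raise PermissionError("Authentication Filter: session not authenticated")
    return {"CustomerId": session.auth_level}


def liberator_login(token: Dict[str, str]) -> Tuple[str, Set[str]]:
    """Steps 9/10: Liberator routes on CustomerId to the matching Permissioning
    Core, which loads the user's permissions from that mode's Adapter."""
    mode = token.get("CustomerId")
    if mode not in ("ViewMode", "TradeMode"):
        raise PermissionError("Liberator: unknown CustomerId")
    return f"{mode} Permissioning Core", set(PERMISSIONS[f"{mode} Permissioning Adapter"])


def login_flow(username: str, password: str, otp: Optional[str] = None) -> Tuple[str, Set[str]]:
    """Drive a complete login: view mode, or trade mode when an OTP is supplied."""
    session = Session()
    csrf = issue_csrf_token(session)
    authenticate_user(session, csrf, username, password)
    if otp is not None:
        authenticate_second_factor(session, csrf, otp)
    return liberator_login(keymaster_token(session))
```

The design point worth noting is that the authentication level lives only in the server-side session and is copied into the KeyMaster token by the server; the client never supplies its own mode, so a view-mode client cannot reach the TradeMode Permissioning Core by editing a request.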
