15.2. TOTP Authentication

15.2.1. Example: RCUser

Here we create a user and give it the necessary permissions and TOTP settings to access and use the DataHub Remote Config application.

Add the user

  1. In the DataHub Properties window, select the Security option and click the Configure button.

  2. Set the Organization to Local, and in the Users tab, under Users, click the Add button and select Add BuiltIn User.

  3. Enter a User Name of RCUser with a password Abcd1234.

    Click the OK button. The user name RCUser will appear in the Users list, as well as in the Principals list.

  4. In the TOTP (time-based one-time password) section below, click the Add TOTP Key button, and then click the Generate Random Key button.

    The system will generate a key.

  5. In the Roles list, scroll down to RemoteConfig and click its checkbox on.

  6. Click the Apply button to apply your changes. You'll now see a total of 3 roles for RCUser. The BasicConnectivity and RequireTotpAuthenticaion roles were added by default when the user was created.

    Notice that when you click the RemoteConfig role checkbox off and on, the list of Effective Permissions in the right-hand column changes. The additional permissions are the ones associated with the RemoteConfig role, showing what the user can do in the Remote Config app. Be sure to leave the checkbox on.

Configure Authenticator app

Since we specified TOTP for the RCUser, we need to configure it. This example will use Microsoft Authenticator as the TOTP app.

  1. On your mobile device, open Authenticator and tap + to add an account. Select Work or school account.

  2. Select Scan a QR code.

  3. In the DataHub Security configuration for RCUser, click the Show TOTP QR button.

  4. Point your phone’s camera at the QR code and enable it. Be sure to apply the changes.

You should now have a Cogent DataHub entry with RCUser in Microsoft Authenticator.
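
The six-digit code shown by the Authenticator app is derived from the generated key and the current time. The following is an added example, not DataHub code, that computes and checks such a code per RFC 6238. It assumes the common defaults (HMAC-SHA-1, 30-second step, base32-encoded key), which this page does not state for DataHub; the sample key and the one-step drift window are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code (RFC 6238 default; assumed, not stated by the page)
DIGITS = 6   # the six-digit code entered in the TOTP field


def totp(key_b32: str, at: float, digits: int = DIGITS) -> str:
    """Return the RFC 6238 code (HMAC-SHA-1) for the time step containing `at`."""
    cleaned = key_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", max(int(at), 0) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(key_b32: str, submitted: str, at: float, drift_steps: int = 1) -> bool:
    """Accept the current step and +/- drift_steps neighbours (clock skew)."""
    ok = False
    for n in range(-drift_steps, drift_steps + 1):
        candidate = totp(key_b32, at + n * STEP)
        # Constant-time comparison, no early exit on a match.
        ok |= hmac.compare_digest(candidate.encode(), submitted.encode())
    return ok


# Constructed sample key: the RFC 6238 test secret, base32-encoded.
SAMPLE_KEY = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = time.time()
    code = totp(SAMPLE_KEY, now)
    print("current code:", code)
    print("accepted:", verify(SAMPLE_KEY, code, now))
```

A code is only valid for its time step plus whatever drift the verifier tolerates, so a clock that is wrong on either the phone or the server is the usual cause of a correct-looking code being rejected.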

Test the results

  1. Start the Remote Config app. Enter the username RCUser and password. Then check your Authenticator app for the six-digit code, and enter that in the TOTP field.

  2. Once you've entered both the password string and the TOTP code, press the Enter button to access the app. You can check the Event Log to verify the authentication of RCUser.

  3. To check that permissions are being enforced, start the DataPid app. You will see that it connects, but there are permission denied error messages in the Event Log like this:

    Error in input: TCP: plugin-raw-message, ..... Permission denied")

  4. Click the View Data button to open the DataHub Data Browser, and you will see that the DataPid domain is either not listed or not connected.

  5. In DataPid, click the Disconnect button, enter your DataHub admin username and password, and click the Reconnect button.

    You should now see DataPid data updating in the Data Browser, and no more errors in the Event Log.

    [Note]

    We used the admin credential in this last step to keep the explanation simple. A better approach to pushing data to a DataHub instance is to create a user with specific permissions, as explained in Custom Data Permissions.