
A Tale of Two Factors (Authentication)

At CoverMyMeds, we’re responsible for Personally Identifiable Information (PII) and Protected Health Information (PHI) and take our responsibility to protect it very seriously. A multi-factor authentication (MFA) solution had been in place for a long time, but it relied on SMS, which some users found very unreliable and which, to be frank, was difficult to maintain. The challenges we had with that solution included:

  • Email-to-SMS gateways that we don’t control going down
  • Users changing cellular providers
  • SMS delay
  • Usability complaints

Finally, we decided it was time to move to a more robust solution. After looking at the MFA landscape, we felt a Google Authenticator-based solution would be best. We chose this solution because it is simple but works, uses an open standard, and is open source. Most importantly, it didn’t require cellular access to a limited set of U.S.-based cellular providers.

Our initial prototype leveraged pam-google-authenticator. Tests proved the concept worked well using RADIUS, but the end-user experience was a little rough. The PAM module comes with a helper script for setting up gauth, including a QR code, which we liked. However, requiring users to log in to the RADIUS server, run this script, and answer technical questions was onerous. Additionally, we would have been required to provide shell accounts on a RADIUS host to a large number of users across the company. While we were confident our test group was comfortable doing so, there could be members of the larger user group who would be uncomfortable logging into a Linux host. We liked our prototype from a technical perspective, but we decided the user experience needed to be better.

This is where things got a bit more complicated. From a host perspective, the options were either bare bones, such as the PAM solution, or incredibly complicated, such as Red Hat IDM. We did not want to deploy an entire identity management stack just to enable a better experience for MFA. There were also the costs associated with a number of these solutions. We were, however, able to find some pure web-based solutions for MFA, so it was time to roll up our sleeves and write some code.

After a few iterations, we had a solution in the form of CoverMyMeds MFA. This standard Rails app provides a user-friendly web UI to provision and manage the TOTP tokens used by Google Authenticator, as well as a RESTful interface to authenticate against. It utilizes a few extra fields in Active Directory, which gives us the resiliency and redundancy we did not have using the standard PAM module. The MFA GitHub page has full instructions on how to set up and configure the application, as well as some example configurations for integrating with FreeRADIUS. We hope you like it as much as we do and welcome pull requests!
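
To make the two jobs described above concrete (provisioning a TOTP secret for Google Authenticator and checking a submitted code), here is an added example in plain Ruby using only the standard library; it is not code from CoverMyMeds MFA. The function names, the one-step drift window, and the `last_step` replay guard are assumptions chosen for illustration.

```ruby
require "openssl"
require "securerandom"
require "erb"

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567".freeze

# RFC 4648 Base32 without padding: the secret format authenticator apps import.
def b32_encode(bytes)
  bits = bytes.unpack1("B*")
  bits += "0" * ((5 - bits.length % 5) % 5)
  bits.scan(/.{5}/).map { |chunk| B32[chunk.to_i(2)] }.join
end

def b32_decode(text)
  bits = text.upcase.delete("= ").each_char.map { |c|
    idx = B32.index(c) or raise ArgumentError, "invalid Base32 character"
    idx.to_s(2).rjust(5, "0")
  }.join
  [bits[0, bits.length / 8 * 8]].pack("B*")
end

# A fresh 160-bit secret from the OS CSPRNG, one per user.
def new_secret
  b32_encode(SecureRandom.random_bytes(20))
end

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation.
def hotp(secret_b32, counter, digits: 6)
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA1"), b32_decode(secret_b32), [counter].pack("Q>"))
  offset = mac.bytes.last & 0x0f
  code = mac.byteslice(offset, 4).unpack1("N") & 0x7fffffff
  format("%0#{digits}d", code % 10**digits)
end

# RFC 6238 check. Returns the matched time step (persist it as last_step) or nil.
def verify_totp(secret_b32, submitted, last_step: nil, now: Time.now, step: 30, drift: 1)
  current = now.to_i / step
  ((current - drift)..(current + drift)).each do |t|
    next if last_step && t <= last_step # a code from an already-used step is a replay
    return t if OpenSSL.secure_compare(hotp(secret_b32, t), submitted.to_s)
  end
  nil
end

# otpauth:// URI that an enrollment page renders as a QR code.
def provisioning_uri(secret_b32, account:, issuer:)
  label = ERB::Util.url_encode("#{issuer}:#{account}")
  "otpauth://totp/#{label}?secret=#{secret_b32}&issuer=#{ERB::Util.url_encode(issuer)}"
end
```

Storing the returned step next to the user's secret and passing it back as `last_step` is what stops a captured code from being accepted a second time within its validity window.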
