FMAuthenticator: An Enhancement to FileMaker's Native Security Model
My friend Hal Gumbert reached out to me today about FMAuthenticator, the two-factor authentication solution that I released last year for the FileMaker platform. He pointed me to a recent blog post about "ersatz log-on systems" by noted FileMaker security expert Steven H. Blackwell, and wondered if FMAuthenticator was vulnerable in the ways that Mr. Blackwell describes in his post.
How FMAuthenticator Works
FMAuthenticator wasn't designed to bypass FileMaker's native security model, but instead to enhance it. After logging in, the user is challenged for a second form of authentication. FMAuthenticator sends a code to a mobile device and/or email address that has been associated with the user's account. In order for the user to fully enter the database, they need to provide the code that has been sent. There is no way for the user to proceed without it.
So while the user is officially logged into the database, it isn't until after they've successfully completed the second authentication step that they can actually do anything. (I like to think of it as if the user were entering the database through the software equivalent of a mantrap.)
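The mantrap described above, as an added Python illustration that is not FMAuthenticator's own code (FMAuthenticator is built from FileMaker scripts): a session counts as logged in but may do nothing until the delivered code is verified, and the code is stored only as a hash, expires, is single-use, and has a bounded number of attempts. The delivery channel, the five-minute lifetime, the attempt limit and the class and method names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a delivered code
MAX_ATTEMPTS = 5         # assumed cap on guesses per issued code


class SecondFactorGate:
    """Post-login gate: 'logged in' sessions stay blocked until verified."""

    def __init__(self, now=time.time):
        self.now = now                 # injectable clock (used by tests)
        self.pending = {}              # session_id -> [code_hash, expires_at, attempts]
        self.verified = set()          # sessions that passed the second step

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue_code(self, session_id):
        """Create a fresh 6-digit code; only its hash is kept server-side.
        The clear-text code is returned solely for the delivery channel
        (SMS/email) and re-issuing invalidates any earlier code."""
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = [self._digest(code), self.now() + CODE_TTL_SECONDS, 0]
        self.verified.discard(session_id)
        return code

    def verify(self, session_id, submitted):
        """Return True and unlock the session only on a timely, correct code."""
        entry = self.pending.get(session_id)
        if entry is None:
            return False
        code_hash, expires_at, attempts = entry
        if self.now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self.pending[session_id]   # expired or exhausted: must re-issue
            return False
        entry[2] += 1
        # constant-time comparison avoids leaking how many bytes matched
        if hmac.compare_digest(code_hash, self._digest(submitted)):
            del self.pending[session_id]   # single use
            self.verified.add(session_id)
            return True
        return False

    def may_proceed(self, session_id):
        """Everything behind the mantrap checks this before doing work."""
        return session_id in self.verified
```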
Reviewed by FileMaker Engineers
Before releasing FMAuthenticator, I had two engineers at FileMaker Inc. review it. I was concerned that a malicious user could somehow bypass the 2FA process by opening the database without FMAuthenticator's script firing. They reviewed the solution, and assured me that there was no way to bypass FMAuthenticator.
If you are interested in enhancing the security of your FileMaker solutions, then I encourage you to take a look at FMAuthenticator. It's a free, open-source solution, and you can learn more about it here: http://fmauthenticator.com
Thoughts On Ersatz Log-On Systems
On a related note, I too have seen some of the "ersatz log-on systems" that Mr. Blackwell is referring to. Some are well thought out, while others are an absolute nightmare.
Regardless, it's important to note that in some cases these systems haven't been developed because of a lack of knowledge or understanding on the developer's part. Instead, some have been developed out of necessity, and sometimes out of desperation. For example, I've seen solutions that were developed to help manage accounts used in multi-database solutions.
Perhaps the proliferation of these solutions is an indication that the platform simply doesn't provide some functionality that developers truly need.