FMAuthenticator: An Effective Way to Enhance the Security of FileMaker-Based Solutions
This past week, concerns arose about the effectiveness of FMAuthenticator, an open-source two-factor authentication technique for the FileMaker platform that I released earlier in the month.
The concern seems to be that in order for FMAuthenticator to work, a user must first log into the FileMaker database. The claim is that, at that point, the user has already been authenticated, and therefore the second authentication challenge that FMAuthenticator issues is irrelevant.
Using FMAuthenticator to restrict access to a FileMaker database is somewhat like using a mantrap to restrict access to a building. With a mantrap, visitors have to pass through two locked doors, providing two factors of identification in order to gain entrance. After unlocking the first door, they are confronted by the second locked door. At that point, they are physically inside of the building, but until they unlock and pass through that second door, they cannot access anything inside of it.
FMAuthenticator works much the same way. In its case, users log into the database by authenticating with their FileMaker account. They are then presented with a dialog box that prompts them for the randomly generated code that has been sent to their mobile phone. Until they provide that code, they are logged into the database, but cannot access anything inside of it.
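The "logged in but held at the second door" state described above can be modelled as a session that is authenticated but not yet verified. This is an added illustration in Python, not FMAuthenticator's own code; the class name, the six-digit code format, the five-minute expiry and the three-attempt limit are all assumptions.

```python
import hmac
import secrets
import time

CODE_TTL = 300      # assumption: code lifetime in seconds
MAX_ATTEMPTS = 3    # assumption: guesses allowed before the session is locked


class GatedSession:
    """A session that passed the first factor but is held at the second door."""

    def __init__(self, account, now=None):
        self.account = account
        self.verified = False
        self.attempts = 0
        self.issued_at = time.time() if now is None else now
        # Six-digit code from a CSPRNG; delivery to the phone is out of scope.
        self.code = f"{secrets.randbelow(10**6):06d}"

    def submit_code(self, candidate, now=None):
        """Return True only if the code is right, fresh, and attempts remain."""
        now = time.time() if now is None else now
        if self.verified:
            return True
        if self.attempts >= MAX_ATTEMPTS or now - self.issued_at > CODE_TTL:
            return False
        self.attempts += 1
        # Constant-time comparison so timing does not reveal matching digits.
        if hmac.compare_digest(candidate.encode(), self.code.encode()):
            self.verified = True
        return self.verified

    def read_record(self, records, key):
        """Every data access checks the gate, not only the code dialog."""
        if not self.verified:
            raise PermissionError("second factor not completed")
        return records[key]
```

The point the model makes is that the second factor only adds protection if every path to the data checks the verified flag; a gate enforced solely by the dialog would leave the first login sufficient on its own.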
So, is FMAuthenticator effective? Does it really enhance the security of a FileMaker database? I think it does.
I'd love to hear your thoughts on this. Feel free to download FMAuthenticator, give it a try, and let me know what you think.