Documentation Index

Fetch the complete documentation index at: https://docs.lobstersoftware.com/llms.txt

Use this file to discover all available pages before exploring further.

Enable two-factor authentication via auth.xml

Prev Next

This guide describes how to configure time-based two-factor authentication (TOTP) for users of the Lobster Data PlatformBy the end, you will have enabled a TOTP handler in the server configuration, registered an authenticator device for a user, and verified the login process with 2FA. The method described here does not require event handling and is therefore quick to set up.

Upon completion, you will have:

  • Enabled a TOTP handler in auth.xml.

  • Registered an authenticator device for a user.

  • Successfully verified a 2FA login.

Would you like to implement 2FA using event handlers? See also: Two-factor authentication (Concept).

NOTE

This simpler activation method is available starting with version 25.0.5 of the Lobster Data Platform.

Requirements (2FA)

  • Access to the Lobster server's file system (via SSH or directly).

  • Administrator access to the Lobster Data Platform with the super user role.

  • A TOTP authenticator app on a mobile device (e.g., Google Authenticator).

  • Lobster Data Platform version 25.0.5 or later.

Register a TOTP handler

The 2FA configuration is currently set up in the XML file $HUB_HOME/etc/auth.xml.

  1. Open the file in a text editor:

    nano $HUB_HOME/etc/auth.xml

     CAUTION 

    In older versions, the template provided in the auth.xml file should first be discarded.

    • It contains invalid //comments. In XML, the use of such syntax is not permitted and results in runtime errors.

    • The label passwordLength is misleading. This actually refers to the length of the token, not the password.

    Therefore, do not use the default template as a template; instead, copy and use the call shown below.

  2. Insert the following block:

      <Call name="addTFAHandler">
        <Arg>com.ebd.hub.services.auth.tfa.otpauth.TOTPHandler</Arg>
        <Call name="addDeviceTemplate">
          <Arg>YourHandlerName</Arg> <!-- TOTP handler name -->
          <Arg>10</Arg> <!-- max login attempts -->
          <Arg>30</Arg> <!-- token interval in seconds (default is 30) -->
          <Arg>6</Arg> <!-- token length (should be 6) -->
          <Arg>HmacSHA512</Arg> <!-- token hash algorithm -->
        </Call>
      </Call>
  3. Save the file.

Meaning of the parameters (in this order):

  • YourHandlerName: A name of your choice for the TOTP handler. It appears in the interface as the label for the registration button. Choose a meaningful name for your installation.

  • 10: Maximum number of login attempts.

  • 30: Token interval in seconds. The default value is 30.

  • 6: Token length. Must be 6. TOTP tokens are six digits long in all common apps.

  • HmacSHA512: Hash algorithm for token generation. Recommended for current installations.

Restart the Lobster service

For the changes to take effect, the Lobster service must be restarted.

  1. Restart the Lobster service, for example:

    systemctl restart lobster


    NOTE  Starting with Release 26.2, exclusively via the Lobster Application Wrapper.

  2. Wait until the service has fully started.

Register an authenticator device for an individual user

After restarting, a new button will appear in the user menu.

  1. Click your username in the upper-right corner. Select Two-Factor > Register [YourHandlerName].

    User interface showing registration and two-factor authentication options in a system.

The Register device dialog box will open. It contains:

  • A QR code

  • The corresponding shared key

  • The app URL

Device registration interface displaying a QR code and required fields for input.

  1. Open the authenticator app on your mobile device.

  2. Select Add account > Scan a QR code.

  3. Scan the QR code.

    Alternatively, you can enter the shared key manually in the app.

  4. The app now displays a six-digit code.

  5. Enter it in the required field code*.

  6. Click Register.

Once registration is complete, the button will change to Deregister [YourHandlerName]. This means the device is now properly linked.

Login: 2FA verification

  1. Click Logout to sign out.

  2. Please log in again using your regular username and password.

    After entering your password, the 2FA Verification screen appears with the message "Please enter your code".

  3. Open the authenticator app.

  4. Enter the current six-digit code.

  5. Enter the code in the input field.

    Login screen for two-factor authentication with code entry prompt and login button.

  6. Click Log in to confirm.

Once you've entered the information successfully, you'll be logged in and 2FA will be enabled for your account.

Register 2FA for other users (as an administrator)

Starting with version 25.05 of Lobster Data Platform administrators can register 2FA devices directly from the user overview.

  1. Click Administration > Accounts > Users.

  2. Select the relevant user from the list.

  3. Click Register [YourHandlerName] in the toolbar.

    User interface showing options to register, save, delete, and manage items.

    The same QR code dialog opens as in the section Register an authenticator device for an individual user.

  4. Provide the user with the QR code or the shared key.

    The user scans the code with their authenticator app and gives you the six-digit code.

  5. Enter the code in the code* field.

  6. Click Register.

Deregister authenticator device

As a user:

  1. Click your username in the top-right corner. Select Two-Factor > Deregister [YourHandlerName].

    User interface showing options for deregistering and two-factor authentication settings.

As an administrator:

  1. Click Administration > Accounts > Users.

  2. Select the relevant user from the list.

  3. Click Deregister [YourHandlerName] in the toolbar.

After deregistration, 2FA verification is disabled for the user. The user can still register again for 2FA.

Known limitations

Microsoft Authenticator

NOTE

Microsoft's Authenticator app only supports SHA-1. In this case, set HmacSHA1 as the hash algorithm. For all other common authenticator apps, we recommend HmacSHA256 or HmacSHA512.

Two options:

  • Use HmacSHA1 in the configuration.

  • Recommend that affected users use a different authenticator app (e.g., Google Authenticator).

Configuration via XML file only

This type of configuration is currently only possible via auth.xml. A service restart is required. UI-based configuration is planned for the near future.

User self-deregistration

Users can deregister their own 2FA handler in the profile menu.

Currently, the only way to prevent this is by configuring event handlers accordingly.