Around the Storage Block
StorageExperts

Storage security update: Get to know our new multifactor authentication feature

Technology has pushed innovation in many directions, especially in the field of security. Now HPE Alletra 6000, which was developed from the foundation of HPE Nimble Storage architecture, has achieved a significant milestone in security with our new multifactor authentication feature. This blog illustrates our thought process behind the development of this security feature as well as how to activate two-factor authentication.

The world of technical innovation has opened new routes to breakthroughs in numerous technological fields, notably in cybersecurity. With new technological improvements come new implications, particularly in security, where we continually learn of security breaches and new hacking tactics. This isn't breaking news to us or to our customers. But it is why we are implementing multifactor authentication: to give you more assurance when developing a security plan.

What is multifactor authentication and how does it work?

Multi-factor authentication is an enhanced security feature that protects an online account by requiring an additional factor beyond a login name and password. Our multi-factor authentication feature is based on the Time-Based One-Time Password (TOTP) algorithm.

A Time-Based One-Time Password (TOTP) is a temporary passcode produced by an algorithm that derives its uniqueness from the current time. TOTP uses time as the moving factor, meaning each password expires after a certain number of seconds. TOTP is distinct in that it is an extension of the HMAC-based One-Time Password method (HOTP), and it has been approved as Internet Engineering Task Force (IETF) standard RFC 6238.

The HMAC-based One-Time Password algorithm (HOTP) is an event-based One-Time Password (OTP) that uses a counter as the moving factor for each code, whereas TOTP is a time-based OTP. Since HOTP is event-based, if a code gets into the wrong hands, the person may write it down and use it whenever they want, unlike a TOTP code, which expires. Because an HOTP code has no time restriction until it is actively presented to and confirmed by the authentication server, HOTP is more vulnerable to brute-force attacks than TOTP.

Here is a diagram of the steps in how TOTP works.

MFA1.png

Our multifactor authentication (MFA) technology, together with any authenticator app of your choice, such as Google Authenticator, can now increase the security of your account. This gives you more control over your account, since it makes it more difficult for an attacker to authenticate and begin an attack on the array. It also satisfies your organization's regulatory need for a security verification method. Here's a diagram showing multi-factor authentication versus not having multi-factor authentication.

MFA2.png

Benefits of using MFA 

The administrator role controls multi-factor authentication, which means that the administrator can lock a user's settings or give the user the authority to enable or disable TOTP authentication. You also don't need an active internet connection on your phone to use the TOTP technique. Utilizing TOTP authentication for MFA offers these advantages:

  • Help IT staff save time when users forget their passwords or need to reset lost or stolen OTPs.
  • Simplify developing and integrating user identity verification.
  • Reduce password fatigue by generating OTPs automatically for users who have difficulty remembering passwords.
  • Make access to arrays more difficult for hackers, because OTPs are difficult to guess at random.
  • Prevent compromised credentials from being used successfully.

What is the MFA feature on HPE Alletra 6000?

MFA users

On the HPE Alletra 6000, the MFA feature first gives administrators the ability to create MFA users. To create an MFA user, the administrator goes to Administration and selects Security, as shown below. At the bottom there is a checkbox labelled 2-factor authentication; check it to create the MFA user.

MFA3.png

The MFA feature consists not only of creating MFA users but also of enabling MFA on data collections and snapshots, which we will cover further on in this blog. MFA users differ from our regular users in how they log in to the HPE Nimble Storage account. When logging in as an MFA user for the first time, a pop-up appears with directions on downloading an authenticator app of your choice, as shown below. Then, using the authenticator app on your mobile device, scan the barcode generated for you in the pop-up. Note: this authenticator setup is done only once, unless the MFA user is reset. However, a verification code from the authenticator will still be requested on future logins.

MFA4.png

After clicking Next, you will see the following screen and will enter the code shown in the authenticator app. Keep in mind that the code changes every few seconds if it is not entered immediately. Note: A usage warning is displayed next, after entering the code, to indicate that this is a private system and only for authorized use.

MFA5.png

Enable MFA on volume collections

Now let's look at how to enable MFA on volume collections. Once logged in to the HPE Nimble Storage console, go to Manage and click Data Protection to create a volume collection with MFA enabled. When creating the volume collection, you will see a checkbox called Protected: 2FA under Schedules, which enables MFA on the volume collection.

MFA6.png

After creating the volume collection (vocol-1) with MFA enabled, the Protected: 2FA column shows Yes, confirming that MFA is enabled on the volume collection.

MAF7.png

Associating volume collection 

Now the volume collection with MFA enabled can be associated with a new or existing volume. In the example below we go to Manage and click Data Storage to create our volume. Here we associate our MFA-enabled volume collection (vocol-1) with the volume under Data Protection. This means that the volume we created inherits the MFA protection, because MFA is enabled on the volume collection.

MFA8.png

Deleting a volume collection associated with a volume

In this scenario we try to delete the volume collection (vocol-1) we previously associated with a volume. We go back to Manage, click Data Protection, and remove the volume collection by clicking the X.

MFA9.png

A warning pop-up appears saying, "Are you sure you want to remove this volume collection?", followed by another pop-up asking for the verification code from the authenticator app that was registered when first logging in as an MFA user. Note: The verification code expires after a number of seconds, after which a new code is generated.

MFA10.png

In this scenario, we see a pop-up saying that we are not able to delete the volume collection because of its association with the volume we made earlier.

MFA11.png

To dissociate the volume collection, go to the volume collection and, under Actions, click Edit Volume Collection until you see a screen like the picture on the left. Here we dissociate our volume collection vocol-1 from the volume by moving the collection to the Available side. Doing this prompts us once again for a code generated by the authenticator app before the volume collection can be dissociated from the volume.

MFA12.png

MFA13.png

Now we can go back to the volume collection and delete it. During the deletion process, a verification code from the authenticator app is once again requested before the volume collection can be deleted. Here we can see that the volume collection was successfully deleted after entering the code. Note: The verification code (TOTP) is only requested again if 15 minutes (the default setting) have passed since the last verification.

MFA14.png

Deleting a snapshot

In this scenario we are deleting a snapshot under volume collection as shown below in the picture. 

MFA15.png

You will get a warning pop-up saying, "Are you sure you want to delete the snapshot collection …?" and then a pop-up asking for the code generated by the authenticator app before the snapshot can be deleted. Note: The verification code (TOTP) is only requested again if 15 minutes (the default setting) have passed since the last verification.

MAF16.png

Here we can see that the snapshot was successfully deleted after the generated code was submitted. Note: Snapshots can be deleted in batches with the MFA feature.

MFA17.png

Reset the MFA user

In this scenario we reset MFA on an MFA user, as mentioned at the beginning. We go back to where we created the MFA user and, under More Actions, click Reset 2FA. A pop-up then asks us to confirm that we are sure about resetting.

MFA18.png

We log out and log in again as the MFA user. We see that we must set up the authenticator again, as it has been reset. Note: We are still able to perform previous MFA functions, such as deleting MFA-enabled snapshots from the volume collection we created earlier.

MFA19.png

Deleting an MFA-enabled snapshot as a regular user

In this scenario we try to delete an MFA-enabled snapshot as a regular user instead of an MFA user. As shown in the image below, since we are not an MFA user, we are not able to delete the MFA-enabled snapshot. Note: Only MFA users can perform actions on items that have MFA enabled.

MFA20.png

Making the administrator an MFA user

We can enable MFA at the administrator level; however, if the mobile device is lost, stolen, or damaged, we are locked out of the account. If this were to happen, we would need to call support to reset the MFA. Also, if we upgrade our phone, we must set up MFA once again to discard the previously registered mobile device.

Deletion of all MFA users

If someone were to go into the administrator account and delete all MFA users, the MFA protection would still remain intact on any item that has MFA applied, such as snapshots and volume collections.
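The rules in the walkthrough above (only MFA users may act on MFA-enabled items, a fresh code is only requested after the 15-minute default has elapsed, a collection still associated with a volume cannot be deleted, and protection lives on the item rather than on the user) can be summarised as a small policy model. The following Python is an added example written for this blog post, not HPE's code and not how the array implements the feature; the class names, the return strings and the sample users and items are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# The blog's stated default: a code is requested again only once 15 minutes have passed.
REVERIFY_AFTER_SECONDS = 15 * 60


@dataclass
class User:
    name: str
    is_mfa_user: bool          # created with the "2-factor authentication" checkbox


@dataclass
class Item:
    name: str
    kind: str                  # "volume_collection" or "snapshot"
    protected_2fa: bool        # the "Protected: 2FA" column; stored on the item, not the user
    associated_volumes: List[str] = field(default_factory=list)


@dataclass
class Session:
    user: User
    last_totp_verified: Optional[float] = None   # unix time of the last accepted code, if any


def check_destructive_action(session: Session, item: Item, now: float) -> str:
    """Decide whether deleting or dissociating `item` may proceed right now.
    Returns one of: "allow", "deny", "require_totp", "blocked_by_association".
    The checks follow the order the walkthrough shows: the code is asked for
    before the association problem is reported."""
    if not item.protected_2fa:
        return "allow"                               # unprotected items: normal permissions apply
    if not session.user.is_mfa_user:
        return "deny"                                # only MFA users may act on MFA-enabled items
    last = session.last_totp_verified
    if last is None or now - last >= REVERIFY_AFTER_SECONDS:
        return "require_totp"                        # prompt for a fresh authenticator code
    if item.kind == "volume_collection" and item.associated_volumes:
        return "blocked_by_association"              # dissociate the volume first
    return "allow"


def record_totp_success(session: Session, now: float) -> None:
    """Called after a TOTP code has been verified; starts the 15-minute window."""
    session.last_totp_verified = now


def delete_item(session: Session, item: Item, now: float, inventory: List[Item]) -> str:
    """Apply the policy and, if allowed, remove the item from the constructed inventory."""
    verdict = check_destructive_action(session, item, now)
    if verdict == "allow":
        inventory.remove(item)
    return verdict


if __name__ == "__main__":
    # Constructed sample data.
    alice = User("alice", is_mfa_user=True)
    bob = User("bob", is_mfa_user=False)
    vocol = Item("vocol-1", "volume_collection", protected_2fa=True, associated_volumes=["vol-1"])
    snap = Item("snap-1", "snapshot", protected_2fa=True)
    items = [vocol, snap]

    s = Session(alice)
    t0 = 1_000_000.0
    print("first attempt:", delete_item(s, vocol, t0, items))        # require_totp
    record_totp_success(s, t0)                                       # code accepted
    print("still associated:", delete_item(s, vocol, t0 + 5, items))  # blocked_by_association
    vocol.associated_volumes.clear()                                 # dissociated within the window
    print("after dissociation:", delete_item(s, vocol, t0 + 60, items))   # allow
    print("regular user on snapshot:", delete_item(Session(bob), snap, t0, items))  # deny
    print("MFA user after 15 min:", check_destructive_action(s, snap, t0 + 900))   # require_totp
```

The point worth noticing is that `protected_2fa` is a property of the `Item`, so deleting every `User` with `is_mfa_user=True` changes nothing about which items are protected; it only removes everyone who could act on them.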

Our new MFA feature for HPE Alletra is a game changer. To learn more, please watch these demos where we walk you through the MFA feature. Till next time! 

Creating A Multifactor Authenticated User with OS 6.1

Creating A Volume Collection Protected by Multifactor Authentication with OS 6.1

Deleting A Volume Collection Protected by Multifactor Authentication with OS 6.1

Deleting Multifactor Authenticated Volume Snapshots with OS 6.1


Meet Around the Storage Block blogger Jasmin Alvarez

Jasmin is a data infrastructure technical marketing engineer at HPE.


Storage Experts
Hewlett Packard Enterprise

twitter.com/HPE_Storage
linkedin.com/showcase/hpestorage/
hpe.com/storage

About the Author

StorageExperts

Our team of Hewlett Packard Enterprise storage experts helps you to dive deep into relevant infrastructure topics.