Here is a quick demo and a public sample app on how 2FA can ‘in a way’ be utilized with an AppSheet App. A possible use case may be having control of app use by users in a way that provided the device is a public or multi-person use device, you may not want to expose your data to others. There might be several cases for sure (or even this feature might completely be useless) but I just wanted to test and show how it can be done.
The app has an initial Deck View menu. When you select a menu item, the app first checks whether you have an auth code or not. If you haven't created one, then the app redirects you to a form so that you can generate an auth code. You can choose to send the code via SMS, Email or Push notification. When received you have 90 secs. to enter the auth code and verify so that you can reach the menu items. If you exceed the limit, then you need to regenerate a new code. After you have verified the code, this code will be active for 60 mins.
The auth codes generated have the 2 TLS limits mentioned below:
TLS-1 :: Auth Token Reset Limit - set to 60 mins.
TLS-2 :: Auth Code Refresh Limit - set to 90 secs.
These TLS limits can be changed from the SETTINGS menu. You can download the app build documentation from HERE and you are free to copy this app from my PORTFOLIO.
Awesome timing! I am working to implement exactly this into an app.
I feel like though, for the masses here, a disclaimer should be made to make it perfectly clear that 2FA IS NOT A FOOLPROOF SECURITY measure. It is only an extra layer of authentication that makes it more difficult for unauthorized access.
In fact, many of the 2FA professional services provided are no more effective than this approach. In some cases, services provide encrypted communications or usage of hardware tokens but these require additional software installed or purchase of the hardware token/service. Not even feasible when you might not know or have limited contact with the end user.
2FA does help, but if you need security in your app, please make sure you know what 2FA really is, how it works and its weaknesses. This article might be a good place to start:
@WillowMobileSystems
Thank you for this very valuable contribution, highly appreciated. As you have mentioned, the only bulletproof security is the one which is provided by official, proven OAuth protocols. Other features added on top of this are just an additional layer of security. I have presented this demo app to show the community and interested users how such a layer like 2FA can be mimicked within an AppSheet development.
Actually, I was pointing out that there are NO bulletproof approaches…only MORE secure options. Every security approach has vulnerabilities. Just need to select the one that best suits the requirement.
…and BACKUP, BACKUP, BACKUP the data. The best any of us can do is be prepared in the case of an attack to restore the system quickly.
Yes. I recommend frequently saving copies of the data and I recommend keeping those copies in a different location - i.e. not in Google or whatever platform the datasource is hosted in. If there ever is an issue of lost data, you can quickly restore it.
[How to create an automated gSheet backup within your app](https://community.appsheet.com/t/how-to-create-an-automated-gsheet-backup-within-your-app/10473)
Dear valuable members of the AppSheet Community, I would like to share and explain, how it’s possible to create an automatic backup feature for your app’s back-end. This post will cover the details of a “HOW-TO” and include: Google Sheet Structuring Google Drive Structuring Google Apps Scripting Google Apps Script - Installable Trigger Setting Part 1 | Google Sheet Structuring Step1: Add an extra tab to your back end and name it as you like i.e. Backup, Backup Settings etc. Step2: Struct…
UPDATE: Disregard the question below. The app is not under a Pro plan so SMS messages are not sent - even as a personal app. Makes sense. I can see how SMS could be exploited and/or abused since there isn’t really a way to validate who the phone number belongs to.
Hi! I have been testing on a copy of your 2FA app. Thank you very much for this by the way.
Sending codes to Email and as Push Notifications works beautifully. However, I do not seem to receive the SMS messages. I’ve checked the logs and there are no errors. I have reviewed the phone settings and everything seems to be fine with regards to receiving SMS. I am using an iPhone 7. I have not used SMS at all in any of my apps so I’m not that familiar with this feature.
Do you know of anything else I should check into to determine why the SMS messages are not coming through?
I have been playing with the 2FA app so I can borrow from it. I have come to realize that after inserting the generated code, the data tables don't open up so they can be viewed.
Tracking it down, it seems the CREATE AUTH CODE webhook is failing with the below message. I am not completely up to date on the syntax expected. I will reimplement this with an action instead and see if that works.
I have come to realize that after inserting the generated code, the data tables don't open up so they can be viewed.
@WillowMobileSystems
It's by design like that. After you insert the code and it's saved, you will notice from the detail view that it's been verified. If you haven't inserted the code within 90 secs or your code is older than 60 mins, the form will generate an error.
Basically, as the table is filtered per USEREMAIL(), you are editing your own initially created record, not adding a new row all the time. The table actually adds a new record if and only if you haven't created one initially. After that is created, you'll be editing that record behind the curtains at all times.
When you REFRESH a code, that code is added to another table via webhook (where you had accomplished the same via a Form Saved Action, I believe) so that the app can track the datetime stamp of the user's latest code for the time limit assigned via SETTINGS.
I have tested my demo app and the webhook seems to be working fine. It's weird that it raised a bad request error for you.
Please keep me posted if you discover any errors or non-working feature, so that I can find a chance to correct it in my sample app as well. Thanks for your consideration mate.
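The two-window flow from the first post (a fresh code must be entered within the 90-second refresh limit, after which the verification stays valid for the 60-minute reset limit) and the per-user record plus CODES log described above, written out as an added Python example. This is not code from the sample app; the `TwoFactorGate` class, the keyed hashing of codes and the injected `now` clock are assumptions made so the logic runs offline.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional
# Defaults taken from the post: TLS-2 (code refresh limit) and TLS-1 (token reset limit).
CODE_REFRESH_LIMIT_S = 90
TOKEN_RESET_LIMIT_S = 60 * 60

@dataclass
class AuthRecord:            # one row per USEREMAIL(), edited in place after first creation
    email: str
    code_hash: str = ""      # keyed hash only; the plain code is never stored
    code_issued_at: float = 0.0
    verified_at: Optional[float] = None

class TwoFactorGate:         # hypothetical stand-in for the auth table plus the CODES log table
    def __init__(self, refresh_limit=CODE_REFRESH_LIMIT_S, reset_limit=TOKEN_RESET_LIMIT_S):
        self.refresh_limit = refresh_limit     # seconds allowed to enter a fresh code
        self.reset_limit = reset_limit         # seconds a verified session stays valid
        self.secret = secrets.token_bytes(32)  # keys the code hashes (assumed; not in the app)
        self.records = {}                      # email -> AuthRecord
        self.codes_log = []                    # (email, issued_at), like the CODES table

    def _hash(self, code: str) -> str:
        return hmac.new(self.secret, code.encode(), "sha256").hexdigest()

    def issue_code(self, email: str, now: float) -> str:
        """Create or refresh the user's code; delivery by SMS/email/push is out of scope."""
        code = f"{secrets.randbelow(10**6):06d}"
        rec = self.records.setdefault(email, AuthRecord(email))  # new row only the first time
        rec.code_hash, rec.code_issued_at = self._hash(code), now
        self.codes_log.append((email, now))
        return code

    def verify(self, email: str, submitted: str, now: float) -> bool:
        """Accept the code only inside the refresh window, once, with a constant-time compare."""
        rec = self.records.get(email)
        if rec is None or not rec.code_hash:
            return False
        if now - rec.code_issued_at > self.refresh_limit:
            return False                       # TLS-2 exceeded: the user must regenerate
        if not hmac.compare_digest(self._hash(submitted), rec.code_hash):
            return False
        rec.verified_at, rec.code_hash = now, ""  # consume the code so it cannot be replayed
        return True

    def is_authorized(self, email: str, now: float) -> bool:  # TLS-1: last verification still fresh?
        rec = self.records.get(email)
        return rec is not None and rec.verified_at is not None and now - rec.verified_at <= self.reset_limit
```

Calling `issue_code` a second time for the same email refreshes the existing row and appends to `codes_log` rather than creating a new record, which is the behaviour the reply above describes.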
AFTER entering the supplied code via email and within the required time, the data tables never become viewable. This is because the entered codes were NOT being written into the CODES table which is required to properly authenticate the user. There is some syntax issue with the JSON code causing the webhook to fail to add the newly entered and valid code.
@WillowMobileSystems
Hi John, the CODES table never becomes viewable because, by design and intentionally, it's not assigned to a UX View at all. The aim of that table is just to create a valid LOOKUP database to be able to calculate the timespan of the last used code for each specific user/useremail.
WillowMobileSystems:
There is some syntax issue with the JSON code causing the webhook to fail to add the newly entered and valid code.
Was that syntax issue from your side or from my side? I would like to check. Thanks.
The CODES table never became viewable because by design it's not assigned to any UX on purpose.
Sorry, by "data tables" I meant Table A, Table B and Settings. They never become viewable after entering a valid code. Meaning when I click on one of them from the Home screen, I am always presented with the 2FA view. When that happened, I searched for the root cause and found the error message provided in the previous message above.
It is odd that the webhook works for you but not me. All I've done is copied the app and tried it out. There isn't anything more I need to do to make it work…right?
Regardless, I got it to work with an action and I understand enough about it, which was the goal.
Thank you for putting out this sample. It was perfect timing for me.
It bothered me a little that I couldn’t get the app to work with the webhook. Admittedly, I am not familiar with webhooks in AppSheet. So I played with it a bit more.
I am wondering, after downloading the app, do I need to adjust any of the webhook settings?
See the images below. I tried updating the App ID in the webhook step, which resulted in the error shown. But even after enabling the AppID, the error persists.
What do I need to do to make this webhook work for me?