Steven H. Blackwell

We already have this capability for the FileMaker Platform, and we have had it for a number of years. More and more installations are using Two Factor Authentication (2FA) with these hardware devices. SMS in the form of a code sent to a mobile device, especially a telephone, is inherently insecure. How does the provider of the asset know that the recipient of the code is the person the requester claims to be? SMS messages can be re-routed by hijacking the Subscriber Identity Module (SIM) of the device. Note these two articles: https://securityintelligence.com/whats-wrong-with-sms-authentication-two-ibm-experts-weigh-in-on-the-nist-recommendation/ https://www.schneier.com/blog/archives/2020/01/sim_hijacking.html Thanks for replying. Steven H. Blackwell Platinum Member Emeritus

This year 2020 will be one of Change and Challenge for the Claris FileMaker Community. It will require Commitment, Confidence, and Community Effort to see it to a successful conclusion. Herewith, in outline form, are some of the Challenges I foresee we will face: 1. We will need to develop a finer level of audit logging of Personally Identifiable Information (PII). Most logs currently focus on system level activity. A finer level of focus will assist in achieving compliance with various privacy requirements. Prompt response timelines for breaches will be an issue as well. 2. We will need to improve data level protection via encryption. The UI layer is insufficient for this purpose. But in the process of doing this, we must maintain system usability. 3. The practice of sending SMS text messages to mobile devices to achieve Two Factor Authentication (2FA) needs to end. It is inherently insecure, and there are better alternatives. 4. A better approach to 2FA is to adopt hardware tokens of various types. These can be made to work with the FileMaker Platform—indeed they already do so—using expanded oAuth Open ID Connect services. 5. We are going to need to adopt context—based authentication. Not just Who are you? and Are you who you say you are? But also, How do we know this? And from where are you seeking access, on what device, to what asset? This is not particularly easy to adopt; however, it can be done. 6. Mobile accessibility is due for a change. We are at the beginning of end of Wi-Fi. In 2020 we will begin to see adoption of what is called Citizens Broadband Radio Service (CBRS). This is not to be confused with the old CB Radio from the 1970’s. Adoption of CBRS is likely the beginning of Connectivity as a Service. 7. We will begin increasingly to see the containerization of applications and services, e.g. FileMaker Server. a. Unlike virtual machines, they don't need a full OS to be installed within the container. b. Once the container has been created, it can easily be deployed to different servers. From a software lifecycle perspective this is a great help, as containers can quickly be copied to create environments for development, testing, integration, and production. 8. We need to adopt processes that facilitate how data owners can assure they exercise due diligence on cloud-hosted data. The owner is the responsible party here. And it is the owner who likely would suffer the bulk of the onus of any breach. In order to exercise this due diligence, data owners must expect and insist on transparency from hosting and PaaS providers about security processes including who does and does not have access to and knowledge of encryption keys. This will not be a straightforward process. 9. As we experience more and more instances of Machine Learning, we will need to be aware of, and to guard against, manipulation of the Training Data that underpins this process. Such data are susceptible to attack and to manipulation that poisons the data. Even a very small amount of such alteration can affect the machine learning process. 10. The Human Element has always been at the center of effective FileMaker Platform Security. That will become even more the case in 2020 and beyond as we move to Federated Identity Management and to Digital Transformation. The culture of any organization is a governing element for its success. We will have many challenges here properly to account for and to plan for the Human Element. Steven H. Blackwell Platinum Member Emeritus

Perhaps take a look at these papers: https://fmforums.com/files/file/115-how-to-extend-oauth/ https://fmforums.com/files/file/116-addendum-oauth-extensibility/ Open Directory is likely not the best choice for authentication. But it does work. You are correct in believing that a service that supports Group structures is your best avenue. Steven H. Blackwell Platinum Member Emeritus

View File Addendum oAuth Extensibility Wim Decorte and I are pleased to release an Addendum to our recent White Paper entitled How FileMaker Developers Can Extend Authentication Options With New Additional OAuth2 Identity Providers In The FileMaker Platform. This Addendum has some additional technical details for FileMaker Platform developers and server administrators. It also has two Case Studies about where variations of these techniques are in place. Submitter Steven H. Blackwell Submitted 11/13/2019 Category White Papers FM Version  

View File How To Extend oAuth FileMaker® Server 16, introduced in April of 2017, brought with it the capability to use three oAuth2 Identity Providers to authenticate Identity Assertions made in attempts to access hosted FileMaker® Pro files. Google, Amazon, and Microsoft® Azure AD were the three Identity Providers. Since then various members of the developer community have sought ways to expand beyond those three providers to employ other Identity as a Service (IDaaS) options. Wim Decorte and I are pleased to advise that we have succeeded in an effort to expand the available Identity Provider services to additional systems. We have documented the underlying mechanism that FileMaker Server uses and have identified at least five new major IDaaS providers whose oAuth2 capabilities we can leverage to permit their use in the FileMaker Platform environment. We hope this means, among other items, that the FileMaker Platform can now be used at locations where heretofore it was disqualified due to lack of support of these Authentication options. We were aided in this endeavor to a substantial degree by assistance from Claris International, Inc. (formerly FileMaker, Inc.) working in a customer environment. This ratifies to a substantial degree the maxim postulated by well-known business author Tom Peters back in the 1970’s that “Innovation doesn’t come from the R&D Department; it comes from the customer base.” Submitter Steven H. Blackwell Submitted 10/09/2019 Category White Papers FM Version  

View File FileMaker18 Security Features The just-released new FileMaker® Pro 18 Advanced has two new security features about which developers should be aware. One of these is fairly straight-forward and extends functionality existing in earlier versions. The other is brand-new; it requires a nuanced understanding and careful consideration about its use. It allows management of certain Accounts by users who do not have [Full Access] Privileges, and thus it is a very significant change. Submitter Steven H. Blackwell Submitted 05/22/2019 Category White Papers FM Version Not Applicable  

Very good. Come back and ask more if you need to do so. That is why we are here. Steven H. Blackwell Platinum Member Emeritus, FileMaker Business Alliance

OK, first, are we talking about another FileMaker Pro file or some other type such as would be accessed via ESS? If this is a FileMaker Pro file, define a Privilege Set in it with appropriate controls. Then create an External Authenticated Account. Put users into a similarly named External Account in your file. Then place individual Accounts and passwords on the Domain Controller or in the Local Security Group area of your server. When you user logs in, the user gets rights to all files with matching group names. Steven H. Blackwell Platinum Member Emeritus, FIleMaker Business Alliance

View File SECURITY SCHEMA CHANGES IN FILEMAKER® PRO 11 AND FILEMAKER® PRO 11 ADVANCED The newly released versions of FileMaker Pro, FileMaker Pro Advanced, and FileMaker Server Advanced all have significant changes in their security features. The desktop client products have a new File Access Protection feature and new calculation functions related to Extended Privileges and Privilege Set Names. Additionally there is a change in the default Menu Commands option when developers create a new Privilege Set. FileMaker Server Advanced has some new features related to role-based administration of the FileMaker Server Advanced product; that is beyond the scope of this paper however. This paper will examine the new security features in FileMaker® Pro 11 and FileMaker® Pro 11 Advanced, with specific emphasis on the File Access Protection enhancements. Why were these changes needed? Why were they implemented? What are they? And, how do they work? Submitter Steven H. Blackwell Submitted 04/18/2019 Category White Papers FM Version 11  

Externally authenticated [Full Access] Accounts--and that is a bad idea--are not allowed to validate changes to the Security Schema. This is by design. Steven H. Blackwell Platinum Member Emeritus, FileMaker Business Alliance