Multi-factor authentication

Most P4 servers are behind a secure firewall and require user passwords.

MFA in general

Multi-factor authentication (MFA) adds an additional layer of security in case a user password is compromised. MFA is a method of confirming a user's claimed identity. A user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism, such as:

  • knowledge (something they and only they know)
  • possession (something they and only they have)
  • inherence (something they and only they are)

MFA with P4 Authentication Service

If you are using the P4 AS (HAS) and you want multi-factor authentication, use the MFA solution that your IdP provides. For information about HAS, see P4 Authentication Service Documentation.

The only use case for installing the Helix MFA app with the P4 Authentication Service is to use an MFA service that is separate from your IdP.

MFA trigger support

Not all products interfacing with the P4 AS support MFA triggers. Check the relevant product guides to see if and how they support MFA triggers.

Helix MFA app

Helix MFA app:

  • should only be used when your password store and your MFA service are separated, such as using LDAP as your password store with Okta as your MFA service.

  • supports the most common factors:
    • One Time Password (OTP) codes
    • Third-party or external prompts, such as a mobile app authentication

For an example of how the P4 Server can support MFA in conjunction with a cloud-based identity provider, see:

  • the Perforce Okta MFA trigger in the Swarm Workshop at okta-mfa.rb

  • Triggering for multi-factor authentication (MFA), which:
    • explains the three types of triggers necessary for Helix MFA (auth-pre-2fa, auth-init-2fa, and auth-check-2fa)
    • shows an example of an auth-check-2fa trigger that Perforce has validated with Okta. To find out more about Okta and the factors it supports, contact your Okta administrator or see https://support.okta.com/help
    • includes comments intended to make this example a starting point for working with the API of other services that support MFA