INSART was asked to create an easy-to-use, technologically advanced, and affordable security solution. This project involved the following challenges:
- Set up a development team;
- Develop the platform from scratch to production;
- Integration with initial clients.
Set up a development team
Business value: A software development team must not only comprise good technical specialists, but also be aware of potential threats and practices within the FinTech industry in order to ensure the confidentiality, integrity, and availability of FinTech applications.
Result: A dedicated team was created by INSART to implement the project. The team included the following specialists:
- Project manager;
- Business analyst;
- Three Java developers;
- QA specialist.
Develop the platform from scratch to production
Business value: While existing solutions had a number of shortcomings, the platform was expected to remedy them. The platform was conceived to support all standard authentication algorithms (HOTP, TOTP, OCRA), have secure protection (Initiative for Open Authentication [OATH]), and be able to integrate with different resources involving sensitive data, such as payment systems.
Details: To ensure reliable and uninterrupted operation, the system is deployed in a cluster of high-performance servers. The hardware load balancer is responsible for distributing and balancing the workload between servers. The monitoring system continuously monitors the state of the infrastructure and notifies Protectimus administrators of possible threats and emergencies. The hardware security module ensures secure storage of cryptographic information.
Protectimus’ solutions are available in two forms:
- A cloud service via a SaaS-based solution that enables two-factor authentication quickly and with minimum effort;
- A platform intended for installation in the client’s environment. The platform includes additional tools for gathering and displaying statistics and managing users, along with many other useful features, though it requires more work on the client’s part.
The solution has the following components:
- Software (a cloud service or a platform) that verifies one-time passwords (OTPs).
- Tokens that generate OTPs. Tokens may be separate devices, mobile applications, or password delivery services (via SMS or email).
The platform has the following functionality:
- The authentication server management interface dashboard shows all statistics for the current client.
- Each registered client can complete the following actions:
  - Manage users: create, edit, or remove existing users; assign tokens.
  - Manage tokens: create, edit, enable/disable, or remove tokens.
  - Manage resources: create, edit, enable/disable, remove, and assign tokens and users.
  - Create geo and time filters.
  - Manage administrators: create, assign rights, remove. The administrator can manage users, tokens, and filters, but cannot delete items that the administrator did not create. In addition, the administrator cannot change a service plan, deposit funds into the account, or view payment statistics.
  - Edit OTP message templates.
  - Customize the service plan.
  - Deposit into the account.
  - Configure which notifications are received about events in the system.
- When the on-premise software is installed, Protectimus can be integrated with the client’s Web systems and applications. The following integration methods are possible:
  - Integration through the API using a set of auxiliary libraries for the programming languages Java, Python, and PHP.
  - Integration using the iframe widget for user authentication.
- Protectimus supports several user authentication methods:
  - User authentication with a static password.
  - User authentication with an OTP.
  - User authentication with a static password and an OTP.
  - Token authentication on a resource.
The following algorithms are used to generate OTPs:
- HMAC—hash-based message authentication code: RFC 2104
- HOTP—hash-based OTP: RFC 4226
- TOTP—time-based OTP: RFC 6238
- OCRA—OATH challenge-response algorithms: RFC 6287
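How a verification server checks HOTP and TOTP codes per RFC 4226 and RFC 6238, as an added example that is not Protectimus code. The function names, the look-ahead window of 3, and the clock-skew allowance of one step are assumptions chosen for illustration; the secret is the published test key from the RFC appendices.

```python
import hashlib
import hmac
import struct

# Test secret published in the RFC 4226 / RFC 6238 appendices (not a real key).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _same(expected: str, submitted: str) -> bool:
    # Constant-time comparison so response timing does not leak matching digits.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def verify_hotp(secret, submitted, server_counter, look_ahead=3):
    """Return the next counter to store on success, or None on failure.

    The look-ahead window tolerates a token that was pressed without logging in.
    Storing matched+1 means the same OTP (and any older one) fails if replayed.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if _same(hotp(secret, c), submitted):
            return c + 1
    return None


def verify_totp(secret, submitted, now, last_step=-1, step=30, skew=1, digits=6):
    """RFC 6238: counter = floor(now / step). Returns the matched step or None.

    Accepts +/- `skew` steps of clock drift, but rejects any step at or before
    `last_step` so a code cannot be reused inside its validity window.
    """
    current = int(now) // step
    for t in range(current - skew, current + skew + 1):
        if t > last_step and _same(hotp(secret, t, digits), submitted):
            return t
    return None


if __name__ == "__main__":
    nxt = verify_hotp(RFC_SECRET, "359152", 0)       # OTP for counter 2
    print("next counter:", nxt)
    print("replay:", verify_hotp(RFC_SECRET, "359152", nxt))
    print("totp step:", verify_totp(RFC_SECRET, "287082", now=59))
```

The caller must persist the returned counter or step per token; without that stored state the replay checks have nothing to compare against.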
Protectimus stores 10 backups: one for each day of the week, as well as backups that are two weeks, one month, and three months old. This enables rolling back in time in the event of any data loss. Each backup is stored on a separate server.
To improve performance, optimization is used at various levels:
- On the server side: caching (Memcached), static content processing optimization (Nginx), application server setting optimization, load balancing, etc.
- On the database: database setting optimization, use of indexes, partitioning.
Processes: Agile and Scrum methodologies were used for development. In the process of software development, the following were used:
- Standard mechanisms and libraries
- Java Programming Style Guidelines (Java™ Coding Style Guide)
- DRY (Don’t Repeat Yourself) and DIE (Duplication Is Evil) principles
- Test-Driven Development (TDD)
Result: INSART developed the Protectimus platform over three years. The platform provides security for Web systems and applications by means of two-factor authentication. Following the first release, the platform has already been working for almost two years.
The platform supports a wide range of OS (from Linux and FreeBSD to any version of Windows), and current and older versions of popular browsers (Google Chrome, Mozilla Firefox, Internet Explorer). All of the system’s components support the existing software development standards, as well as the OATH standards for OTP authentication, which makes it possible to use third-party manufacturers’ or competitors’ tokens in Protectimus.
Protectimus is OATH certified and became one of the OATH’s coordinating members.
Integrate with initial clients
Business value: INSART facilitated integration with initial clients’ systems to ensure that the platform works correctly and to formalize the integration steps so that the client can complete further integrations themselves.
Details: To integrate Protectimus into third-party systems, one of the following two methods may be used:
- Integration using the API. In this case, a set of auxiliary libraries (Java, Python, PHP) is provided. Detailed descriptions of all the API methods are also accessible on the platform site.
- Integration using the iframe widget for user authentication.
Protectimus supports different types of tokens to generate OTPs, including:
- Hardware tokens intended specifically for generating OTPs.
- Software token, Protectimus Smart, which is an application used to generate OTPs.
- SMS and email tokens.
Result: The Protectimus solution is widely used by a number of banks (such as Eurobank, Poltava Bank, etc.) and developers of banking software (Lime Systems, NOKK, etc.). Among the major platform customers are the AdvCash payment system and the Canadian bitcoin exchange platform Taurus. Protectimus has become a partner of Citrix Ready Marketplace.
For the project, the following technologies were used:
- Programming language: Java 7
- Web/App Server: Tomcat 7.0
- Framework: Spring 3.1.0, Apache Tapestry 5.3.7
- GUI: Twitter Bootstrap, jQuery
- ORM: Spring JDBC
- Database: PostgreSQL 9.3
- Building: Maven 3
- High-performance, distributed memory object caching system: Memcached
- Application Load Balancing and Content Caching: Nginx
The following overall solution architecture was implemented: