NOS Security Improvements FAQ

Updated: January 6, 2020

Nuxeo Online Services will be improved in the next couple of months to enhance security. This page details what will happen, when, how you could be impacted and how to prepare for the change.

In Brief

Changes will be done in 2 steps:

Step 1 - Login Page Update and Token Enforcement

  • Login page update: the URL and design will change, and you will be asked for your email address instead of your username to authenticate.
  • Token usage: tokens will be required instead of passwords in our command line tools and APIs.

Step 2 - Multi-Factor Authentication

Upcoming Changes

Login Page Update

Timeline

  • Anytime before Feb. 10: new login page is available to test
  • Feb. 10, 2020: new login page becomes official

Communication will be sent out by email to all of our customers prior to the change.

Impacts

When accessing Nuxeo Online Services, a different login page will be displayed, with a new design and a new URL: https://auth.nuxeo.com (instead of https://sso.nuxeo.com).

Preparing for Change

We recommend checking with your system administrator that the new URL is authorized for access (for instance, not blocked by a proxy or firewall allow list).

A simple way to check is to click the Sign in with Okta button on the current login page and use it to log in with your usual credentials.

Your email address will be requested instead of your username to log into Nuxeo Online Services.

When you first use Okta, you will be asked to choose a security question, which is used to recover your password, and optionally to set up multi-factor authentication. Multi-factor authentication will become mandatory later on.

Command line tools will remain compatible and no update is needed on this side.
To provide consistency and allow you to use your email address everywhere if you prefer, our tools and APIs will accept either your username or your email address wherever a username is requested.

Tokens to Become Mandatory

Timeline

  • Anytime before Feb. 10: tokens can be used as the recommended option, passwords remain compatible
  • Feb. 10, 2020: tokens are enforced as a password replacement in all tools and APIs

Communication will be sent out by email to all of our customers prior to the change.

Impacts

Whenever using command line tools like:

Nuxeo Online Services will request a token instead of your password to authenticate.

It only impacts command line tools and APIs. It doesn't change the way you log into Nuxeo Online Services when using your browser, for instance when accessing Nuxeo Studio. Our tools and APIs can accept either your username or your email address when requesting a username.

Preparing for Change

Tokens already work today and will keep working after the change. Although our client tools have been updated to prompt for a token instead of a password, passwords remain accepted as a compatibility option until the change takes effect.

Switching to tokens now will prevent any breakage once the change takes effect.

See our token management documentation for details on how to create and apply your token.

Multi-Factor Authentication

Timeline

  • Anytime before Feb. 25, 2020: multi-factor authentication can be set up manually and remains optional
  • Feb. 25, 2020: multi-factor authentication is enforced

Communication will be sent out by email to all of our customers before any change.

Impacts

When you log into Nuxeo Online Services, a second authentication factor will be requested to enhance your account security.

These factors can be one of the following:

  • Code provided by a smartphone application (most secure)
  • Voice call to a phone number
  • SMS sent to a phone number (less secure)


Optional during the previous steps, this second authentication factor will be enforced at this stage.

Preparing for Change

We recommend setting up the multi-factor authentication before this enforcement, so that you can get familiar with it.

FAQ

What is a Token?

A token is a randomly generated string that can be used in place of your password when authenticating to our services. It is meant to replace your password anywhere you would otherwise have to write the password down but would rather not disclose it: for instance, in configuration files.

Feel free to check our token management documentation for further details.

Do I Need a Particular Hotfix for These Changes?

No hotfix is required. The latest hotfixes and tool versions only include additional help text that mentions tokens instead of passwords where relevant, starting from the following versions:

  • 8.10-HF47
  • 9.10-HF39
  • 10.10-HF19

These changes are only visual to clarify how our new authentication system works and have no functional impact.

I'm Using an Unsupported Nuxeo Server Version. Should I Be Concerned?

The same applies to formerly supported releases: no code change is needed. Authentication against Nuxeo Online Services from our command line tools and APIs will simply have to be done using tokens instead of passwords.

Why These Changes?

Nuxeo is partnering with Okta, an industry leader in authentication security, to bring these changes. They are part of our continuous effort to improve security and bring several benefits:

  • Storage decoupling: Your password will be stored by our partner Okta. This ensures it benefits from even better protection.
  • Stronger authentication system: Partnering with Okta allows us to provide new features to secure your account, such as multi-factor authentication.
  • Single Sign-On: Signing into your Nuxeo Online Services account will allow you to access our different services seamlessly, without being prompted for credentials again.
