NOS Security Improvements FAQ

Updated: March 31, 2020

Nuxeo Online Services is being improved to enhance security. This page details what will happen, when, how you could be impacted and how to prepare for the change.

Authenticating Against Nuxeo Online Services

The following changes apply starting from March 2nd, 2020.

From your Browser - What Changes?

  • To access Nuxeo Online Services, you need to enter your email address instead of your username on the login page. If you registered for a trial using Google, use the login with Google button.

  • Multi-factor authentication can be set up to secure your account. It remains optional, and will be enforced at a later stage. The multi-factor authentication section in this page provides further details.

From the Command Line - What Changes?

To use our APIs, for instance in the following cases:

When authenticating, you need to provide your username (unchanged), and a token instead of a password (new). Refer to our token management documentation for further details.

Upcoming Changes

Multi-Factor Authentication

Timeline

Info
MFA go-live has been pushed back due to customer requests for additional preparation time. The updated timeline is available below.

Before March 31

No MFA setup is requested.

Nothing changes at this stage.

Between March 31 and April 14, 2020

Multi-factor authentication starts being requested, but is not in effect yet.

During this transition period, setting up MFA will be necessary to finish authenticating. The second factor will not be requested yet when logging in.

Starting From April 14, 2020

Multi-factor authentication comes into effect and is needed to authenticate.

If you have not set up your MFA yet, you will be able to set it up while logging in. This second factor will be requested once a week to authenticate.

Impacts

When you log into Nuxeo Online Services using the browser, a second authentication factor will be requested to enhance your account security.

These factors can be one of the following:

  • Code provided by a smartphone application (most secure)
  • Voice call to a phone number
  • SMS sent to a phone number (less secure)

This factor needs to be set up starting from March 31, but won't come into effect before April 14.

Info
MFA is used only in the browser. It is not needed when using command line tools to automate tasks.

Multi-Factor Authentication FAQ

Who is Impacted by the Change?

This change only applies to people using Nuxeo Studio and Nuxeo Marketplace (called developers from here on). It won't have any effect on people working every day in your Nuxeo Server instance, even if this instance is hosted in Nuxeo Cloud.

Can you Provide a Summary of the Change?

When authenticating into Nuxeo Studio or Nuxeo Marketplace, developers will be requested to set up a second authentication factor using their phone starting from March 31.

This second factor will be saved for later use, but won't be requested until April 14.

Starting from April 14, the second factor will be requested if it has not been saved yet, then will be asked for once a week during authentication.

I See an Error 403 When Trying to Set Up MFA

MFA can only be set up when this option becomes active for everyone, currently scheduled for March 31. Until then, any attempt will result in an error 403, as our service provider does not provide an option to allow opt-in.

General FAQ

What is a Token?

A token is a randomly generated string that can be used as a replacement for your password when authenticating to our services. It is meant to be used in all places where you would need to write down your password, but would rather avoid disclosing it: for instance, in configuration files.

Feel free to check our token management documentation for further details.

Do I Need a Particular Hotfix for These Changes?

No hotfix is required.
The latest hotfixes and tool versions only add help text that mentions tokens instead of passwords when needed, starting from the following versions:

  • 8.10-HF47
  • 9.10-HF39
  • 10.10-HF19

These changes are purely visual: they clarify how our new authentication system works and have no functional impact.

I'm Using an Unsupported Nuxeo Server Version. Should I Be Concerned?

The same applies to formerly supported releases: no code change is needed. Authentication against Nuxeo Online Services when using our command line tools and APIs will have to be done using tokens instead of passwords.

Why Make These Changes?

Nuxeo is partnering with Okta, an industry leader in authentication security, to bring these changes. They are made as part of our continuous effort to improve security and bring several benefits:

  • Storage decoupling: Your password will be stored by our partner Okta. This ensures it benefits from even better protection.
  • Stronger authentication system: Partnering with Okta allows us to provide new features to secure your account, like multi-factor authentication.
  • Single Sign-On: Signing into your Nuxeo Online Services account will allow you to access our different services seamlessly, without being prompted for credentials again.
