Helix MFA Authenticator
April 26, 2018

How to Use MFA to Keep Source Code and Digital Assets Safe

Version Control

What is MFA?

MFA, or multi-factor authentication, is the easiest and most popular way to secure enterprise users and their data. 81 percent of data breaches involve weak or stolen credentials. And MFA can prevent that.

Large companies use MFA to gate access to mission-critical systems that contain financial and customer information. Smaller businesses have also adopted MFA, often for email, because it helps to keep phishers out.

Once it’s implemented, MFA ensures that the users who are accessing your system are who they say they are. It provides more assurance than a simple password.

With MFA, users get access only after providing additional factors. Those factors can include:

  • Answering a security question
  • Using an additional one-time password
  • Using a physical token
  • Accessing an iOS or Android app

Why Do We Need MFA on a Version Control System?

Version control systems store some of the most valuable assets companies possess – their intellectual property. Even so, we are not aware of any other VCS developer besides Perforce that provides support for MFA. We are excited to be leading the market with this exciting and important security enhancement.

Some VCS developers have 2FA (two-factor authentication) in their web interfaces, but not on the command line. As a result, your IP is exposed. We don’t know of any Git server, for example, that has MFA support. This means that with only a username and password, someone could pull down an entire repo from the command line.

Perforce already limits access to files stored in the Helix VCS – either via a client application, command line, or Swarm using a web browser. This means that only users with permission can view and act on the files stored.

How Do I Implement MFA in My Helix Core Environment?

Support for MFA is built into Helix Core (P4D), starting with the 2018.1 release. Once you’ve implemented MFA on your server, it provides an additional security layer. Helix MFA currently works with Okta out-of-the-box, and it’s configurable with other providers.

Perforce provides you with a trigger for your server, which requires simple editing to configure your Okta account and to establish the details of the factors you wish to use.

Helix MFA in Action

When users try to access the server from the command line, visual clients, or plugins, they’re required to provide the additional authentication factors that their administrator chose.

MFA is supported by all Helix Core client software, including:

  • Command-Line Client (P4) 2017.2
  • Helix Visual Client (P4V) 2018.2
  • Helix Plugin for Windows Explorer (P4EXP) 2018.2
  • Helix Plugin for Visual Studio (P4VS) 2018.2
  • Helix Plugin for Eclipse (P4Eclipse) 2018.2
  • Helix Swarm 2018.1

The visual client support is provided via an interface called Helix MFA Authenticator, which is bundled into the download for P4V as of 2018.2.

You can use MFA from the command line on Linux, Windows, or Macintosh. Here’s an example from the Command Prompt on Windows 10:

View of the Command Prompt on Windows 10

In this example, a user named Hercule has entered his normal Perforce password, after typing in the p4 command “p4 login”. Then, after the success of that password, he is asked to choose from a list of possible second factors that will be required before he can access the assets stored in the server. Once he completes that challenge, he will be granted access and can proceed with his work.

You can also use MFA with the Helix Visual Client (P4V). Just like on the command line, after user Hercule enters his normal password at P4V login (or via a prompt if the session has timed out), the Helix MFA window pops up. Hercule sees a list of the factors the administrator has chosen. Once he performs the action required, he is securely logged in and can begin to work with the assets on the server.

View of logging in after expired session

The example above shows Hercule logging back in after his session expired. P4V looks like it always does when this happens, with most activities greyed out. When Hercule tries to do anything, he’s prompted for his password. Then he sees the MFA dialog box and begins the additional steps required to authenticate.

We hope you are as excited about Helix MFA as we are. Contact your Account Representative for more information!