How It Works
GuardianKey Auth Bastion Enterprise acts as an intermediate security layer that intercepts and protects access to web systems, focusing on multi-factor authentication (MFA), integration with GovBR (OAuth2), and advanced control policies.
Its operation is based on a configurable reverse proxy, which protects sensitive routesβespecially those related to user loginβwithout impacting the rest of the original system's functionalities. Below is a detailed explanation of its internal operation.
π TOC (Table of Contents)β
- How It Works
- π TOC (Table of Contents)
- π Request Interception and Proxy Operation
- π Two-Factor Authentication Flow
- π€ Second Factor Registration and Management
- β Token Validation and Multi-Channel Support
- π Integration with OAuth2/OIDC
- π Secure Logout Support
- π Advanced Security and GuardianKey Integration
- π§ Summary Flow Diagram
π Request Interception and Proxy Operationβ
The bastion operates as a transparent reverse proxy, acting as a bridge between the client and the protected system. It does not alter the content of requests and responses, nor does it rewrite URLs, ensuring full compatibility with any web system.
Main features:β
- Protects specific URLs (e.g.,
/login,/auth) according to per-system configuration. - Allows multiple systems and domains to be integrated simultaneously, with specific rules per host/path.
- Does not interfere with other system URLs (static, APIs, dashboard, etc.).
- Supports geolocation restrictions, allowing access to be blocked or allowed based on the IP's country of origin.
π Two-Factor Authentication Flowβ
The standard MFA authentication flow works as follows:
- The user accesses the login URL of the protected system.
- The bastion intercepts the request and checks if the user has already passed the second factor verification.
- If no active validation exists, the bastion redirects the user to the second factor authentication interface.
- The second factor can be:
- TOTP token (Google Authenticator, Authy, etc.)
- Token sent by email
- Token sent by SMS
- Another configured communication method
- After token validation, the user is allowed to access the original login form of the system.
This process ensures that no request to the main system occurs without prior second factor validation, blocking automated and malicious access at the application edge.
π€ Second Factor Registration and Managementβ
The bastion maintains its own MFA user registry, independent of the protected system. Registration can occur:
- Automatically, when the user's identifier is an email (for example, captured from the request).
- Assisted, when the bastion collects the user's credentials, validates them directly in the protected system, and confirms authenticity based on the response (e.g., status, parameters, or page content).
After verification, the bastion creates the second factor registration locally, storing the data in its own database with high-level encryption.
β Token Validation and Multi-Channel Supportβ
Second factor validation is performed by the bastion itself, independently and securely.
Features:β
- Full support for TOTP RFC 6238
- Validation of tokens sent by email or SMS
- Configurable token expiration
- Option to resend the token, with time or attempt limits
- Flexibility to integrate with external notification or authentication systems
π Integration with OAuth2/OIDCβ
The solution natively and optionally supports integration with OAuth2/OpenID Connect protocol, implemented 100% at the bastion layer.
How it works:β
- The bastion offers the OAuth2/OpenID login option directly in its access interface.
- The OAuth2 flow is handled by the bastion itself, which manages redirection, authorization, and token exchange.
- After successful login, the bastion associates the GovBR user with an internal identifier, through a configurable integration agent (adaptable by language or technology of the protected system).
- The user can then be directed straight to the system or go through the second factor step, according to the defined policy.
This feature allows legacy systems to offer federated authentication without any changes to their source code.
π Secure Logout Supportβ
The bastion also intercepts logout and ensures that all sessions and authentications associated with the second factor or GovBR login are properly invalidated, preventing unwanted authentication persistence.
π Advanced Security and GuardianKey Integrationβ
GuardianKey Auth Bastion Enterprise can be integrated with other GuardianKey platform solutions to enhance adaptive security:
- GuardianKey Auth Security: analyzes the risk of the authentication attempt (geolocation, IP, behavior, etc.) and allows conditional actions based on risk score.
- GuardianKey GKTinc Enterprise: automated attack deterrence mechanism, applying a cryptographic JavaScript challenge in the client's browser to prove human interaction.
Thus, the bastion not only controls authentication but also acts as an active defense component against automated and targeted attacks.