Two Factor Authentication

(Version 7+)

Two Factor Authentication is an extra layer of security in addition to your password.

Supported Providers

Each type of provider has special configuration requirements. Here is a list of Supported Providers with Configuration guides:

  • DUO Mobile *
  • Microsoft Authenticator *

    * OTP applications can all use the Google Authenticator Provider workflow

   ** Currently uses the RADIUS Provider workflow

Enabling Two Factor Authentication

  • Warning: Setting Two Factor Required will prevent users subject to this Policy from logging in unless their accounts can be self-enrolled or they have been individually configured to use at least one TFA provider (e.g. Google Authenticator).

  • If users have already been locked out, see here.

Two Factor Authentication (2FA or TFA) can be enabled for your users using these steps:

  1. Open an existing Policy (Note: the 2FA Providers will display once the Policy has been created)
  2. Configure a 2FA Provider, from the list below
  3. Enroll Users by:
    • Bulk Change: sets up all users with self-enrollment
    • User-By-User: sets up a single user from the User's Details page

Two Factor Policy Configuration

2FA configuration details are found on the Policy, in the Two Factor Policy section.

Status
  • Required: By setting the Two Factor as Required, Two Factor Authentication will be mandatory for all policy users. If the user has no Providers configured then they will not be able to log in.
    • It is recommended that Required is only used for policies where two factor configuration is entirely managed by the administrators.
    • Alternatively it may be turned on after users have been given sufficient notice and opportunity to configure and enable their two factor authentication.
  • Enabled: Configuring at least one Two Factor Provider will allow users with the policy to use two factor authentication during sign in.
    • If multiple providers are enabled then users may have an option regarding which two factor provider to use (depending on the user's configuration).
    • Each user must have at least one two factor provider configured and enabled for the two factor authentication step to appear for them.
  • Disabled: When none of the Two Factor configurations are enabled, the 2FA step is removed from the sign in process, even if users previously had Two Factor configured and enabled for themselves.
Browser Remember Flag
  • Enabling this will allow users to set a flag that bypasses the Two Factor requirement for their current browser.
    • Users will see a Remember this browser? check box, on first use of Two Factor Authentication.
    • Setting this value will disable the 2FA requirement for this user when using this same browser.
    • 2FA authentication (if enabled) will still be required if they sign in from a new browser
  • Disabling this prevents this option from being available to users, forcing 2FA on every sign in.

Users should only check this option when signing in from secure browsers.

Two Factor Providers

Note: The list of Two Factor Providers is displayed once the policy is created.

The following options are common to all two factor provider configurations.

Enabled

Each available Two Factor Authentication provider can be enabled or disabled on a per-policy basis. Some Two Factor Providers are easy for the user to configure and enable, making them good choices to enable for optional protection. Other Two Factor Providers must be configured and managed by an administrator. See the descriptions of each Provider to help you select which ones are right for your security needs.

User Can Disable Provider

In a policy where 2FA is optional, this option should be enabled. This will allow the user to enable or disable their preferred Two Factor Provider(s) on their account management page. For policies requiring mandatory (and often administration configured) 2FA, unchecking this option will prevent the user from disabling the Two Factor Provider.

Google Authenticator

Generates a new security code every 30 seconds. Uses the Google Authenticator app available for Apple and Android.

  • Once enabled in the policy, Google Authenticator can be enabled by the user and will display the QR code used to configure the Google Authenticator app.

See also: Setting Up Google Authenticator & User Enrollment

Service Name: This name appears in the Google Authenticator app when setting it up using the QR code provided on the user configuration page.

User Can Generate Code: Checking this option allows the user to reset the secret value if they choose. Unchecking this option will prevent the user from changing the secret themselves.

User Can Disable Provider: If this box is checked the user will be able to enable or disable two factor authentication on their account. If you wish to force users to use two factor authentication, leave this box unchecked.

User Can Self-Enroll in this Provider: If this box is checked and two factor authentication is required, users will be able to set up Google Authenticator on first sign in, if they have not already done so.

YubiKey

https://www.yubico.com/start/

The standard YubiKey two factor provider is designed to connect to either the YubiCloud authentication service or to some other YubiKey Verification Server (external to Password Server). By default, all YubiKeys are shipped ready to verify against the YubiCloud service.

User Can Configure Provider: Checking this option allows the user to configure the two factor provider with any valid YubiKey. A YubiKey One-Time Password (OTP) will need to be entered and verified by the configured verification server(s).

  • This option is useful in situations where YubiKey is enabled as an optional two factor authentication provider or when the administrator does not want to configure each user individually after providing YubiKeys.

User Can Disable Provider: If this box is checked the user will be able to enable or disable two factor authentication on their account. If you wish to force users to use two factor authentication, leave this box unchecked.

Client ID & API Key: These are used for communication with the YubiKey Cloud authentication service. You may obtain a Client ID and API key from Yubico's website (https://upgrade.yubico.com/getapikey/).

Server URLs

  • When hosting your own YubiKey verification servers, you must enter the URL(s) to use for verification. If no URLs are specified the verification will be done against the YubiKey Cloud service.

YubiKey Embedded Server

This specialized YubiKey two factor authentication provider allows you to use customized YubiKeys without connecting to an external service for verification.

This Two Factor Provider requires significantly more administration and cannot be configured by users directly.

To use this provider you must customize the YubiKey(s) using the YubiKey personalization software (https://www.yubico.com/products/services-software/personalization-tools/) with custom secret values. These values must then be entered into each user's configuration by an administrator.
