Setting Up Google Authenticator

(Version 7+)

Provides Two Factor Authentication (2FA) using One Time Password (OTP) codes generated by the Google Authenticator App.

Steps

  1. Configure Google Authenticator Provider
    • Open an existing Policy
    • Once the policy is created, you will see a list of possible 2FA Providers.
    • Under the Two Factor Policy section, click Configure in the Google Authenticator row of the Configurations table.
    • Service Name: Enter anything you'd like. This will be seen in the application as the label for the Token Generator and will be seen by all Policy users.
    • Click the Enabled checkbox. The other checkboxes are optional; read their explanations for further details.
    • Click Save.
  2. Configure Two Factor settings
    • Status Required: Requires all users to authenticate with 2FA
      • Note: 2FA Required will prevent users subject to this Policy from logging in unless their accounts have been individually configured to use at least one TFA provider (e.g. Google Authenticator).
      • If users have already been locked out, see here.
    • Browser Remember Flag: Allows users to skip 2FA for secure browsers
    • Refer to Two Factor Authentication for additional details of the options.
  3. Attach the Policy to a User / Role
    • Attach to a Role:
      • Navigate to Users & Roles > Manage Policies.
      • Click Set Role Policy (in the Role Policies section).
      • In the popup that results (shown below), attach the Policy to a role of your choice and click Set policy.
    • Attach to a User
      • Navigate to "Users & Roles > Manage Users"
      • Either click Add New User, or click Edit in an existing user's "Actions" dropdown
      • Set the "Policy" field appropriately
      • Click Create or Save (as appropriate)
  4. Admin Configuration of a User's Secret
    • Navigate to Users & Roles > Manage Users
    • Click the name of either a user with the role from step 3 or the user from step 4.
    • In the Policy Information section you should see a 2FA table; click Configure in the Google Authenticator row.
    • Click Enable; you'll be taken back to the user's Details page.
    • Click Configure again, and keep the resulting page open.
  5. Use the App
    • Download the Google Authenticator app from the App Store (iOS) or Google Play (Android). BlackBerry users, see below.
    • Open the App and add an account (exactly how to do this depends on your device) using the "Scan barcode" method (rather than "Manual entry").
      1. (Android only) If prompted, download the suggested Barcode Scanner app and reopen Google Authenticator.
      2. The App will display the viewfinder of your device's camera overlaid with a large square or rectangular area.
      3. Position your device so that the barcode displayed on the page you left open in step 5.5 is completely contained within this area.
      4. The App will automatically generate an account and return you to the main window.
    • The resulting six-digit number - which regularly expires and is replaced by another - is the token users will enter when prompted during login (see below).
Currently Known Issue with iPhones:

With some iPhones, scanning the barcode produces an error like the following:

IMG_0817.PNG

If you face this error, write down the text from the section of your error message matching the red box shown above (i.e., after "=" and before "======").

Next, navigate to the main screen of the App and select "Manual Entry".

  • For "Account", enter anything you'd like (whatever you enter will be the in-app label for this token generator).
  • For "Key", enter the value you wrote down.
  • Confirm what you've entered (exactly how to do this depends on your device) to create the token generator.
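
To confirm that a manually entered key was copied correctly, the six-digit token can be recomputed independently and compared with what the App shows. The following is an added example, not part of the original page or the product's code. It assumes the key is a Base32 secret and that tokens follow RFC 6238 with the Google Authenticator defaults (HMAC-SHA1, 30-second step, six digits). The function names and sample keys are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample keys (not real secrets).
RFC_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # Base32 of the RFC 6238 test secret
PADDED_KEY = base64.b32encode(bytes(range(16))).decode()  # 16 bytes -> ends in "======"


def normalize_key(key: str) -> bytes:
    """Decode a hand-typed Base32 key: ignore spaces, dashes, case and '=' padding."""
    cleaned = key.replace(" ", "").replace("-", "").rstrip("=").upper()
    # b32decode needs a length that is a multiple of 8, so restore the padding.
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(key: str, at=None, step: int = 30, digits: int = 6) -> str:
    """Compute the RFC 6238 token (HMAC-SHA1) for the given Unix time."""
    secret = normalize_key(key)
    now = time.time() if at is None else at
    counter = max(0, int(now)) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def key_matches(key: str, shown_code: str, at=None, step: int = 30) -> bool:
    """True if shown_code is valid for key in the current or an adjacent time step."""
    now = time.time() if at is None else at
    return any(
        hmac.compare_digest(totp(key, now + drift * step, step), shown_code)
        for drift in (-1, 0, 1)
    )


if __name__ == "__main__":
    # The key with and without its trailing "======" yields the same token.
    print(totp(PADDED_KEY), totp(PADDED_KEY.rstrip("=")))
```

If `key_matches` returns False for the token currently shown in the App, the key was most likely mistyped or the device clock is off by more than one 30-second step.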
Choosing Your Two Factor Authenticator

Users with more than one 2FA Provider configured (whether directly or via their roles) will be prompted to choose one during login:

Two Factor Choices.PNG

Authenticating with BlackBerry 
  • BlackBerry 4.5-7.0: follow these instructions to get the official Google Authenticator app.
  • BlackBerry 10: no official app available. Some users have reported success with the third-party app 2 Steps Authenticator; another possibility is GAuth (we haven't tested either).