Setting Up Authenticator Apps

(Versions 7+)

Provides Two Factor Authentication (2FA) using One Time Password (OTP) codes generated by the Google Authenticator App.

Supported Authenticator Apps: 

  • Google Authenticator, Microsoft Authenticator, Authy, DUO mobile, etc.
  • See Supported Providers for more...


  • Warning: Be careful when setting Two Factor Required, as it could prevent users from logging in unless:
    • Their accounts can be self-enrolled, or,
    • they have been individually configured to use at least one 2FA provider (eg. Authenticator Apps).

  • If users have already been locked out, please Contact us!

Step 1: Configure the Provider

  • Open an existing Policy
  • Once the policy is created: you will see a list of possible 2FA Providers:2FA-Providers-List.png
  • Under Two Factor Policy section, click Configure in the Google Authenticator row of the Configurations table:Google-Authentication-Provider-Configuration.png
  • Service Name: Enter a service name. This will be seen in the application as the label for the Token Generator and will be seen by all Policy users
  • Click the Enabled checkbox: the other checkboxes are optional - read their explanations for further details.
  • Click Save.

Step 2: Configure Two-Factor Settings

  1. Status Required: Requires all users to authenticate with 2FA
    • Note: 2FA Required will prevent users subject to this Policy from logging in unless their accounts
    • have been individually configured to use at least one TFA provider (eg. Google Authenticator).
    • If users have already been locked out, please Contact us!
  2. Browser Remember Flag: Allows users skip 2FA for secure browsers
  3. Refer to Two Factor Authentication for additional details of the options (below):Two-Factor-Policy-Settings.png

Step 3: Set the Policy

  • Attach the Policy to a Role or User:
    • Attach to a Role:
      • Navigate to Users & Roles > Manage Policies.
      • Click Set Role Policy (in the Role Policies section).
      • In the popup that results (shown below), attach the Policy to a role of your choice and click Set policy.
    • Attach to a User
      • Navigate to "Users & Roles > Manage Users"
      • Either click Add New User, or click Edit in an existing user's "Actions" dropdown
      • Set the "Policy" field appropriately
      • Click Create or Save (as appropriate)

Step 4: (Optional) Configure a User's Secret

  • It is best to let the user configure their own secret, however, admins can also set as necessary.
  • Navigate to Users & Roles > Manage Users
    • Click the name of either a user with the role from step 3 or the user from step 4.
    • In the Policy Information section you should see a 2FA table; click Configure in the Google Authenticator row.
    • Click Enable; you'll be taken back to the user's Details page.
    • Click Configure again, and keep the resulting page open.
    • (Optionally) Save the secret in a secure location, and/or forward this info to the user.

Step 5: Double-Check Server Time Synchronization

  • The Authenticator application protocol is time-based.
  • If the time on any of these are out-of-sync (even by 20-25 seconds), the user may not be able to authenticate: 
  • Check:
    • The Server time
    • The user Device time
    • The Authenticator app time (Android)
  • more info: Google Authenticator help
  • This has been the only authentication issue for users of Authenticator apps, which rejects valid tokens.

Step 6: Use the App

Choosing Your Two Factor Authenticator

Users with more than one 2FA Provider configured (whether directly or via their roles) will be prompted to choose one during login:

Two Factor Choices.PNG

Tag page
You must login to post a comment.