Introduction
Two-factor authentication (TFA) is an extra layer of security that completes authentication only with a combination of two different factors: something the user knows (username and password) and something they have (for example, a smartphone) or something they are (for example, a fingerprint).
There are two possible TFA strategies: Short Message Service (SMS) and Time-based One-Time Password (TOTP). Only one of them can be active at a time.
To check whether TFA is enabled for a certain user, go to the Users page and look at the TFA status column to the right of the password strength column. A key icon indicates that TFA is enabled; hovering over it shows the strategy that is being used.
SMS
To enable SMS-based TFA for a specific user
- In the Administration application, navigate to Accounts > Users and select a user in the Users page.
- Select the checkbox next to Two-factor authentication.
- Click Save.
TOTP
To set up TOTP
Unlike the SMS strategy, TOTP must be set up by each user. By opening User settings in the top right corner and then clicking Set up two-factor authentication, they can start the setup process.
If TFA is enabled, the user is presented with a QR code at login, which must be scanned with the previously installed TOTP mobile application.
Alternatively, the secret can also be entered manually in case scanning the QR code is not an option.
After this process, the mobile application generates a new code every 30 seconds that can be used to complete the authentication process.
To revoke the secret
If a user loses access to the TFA code, for example, if a user loses the phone or uninstalls the application, and needs to set it up again, the secret must be revoked. TOTP must be set up by each user individually.
Users cannot revoke their own TOTP secret. The secret of a user can only be revoked by their respective parent user. See Managing user hierarchies for detailed information on user hierarchies.
ROLES & PERMISSIONS:
- To revoke a secret: ADMIN or CREATE permission for permission type “User management”
- In the Administration application, navigate to Accounts > Users and select a user in the Users page.
- Scroll down to Login options.
- Click Revoke TOTP secret.
- Confirm by clicking Revoke.
To disable TOTP for a user
If a user wants to turn off the use of TOTP (and thus TFA) completely, the secret must be revoked and TOTP enforcement must be disabled. TOTP must be set up by each user individually.
ROLES & PERMISSIONS:
- To revoke a secret: ADMIN or CREATE permission for permission type “User management”
- To disable TOTP enforcement: ADMIN permission for permission type “User management”
To disable TOTP for a user follow these steps:
- In the Administration application, navigate to Accounts > Users and select the user in the Users page.
- Scroll down to Login options.
- Clear the Enforce TOTP for the user checkbox.
- Click Revoke TOTP secret.
- Confirm by clicking Revoke.
- Click Save to save your changes.