Difference between revisions of "Multi-Factor Authentication"

From SmartWiki
Jump to: navigation, search
Line 8: Line 8:
 
The '''Two-Factor Authentication '''function provides a second factor - this can be something that someone has (for example, an access card) or some unique property of that person (for example, a fingerprint, or a code sent to a personal mobile device). 
 
The '''Two-Factor Authentication '''function provides a second factor - this can be something that someone has (for example, an access card) or some unique property of that person (for example, a fingerprint, or a code sent to a personal mobile device). 
  
A user may lose an access card or get duped into sharing a password, but the odds of both happening are dramatically reduced. Using '''Two-Factor Authentication '''enhances an organization's ability to ensure that no one is using illegitimate means to gain access. 
+
A user may lose an access card or get duped into sharing a password, but the odds of both happening to a single user are dramatically reduced. Using '''Two-Factor Authentication '''therefore enhances an organization's ability to ensure that no one is using illegitimate means to gain access. 
  
 
'''Two-Factor Authentication '''is a required component of maintaining [[SmartSimple]]'s SOC2 security status. SmartSimple supports two different '''Two-Factor Authentication '''approaches: 
 
'''Two-Factor Authentication '''is a required component of maintaining [[SmartSimple]]'s SOC2 security status. SmartSimple supports two different '''Two-Factor Authentication '''approaches: 
Line 19: Line 19:
 
In order to configure '''Two-Factor Authentication, '''you will need to have the following: 
 
In order to configure '''Two-Factor Authentication, '''you will need to have the following: 
  
* [[Global User Administrator|System Administrator]] access - your [[User|user]] [[User Role|role]] in your [[SmartSimple]] [[instance]] must be '''System Administrator '''
+
* [[Global User Administrator|System Administrator]] access - your [[User|user]] [[User Role|role]] in your [[SmartSimple]] [[instance]] must be '''System Administrator.'''
 
* Access to a mobile device and the appropriate Google Authenticator application installed on the device - the app can be retrieved from Google Play, App Store, etc by searching for "Google Authenticator" in the application store. 
 
* Access to a mobile device and the appropriate Google Authenticator application installed on the device - the app can be retrieved from Google Play, App Store, etc by searching for "Google Authenticator" in the application store. 
  
 
==Configuring a Role to Use Two-Factor Authentication==
 
==Configuring a Role to Use Two-Factor Authentication==
 
'''Two-Factor Authentication '''is configured by [[User Role]]. For best practice, it is recommended to specifically create '''Two-Factor Authentication '''as a new role and adding it to the existing users. While '''Two-Factor Authentication '''can be added to an existing role, it is not recommended because it will become more complex to manage. <br />For roles that have this feature enabled, the use of '''Two-Factor Authentication '''becomes mandatory. This involves a drastic change in user experience, so SmartSimple recommends that this action be rolled out to users in small groups at the beginning of the process. 
 
'''Two-Factor Authentication '''is configured by [[User Role]]. For best practice, it is recommended to specifically create '''Two-Factor Authentication '''as a new role and adding it to the existing users. While '''Two-Factor Authentication '''can be added to an existing role, it is not recommended because it will become more complex to manage. <br />For roles that have this feature enabled, the use of '''Two-Factor Authentication '''becomes mandatory. This involves a drastic change in user experience, so SmartSimple recommends that this action be rolled out to users in small groups at the beginning of the process. 
 +
 +
The first step of the implementation process is to create this role in your [[SmartSimple]] [[instance]]. 
  
 
Follow the steps below in order to configure a user role to '''Two-Factor Authentication - '''
 
Follow the steps below in order to configure a user role to '''Two-Factor Authentication - '''
Line 30: Line 32:
  
 
:: {{Icon-Menu}} 
 
:: {{Icon-Menu}} 
 
 
2. Under the heading '''Configuration, '''select '''Roles and Security.'''
 
2. Under the heading '''Configuration, '''select '''Roles and Security.'''
  
 
:: [[File:2factor roles.png|220px|border]]
 
:: [[File:2factor roles.png|220px|border]]
 
 
3. Click on the first hyperlink labelled '''User Roles.'''
 
3. Click on the first hyperlink labelled '''User Roles.'''
  
 
The list of available [[User Role|user roles]] in your system will be displayed. 
 
The list of available [[User Role|user roles]] in your system will be displayed. 
 +
 +
4. Click on the '''+ icon '''on the top left in order to '''Create a New Role. '''
 +
 +
:: [[File:2factor create new user role.png|600px|border]] 
  
 
4. Click on the '''pencil icon '''next to the role for which you wish to add '''Two-Factor Authentication. '''
 
4. Click on the '''pencil icon '''next to the role for which you wish to add '''Two-Factor Authentication. '''
  
 
:: [[File:2factor pencil icon.png|30px|border]]. 
 
:: [[File:2factor pencil icon.png|30px|border]]. 
 
 
This will bring you to the '''Edit '''details for that role. 
 
This will bring you to the '''Edit '''details for that role. 
  
Line 48: Line 51:
  
 
:: [[File:2factor from edit role.png|500px|border]]
 
:: [[File:2factor from edit role.png|500px|border]]
 
 
By clicking into the drop-down, you have the ability to select from a number of different options: 
 
By clicking into the drop-down, you have the ability to select from a number of different options: 
  

Revision as of 10:58, 4 July 2019

Overview

When using Two-Factor Authentication, each new user can use the Google Authenticator app to obtain one-time passwords which are calculated from time and/or event-based algorithms. 

Most websites that a user can log into require a username and password, both "known" by the individual in order to log in. In short, this means that anyone who knows the correct username and password combination for a unique account can log into that account; thus, there is very little that can be done to identify that the individual logging is is actually the individual who owns the account. 

The Two-Factor Authentication function provides a second factor - this can be something that someone has (for example, an access card) or some unique property of that person (for example, a fingerprint, or a code sent to a personal mobile device). 

A user may lose an access card or get duped into sharing a password, but the odds of both happening to a single user are dramatically reduced. Using Two-Factor Authentication therefore enhances an organization's ability to ensure that no one is using illegitimate means to gain access. 

Two-Factor Authentication is a required component of maintaining SmartSimple's SOC2 security status. SmartSimple supports two different Two-Factor Authentication approaches: 

  • TOTP (Time-based One-Time Password) - this technique uses an authentication app that is installed on a mobile phone 
  • RSA Disconnected Token - this technique requires a physical device used to generate a one-time code 
This article deals specifically with the TOTP protocol. To learn more about the RSA Disconnected Token protocol and its related costs, please contact your account manager. 

Prerequisites

In order to configure Two-Factor Authentication, you will need to have the following: 

  • System Administrator access - your user role in your SmartSimple instance must be System Administrator.
  • Access to a mobile device and the appropriate Google Authenticator application installed on the device - the app can be retrieved from Google Play, App Store, etc by searching for "Google Authenticator" in the application store. 

Configuring a Role to Use Two-Factor Authentication

Two-Factor Authentication is configured by User Role. For best practice, it is recommended to specifically create Two-Factor Authentication as a new role and adding it to the existing users. While Two-Factor Authentication can be added to an existing role, it is not recommended because it will become more complex to manage. 
For roles that have this feature enabled, the use of Two-Factor Authentication becomes mandatory. This involves a drastic change in user experience, so SmartSimple recommends that this action be rolled out to users in small groups at the beginning of the process. 

The first step of the implementation process is to create this role in your SmartSimple instance

Follow the steps below in order to configure a user role to Two-Factor Authentication - 

1. Click on the 9-square menu icon on the top right of your page.

052919 MenuIcon.png 

2. Under the heading Configuration, select Roles and Security.

2factor roles.png

3. Click on the first hyperlink labelled User Roles.

The list of available user roles in your system will be displayed. 

4. Click on the + icon on the top left in order to Create a New Role. 

2factor create new user role.png 

4. Click on the pencil icon next to the role for which you wish to add Two-Factor Authentication. 

2factor pencil icon.png

This will bring you to the Edit details for that role. 

5. Under the General tab, scroll down until you see the Two-Factor Authentication field.

2factor from edit role.png

By clicking into the drop-down, you have the ability to select from a number of different options: 

  • None: There will be no two-factor authentication enabled for this user role. When someone with this user role tries to enter the system, they are able to successfully log in by inputting just their correct username and password combo.
  • Time-based One-time Password (TOTP): T

/


When the user receives the new password then they navigate to the activation screen.

If this is the first time the user has had a code generated then the screen should include a QR Code that can be scanned using Google Authenticator. The actual authentication code is also provided in case there are issues with the use of Google Authenticator.

EnableTwoFactor 3.png

If the user has an existing QA Code then the user can click a button to generate a new code and re-sync or can proceed to the login page.

Users will then be prompted to enter the one-time code after entering their user name and password.
EnableTwoFactor3.png

Notes

  • If both Single Sign-On and Two-Factor Authentication are in use, there is a Single Sign-On setting option that will control whether or not Two-Factor Authentication will be required when a user authenticates via SSO.

See Also