Difference between revisions of "Multi-Factor Authentication"
Eric Lauer (talk | contribs) |
Eric Lauer (talk | contribs) |
Line 9: | Line 9: | ||
* '''Time-based One-Time Password (TOTP)''' via an authenticator app. | * '''Time-based One-Time Password (TOTP)''' via an authenticator app. | ||
− | : ''' | + | : '''IMPORTANT''': <span style="color: #ff0000;">'''YOU MUST'''</span> setup your authenticator app and link to your user account '''BEFORE''' enabling this type of MFA. Additional steps are required. Please see below for details. |
* '''Single Use Verification Code '''sent by either Email or SMS. | * '''Single Use Verification Code '''sent by either Email or SMS. | ||
+ | |||
+ | :: No additional configuration steps required for this type of MFA. | ||
+ | : | ||
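Review bot: The two added notes use different indentation. The TOTP note is added as `: '''IMPORTANT''': ...` while the verification-code note is added as `:: No additional configuration steps ...`, followed by a bare `:` line. Use one indent level for both notes and drop the empty `:` line so the two bullets render consistently. In the same added line, "setup" is the noun; the instruction should read "set up your authenticator app and link it to your user account". The inline `<span style="color: #ff0000;">` would be easier to maintain as a shared warning template, if the wiki has one.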
Line 16: | Line 19: | ||
All settings related to multi-factor authentication are in a single location | All settings related to multi-factor authentication are in a single location | ||
− | # Navigate to '''Global Settings''' > '''Security''' > '''Password and Activation Policies''' | + | :# Navigate to '''Global Settings''' > '''Security''' > '''Password and Activation Policies''' |
− | # Scroll to''' Authentication Options''' and toggle on '''Enable Multi-Factor Authentication''' | + | :# Scroll to''' Authentication Options''' and toggle on '''Enable Multi-Factor Authentication''' |
− | # Specify the roles that require authentication via TOTP and/or Verification Code | + | :# Specify the roles that require authentication via TOTP and/or Verification Code |
− | |||
'''<u>NOTE:</u>''' If new roles are added to the system, the MFA configuration must also be updated | '''<u>NOTE:</u>''' If new roles are added to the system, the MFA configuration must also be updated | ||
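Review bot: The second re-indented step still reads `Scroll to''' Authentication Options'''`, with the space inside the bold markup; since the line is being touched, move it outside (`Scroll to '''Authentication Options'''`). The toggle is also named '''Enable Multi-Factor Authentication''' here but '''Enable Multi-Factor Authentication (MFA)''' in the TOTP steps further down; use one label so readers can match it to the UI.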
Line 30: | Line 32: | ||
==='''NOTE:''' When enabling MFA for use with TOTP all existing users in roles that will have 2-Factor enabled must first scan their code into an authenticator app.=== | ==='''NOTE:''' When enabling MFA for use with TOTP all existing users in roles that will have 2-Factor enabled must first scan their code into an authenticator app.=== | ||
− | + | :# Select the User menu from the top right. | |
− | # Select the User menu from the top right. | + | :# Select the link titled '''Personal Settings''' from the user menu. <br /> [[Image:PersonalSettingsUserMenu.png|200px]] |
− | # Select the link titled '''Personal Settings''' from the user menu. <br /> [[Image:PersonalSettingsUserMenu.png|200px]] | + | :# Select the Security tab in the following modal window. <br /> [[Image:MFAQR.png|500px]] |
− | # Select the Security tab in the following modal window. <br /> [[Image:MFAQR.png|500px]] | + | :# Open your Authenticator app on your mobile device. If one is not yet installed on your device, download “Authenticator” from your mobile device’s app store. |
− | # Open your Authenticator app on your mobile device. If one is not yet installed on your device, download “Authenticator” from your mobile device’s app store. | + | :# On your mobile device, in the Authenticator App, select “Add new device” or similar. Then “Scan QR Code” or similar. <br /> [[Image:ScanQR.jpg|500px]] |
− | # On your mobile device, in the Authenticator App, select “Add new device” or similar. Then “Scan QR Code” or similar. <br /> [[Image:ScanQR.jpg|500px]] | + | :# Scan the QR code “TOTP QR Code” from within the app on your mobile device. |
− | # Scan the QR code “TOTP QR Code” from within the app on your mobile device. | + | :# A new device should be added to your list. Note that, alternatively, you can also use the “TOTP Secret Key” as opposed to the QR code. |
− | # A new device should be added to your list. Note that, alternatively, you can also use the “TOTP Secret Key” as opposed to the QR code. | + | :# In your SmartSimple instance, in the '''Configuration Menu''' (9-Square Grid Icon), select '''Global Settings'''.<br /> [[Image:GlobalSettings5.png|250px]] |
− | # In your SmartSimple instance, in the '''Configuration Menu''' (9-Square Grid Icon), select '''Global Settings'''.<br /> [[Image:GlobalSettings5.png|250px]] | + | :# Select the '''Security''' Tab from the Global Settings. |
− | # Select the '''Security''' Tab from the Global Settings. | + | :# Click '''Password and Activation Policies'''. |
− | # Click '''Password and Activation Policies'''. | + | :# Under “Authentication Options”, toggle on '''Enable Multi-Factor Authentication (MFA)'''. |
− | # Under “Authentication Options”, toggle on '''Enable Multi-Factor Authentication (MFA)'''. | + | :# In the setting '''Roles with Time-Based One-Time Password (TOTP)''' include the roles that you will be adding 2-Factor Authentication for. Note that the existing users in these roles must first scan the QR Code on their mobile device before this setting should be toggled on. |
− | # In the setting '''Roles with Time-Based One-Time Password (TOTP)''' include the roles that you will be adding 2-Factor Authentication for. Note that the existing users in these roles must first scan the QR Code on their mobile device before this setting should be toggled on. | + | :# Toggle on '''Enable Trusted Device''' if you would like users to be able to bypass entering a code for a time period after the code has been successfully entered. If enabled, also enter the time period that the 2-Factor Authentication will be bypassed for trusted users. |
− | # Toggle on '''Enable Trusted Device''' if you would like users to be able to bypass entering a code for a time period after the code has been successfully entered. If enabled, also enter the time period that the 2-Factor Authentication will be bypassed for trusted users. | + | :# Scroll to the bottom of the page and click '''Save'''. |
− | # Scroll to the bottom of the page and click '''Save'''. | + | :# To test your MFA, log out of your account, and then log back in. You should now see a page following login called “Multi-Factor Authentication.” Enter the password in the Authenticator app here, and access will be granted into the system. <br /> [[Image:MFAScreen.png|500px]] |
− | # To test your MFA, log out of your account, and then log back in. You should now see a page following login called “Multi-Factor Authentication.” Enter the password in the Authenticator app here, and access will be granted into the system. <br /> [[Image:MFAScreen.png|500px]] | ||
− | |||
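Review bot: The final re-indented step says "Enter the password in the Authenticator app here", which reads as if the user types something into the app; reword it so that the code shown by the authenticator app is entered on the "Multi-Factor Authentication" page. The Trusted Device step says the check is "bypassed for trusted users" although the setting is '''Enable Trusted Device'''; use "trusted devices" in both places. The per-user enrollment steps and the administrator steps under '''Global Settings''' also run together in one numbered list; a sentence or sub-heading between them would make the required order (enroll first, enable second) explicit.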
Line 96: | Line 96: | ||
=See Also= | =See Also= | ||
− | * [[User Role]]s | + | :* [[User Role]]s |
− | |||
[[Category:Security]] | [[Category:Security]] |
Revision as of 10:35, 16 November 2022
Overview
Multi-Factor Authentication is a method of authentication in which a user is granted access to your SmartSimple Cloud system only after successfully presenting two or more pieces of evidence to an authentication mechanism.
The security impact of Multi-Factor Authentication (MFA) is that while a user may lose an access card or get tricked into sharing a password, the odds of both happening to a single user are dramatically reduced. Using MFA therefore enhances an organization's ability to ensure that no one is using illegitimate means to gain access.
SmartSimple Cloud supports two different approaches to Multi-Factor Authentication:
- Time-based One-Time Password (TOTP) via an authenticator app.
- IMPORTANT: YOU MUST set up your authenticator app and link it to your user account BEFORE enabling this type of MFA. Additional steps are required. Please see below for details.
- Single Use Verification Code sent by either Email or SMS.
- No additional configuration steps required for this type of MFA.
Configuration
All settings related to multi-factor authentication are in a single location:
- Navigate to Global Settings > Security > Password and Activation Policies
- Scroll to Authentication Options and toggle on Enable Multi-Factor Authentication
- Specify the roles that require authentication via TOTP and/or Verification Code
NOTE: If new roles are added to the system, the MFA configuration must also be updated
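A pre-enablement check for the two cautions above (enroll in TOTP before the setting is enabled, and revisit the MFA role lists whenever roles are added). This is an added example, not SmartSimple code: the user export, field names and role names are constructed, and it assumes any user holding a TOTP role needs an enrolled authenticator.

```python
# Constructed sample data standing in for a user export and the planned
# MFA role settings. Field and role names are hypothetical.
USERS = [
    {"login": "alice", "roles": {"Grants Manager"}, "totp_enrolled": True},
    {"login": "bob", "roles": {"Grants Manager", "Reviewer"}, "totp_enrolled": False},
    {"login": "carol", "roles": {"Reviewer"}, "totp_enrolled": False},
    {"login": "dave", "roles": {"Auditor"}, "totp_enrolled": False},
]
ALL_ROLES = {"Grants Manager", "Reviewer", "Auditor"}
TOTP_ROLES = {"Grants Manager"}   # planned "Roles with TOTP"
CODE_ROLES = {"Reviewer"}         # planned "Roles with Verification Code"


def preflight(users, all_roles, totp_roles, code_roles):
    """Return the findings to resolve before MFA is toggled on."""
    mfa_roles = totp_roles | code_roles
    return {
        # Typos or deleted roles in the planned settings.
        "unknown_roles": sorted(mfa_roles - all_roles),
        # Roles that exist but appear in neither MFA list, for example
        # roles created after MFA was first configured.
        "uncovered_roles": sorted(all_roles - mfa_roles),
        # Users who would face a TOTP prompt without having scanned a code.
        "not_enrolled": sorted(
            u["login"] for u in users
            if u["roles"] & totp_roles and not u["totp_enrolled"]
        ),
        # Users whose roles leave them with no second factor at all.
        "users_without_mfa": sorted(
            u["login"] for u in users if not (u["roles"] & mfa_roles)
        ),
    }


if __name__ == "__main__":
    for finding, items in preflight(USERS, ALL_ROLES, TOTP_ROLES, CODE_ROLES).items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```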
NOTE: When enabling MFA for use with TOTP, all existing users in roles that will have 2-Factor enabled must first scan their code into an authenticator app.
- Select the User menu from the top right.
- Select the link titled Personal Settings from the user menu.
- Select the Security tab in the following modal window.
- Open your Authenticator app on your mobile device. If one is not yet installed on your device, download “Authenticator” from your mobile device’s app store.
- On your mobile device, in the Authenticator App, select “Add new device” or similar, then “Scan QR Code” or similar.
- Scan the QR code “TOTP QR Code” from within the app on your mobile device.
- A new device should be added to your list. Note that, alternatively, you can also use the “TOTP Secret Key” as opposed to the QR code.
- In your SmartSimple instance, in the Configuration Menu (9-Square Grid Icon), select Global Settings.
- Select the Security Tab from the Global Settings.
- Click Password and Activation Policies.
- Under “Authentication Options”, toggle on Enable Multi-Factor Authentication (MFA).
- In the setting Roles with Time-Based One-Time Password (TOTP) include the roles that you will be adding 2-Factor Authentication for. Note that the existing users in these roles must first scan the QR Code on their mobile device before this setting should be toggled on.
- Toggle on Enable Trusted Device if you would like users to be able to bypass entering a code for a time period after the code has been successfully entered. If enabled, also enter the time period that the 2-Factor Authentication will be bypassed for trusted users.
- Scroll to the bottom of the page and click Save.
- To test your MFA, log out of your account, and then log back in. You should now see a page following login called “Multi-Factor Authentication.” Enter the one-time password shown in the Authenticator app here, and access will be granted into the system.
Settings Explained
| Setting | Description |
|---|---|
| Enable Multi-Factor Authentication | Enables MFA for the entire instance but does not have any impact unless user roles are specified. |
| Roles with Time-based One-time Password (TOTP) | Associates one or more roles with authentication proven through an authenticator app such as Google or Microsoft Authenticator. |
| Roles with Verification Code via SMS or Email | Associates one or more roles with authentication proved through either email or an SMS message. The user can choose at the point of verification to receive an email containing the one-time code or an SMS message containing the one-time code. SMS must be enabled by SmartSimple and will incur an additional cost. Please speak to your account manager for more information. |
| Enable Trusted Device | This option is used to enable the trusted device feature. If this option is selected then every user (via their role) associated with MFA will not be prompted every time they attempt to log into the system. |
| Trusted Device Expiry | Sets the frequency of the MFA prompt, based on the number of days specified. If the number is set to one, the user will be prompted every day for an MFA verification code, if set to five then the user will be prompted every five days. |