Smartstaff
2,103
edits
Changes
m
→Time-Based One-Time Password (TOTP) Implementation
==Time-Based One-Time Password (TOTP) Implementation==
===Enforce TOTP Multi-Factor Authentication for Particular Roles===
:# In your SmartSimple instance (logged in as Global Admin), go to''' Menu Icon''' > '''Global Settings'''.<br /> [[File:GlobalSettings5.png|thumb|none|800px| '''Global Settings''' link under the main menu]]
:# Go to the Security tab > '''Password and Activation Policies > '''Under “Authentication Options”, toggle on '''Enable Multi-Factor Authentication (MFA)'''.
:# In the setting '''Roles with Time-Based One-Time Password (TOTP),''' include the roles that you want to enable multi-factor authentication for.
When logging into the system for the first time after TOTP has been activated on the user's role, the user must first follow these steps:
:# If user has TOTP enabled on their account, they will be presented with the following screen the next time they log in: <br /> [[File:MFASetupTOTP.png|thumb|none|800px|TOTP Setup Page.setup page with instructions]]
:# Follow the instructions listed on the screen. Start by installing an authenticator app on your mobile device.
:# On your mobile device, open the authenticator app and select the option to add a new device or scan a QR code. Each app will have different actions. <br /> [[File:ScanQR.jpg|thumb|none|800px| Interface for Google Authenticator]]:# The app may prompt you for a QR code or a setup key. Back on your SmartSimple login MFA setup page, click the button labeled Clicking the button '''Show TOTP Key and QR Code'''. This will reveal the QR and secret key used with an authentication app. <br /> [[File:QRandSecretCodeScreen.png|thumb|none|800px|'''TOTP QR Code''' and '''TTOTP Secret Code Screen.Key''' revealed]]
:# Use the mobile app to scan the QR code or manually enter the secret key into the app. Once complete, a new device will be added to your list in the app.
:# The mobile app will generate a time-based verification code. Enter this code into the field labelled '''Enter Verification Code''' on the setup page.
===Determining Which Roles Can Reset TOTP===
:# In your SmartSimple instance (logged in as a '''Global Administrator''') in the '''Main Menu''', select '''Global Settings'''.<br /> [[File:GlobalSettings5.png|thumb|none|800px| The '''Global Settings''' link under the main menu]]
:# Navigate to the '''Users''' tab and click '''Roles'''.
:# '''Edit''' the role that you would like to grant the ability to reset TOTP on behalf of other users. For security best practice, this role should be an internal role only.
