Two Factor Authentication

Two Factor Authentication (2FA) is an extra layer of security on top of the usual user name and password. When enabled, the user must also present a security token that is retrieved from, or generated by, the user's own hardware device or software.

Three types of 2FA are supported: Google Authenticator, Email and SMS.

  • Google Authenticator is a free app that you can install on your smart phone; it generates a new security code every 30 seconds. For a first time user, the application will display a QR code which the user must scan with their phone's camera to add the profile to their Google Authenticator app. The user can then use the security code generated by Google Authenticator for the first and subsequent logins. To install Google Authenticator or get more information about it, see Google Authenticator on Google Play, or Google Authenticator on App Store.

  • If 2FA with Email is enabled, an email containing a generated security code will be sent to the user's registered email address. The user can then use the security code to log in.

    Important: Make sure that you have configured your Email settings correctly so that emails can be sent.
  • If 2FA with SMS is enabled, an SMS message containing a generated security code will be sent to the user's mobile device for login.

    Important: You must have your own SMS provider to send SMS messages before you can use this feature.
    • If you have an AWS account, you can enable the AWSSNS extension (registered users only) to send SMS by AWSSNS.
    • If you have a third party SMS provider, you need to write your own SMS class in Server Events - Global Codes.

How to Use

To enable the feature, you need to enable the Two factor authentication checkbox and select the Two factor authentication type in User Login Option (see Security Settings -> User Login Options).

Note:
  • The Profile field (also under User Login Option) is required to store the user secret and backup codes so it must be enabled also.
  • The Email field (also under User Login Option) must be enabled if Two factor authentication type is set to Email.
  • The Mobile field (also under User Login Option) must be enabled if Two factor authentication type is set to SMS.

If Force two factor authentication is enabled, all users must login using 2FA.

If Force two factor authentication is not enabled, the user can opt in or opt out. After generation, an Enable two factor authentication button will be displayed in the user panel after the user logs in.

The user can then click the button to enable the two factor authentication login option.

If 2FA is enabled, a Disable two factor authentication button will be displayed in the user panel instead. The user can then click the button to disable the two factor authentication login option.

Login with 2FA

After 2FA is enabled, the user needs to enter the security code (either generated by the Google Authenticator app, or a One Time Password received via email or SMS) after logging in successfully with the user name and password.

Below is an example of a One Time Password received via SMS.

First time use with Google Authenticator

For first time use with Google Authenticator, a dialog box with a QR code will be displayed to prompt the user to scan the QR code using the Google Authenticator app.

The user can then scan the QR code to add the user profile to Google Authenticator. The user should enter the security code generated by Google Authenticator in the input box, then click the Verify button to proceed with the 2FA login.

Backup Codes

When 2FA is enabled, a set of backup codes will also be generated and saved in the user's Profile field. The backup codes are handy when the user has accidentally deleted his profile in the Google Authenticator, or uninstalled the app, or lost his mobile phone. In such cases the user can then use the backup codes as the 2FA security codes for login.

To retrieve the backup codes, after login, the user should click the Backup codes (2FA) button in the user panel.

The backup codes dialog box will appear:

The user can then click Copy to clipboard to copy the backup codes to the clipboard and save them elsewhere. Note: Each backup code can only be used once for login.

The user can also click the Get new codes button to get a set of new backup codes. After getting new codes, the old backup codes become invalid, so make sure you save the new backup codes.
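The two rules above, each code is single use and Get new codes invalidates the old set, follow naturally from how backup codes are stored. The following is an added example, not the product's own code: it generates a set of random codes, keeps only their hashes in a dictionary standing in for the user's Profile field (the JSON layout is an assumption), deletes a hash when its code is redeemed, and overwrites the whole set on regeneration.

```python
import hashlib
import hmac
import json
import secrets
from typing import List, Tuple

CODE_COUNT = 10
CODE_BYTES = 5   # 40 random bits per code -> 10 hex characters

def _digest(code: str) -> str:
    # Store hashes only, as for passwords: a leaked profile record cannot be replayed.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()

def generate_backup_codes(count: int = CODE_COUNT) -> Tuple[List[str], List[str]]:
    """Return (plaintext codes shown to the user once, hashes kept in the profile)."""
    codes = [secrets.token_hex(CODE_BYTES) for _ in range(count)]
    return codes, [_digest(c) for c in codes]

def save_new_codes(profile: dict, count: int = CODE_COUNT) -> List[str]:
    """'Get new codes': overwrite the stored set, so every old code stops working."""
    codes, hashes = generate_backup_codes(count)
    profile["backup_codes"] = hashes
    return codes

def redeem_backup_code(profile: dict, submitted: str) -> bool:
    """Accept a code only if its hash is still stored, then delete it (single use)."""
    digest = _digest(submitted)
    for h in profile.get("backup_codes", []):
        if hmac.compare_digest(h, digest):
            profile["backup_codes"].remove(h)
            return True
    return False

if __name__ == "__main__":
    profile = {}                      # stands in for the user's Profile field (assumed JSON)
    codes = save_new_codes(profile)
    print("show once:", codes)
    print(redeem_backup_code(profile, codes[0]), redeem_backup_code(profile, codes[0]))
    print(json.dumps(profile))        # what would be written back to the Profile field
```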

Reset User Secret (Two Factor Authentication)

To cater for cases when a user is unable to generate the 2FA security code (e.g. due to losing his mobile phone), you can enable the Reset user secret (two factor authentication) option in User Login Option (see Security Settings -> User Login Options).

The administrator can then log in and go to the list page of the user table to perform the reset for a certain user. After the reset, the user can log in again to set up Google Authenticator as described above.

 ©2002-2023 e.World Technology Ltd. All rights reserved.