Introduction
Two-factor authentication provides enhanced security by requiring users to confirm their identity using multiple factors, typically a smartphone or email. In addition to user login credentials, users are required to provide a temporary passcode received from the authenticating service. It is recommended that you enable two-factor authentication.
To log in using two-factor authentication, a user account must have two-factor authentication enabled and activated using one of the following methods:
- FIDO U2F: Universal 2nd Factor (U2F) is an open authentication standard that enables internet users to securely access any number of online services with one single security key instantly and with no drivers or client software needed.
- YubiKey: YubiKey is a hardware authentication device manufactured by Yubico that supports one-time passwords, public-key encryption and authentication, and the U2F and FIDO2 protocols developed by the FIDO Alliance.
- TOTP: The Time-based One-Time Password (TOTP) algorithm is an extension of the HMAC-based One-time Password algorithm (HOTP) that generates a one-time password by taking its uniqueness from the current time instead of from a counter.
To enable two-factor authentication across a client, log in with administrator credentials.
To enable and activate two-factor authentication across all partner users, log in with partner administrator credentials.
Three unsuccessful two-factor authentication attempts redirect you to the login page.
Enable two-factor authentication
Depending on the authentication scope, use one of the following enablement procedures:
- Enable two-factor authentication for accounts
- Enable two-factor authentication for clients
- Enable two-factor authentication for users
Enable two-factor authentication for accounts
Enable two-factor authentication for an account from the My Profile page. When you are done, select from the available two-factor authentication methods the next time you log in.
- On the My Profile page, select Setup > Account Management > Partner Details.
- Navigate to the Account Information section.
- Click ON to enable two-factor authentication.
At any time, click OFF to disable the two-factor authentication.
Enabling two-factor authentication for an account does not enable two-factor authentication for clients.
Enable two-factor authentication for clients
Enabling two-factor authentication for a client automatically enables two-factor authentication for users in the organization.
- Select Setup > Accounts > Clients.
- In the CLIENTS dialog, select the desired client name.
- In the CLIENT DETAILS dialog, navigate to the Authentication Mechanism section.
- Click Enable to enable two-factor authentication. A checkmark confirms enablement.
To disable two-factor authentication for a client, click Disable in the Authentication Mechanism section for the client. If you are a partner administrator with two-factor enabled and activated, reauthentication is done before deactivating any user. This eliminates session hijacking and other security issues.
Enable two-factor authentication for users
A partner administrator can enable and activate two-factor authentication for users to provide high-level account security.
- Select Setup > Accounts > Users.
- In the USERS dialog, select one or more users.
- In the Actions drop-down menu, select Enable Two-Factor.
- Confirm the operation by clicking Yes. The Two-Factor column on the USERS page displays a checkmark.
After enabling the two-factor authentication for users, you can manually activate the two-factor key for those users using the Activate Key dialog. If you do not activate two-factor authentication for a user, they receive a prompt to activate two-factor authentication when they next log in.
Activate two-factor authentication
Following two-factor authentication enablement, you need to activate two-factor authentication.
Follow the applicable steps for the authentication mechanism selected for the user.
- Go to Setup > Accounts > Users and select a user. Two-factor authentication should indicate disabled or OFF.
- Toggle two-factor authentication to ON.
- Click Activate.
- In the Activate Two-Factor Authentication dialog, select the authenticator mechanism and follow the steps below.
Reauthentication is required after performing either of the following actions:
- Modifying the Partner Details page.
- Deactivating two-factor authentication.
FIDO U2F authenticator activation
FIDO U2F Universal 2nd Factor – U2F is an open authentication standard that enables internet users to securely access any number of online services, with one single device, instantly and with no drivers or client software needed.
- Select U2F-FIDO Universal 2nd Factor.
- Insert the FIDO U2F in the USB slot on the device.
- After the FIDO U2F starts blinking, touch the FIDO U2F.
The FIDO security key is now successfully activated.
YUBICO authenticator activation
YUBICO Authenticator – A YubiKey is a small hardware device that offers two-factor authentication with a simple touch of a button.
Select YUBICO Authenticator.
Insert the YubiKey.
Touch the YubiKey button. A 44-character, one-time password is generated:
TOTP authenticator activation
TOTP Authenticator – Time-based One-time Password Algorithm (TOTP) is an algorithm that computes a one-time password from a shared secret key and the current time.
Before activating a TOTP authenticator, install a third-party application that supports TOTP on your smartphone. The application generates login passcodes and can receive push notifications for one-tap authentication.
The following applications support TOTP:
- Google Authenticator
- Windows Authenticator
- DUO Authenticator
- Authy Authenticator
Select TOTP Authenticator.
Configure the account in your two-factor authentication application
Add your account by scanning the verification barcode.
Enter the 6-digit verification code generated by the authenticator application.
Deactivate two-factor authentication
After activating the two-factor authentication, the Activate Two-Factor Key option is displayed in the Actions drop-down menu.
Click Disable Two-Factor Key to disable two-factor authentication for a user.
If you are a partner administrator with two-factor authentication enabled and activated, your two-factor key is reauthenticated before deactivating and disabling any user. This prevents session hijacking and other threats.
Log in using two-factor authentication
If two-factor authentication is activated for your account, you are required to take the step of providing a passcode after entering your username and password.
On three failed attempts to enter the correct passcode, you are routed to the login page to reenter your username and password.
Log in using FIDO U2F
- Insert the FIDO U2F Security Key into the USB port on the device.
- Log in using your username and password credentials.
- After you log in, touch the flashing FIDO U2F Security Key.
Log in using YubiKey
- Insert the YubiKey into the USB port on the device.
- Log in using your username and password credentials.
- After you log in and the YubiKey login screen appears, touch the YubiKey button. A 44-character, one-time passcode is generated.
Log in using TOTP
TOTP login requires a smartphone.
- Log in using your username and password credentials.
- Enter the 6-digit verification code generated by the authenticator application. The code expires after 60 seconds, after which a new verification code is generated. Log in is successful.
Lost two-factor key
The administrator can use the following steps to find the owner of a lost two-factor key.
- Select Setup > Accounts > Look Up Two-Factor Key.
- Touch the YubiKey button to generate a 44-character, one-time password.
- Click Lookup User.
User details are displayed, including name and username.