Two factor authentication
The Security Console supports two factor authentication via time-based one-time password applications.
Compatibility
This two factor authentication feature is currently not compatible with Active Directory (LDAP) and Kerberos authentication methods.
Requirements
Two factor authentication requires the following:
- You must be a Global Administrator to enable the feature
- Individual users must have a time-based one-time password app, such as Google Authenticator
Enablement
The two factor authentication option must be enabled before use:
- In the left navigation menu in your Security Console, click the Administration tab.
- Click Console > Authentication: 2FA and SSO.
- On the Security Console Configuration page, click the Authentication tab.
- Under Two Factor Authentication, check the corresponding box.
- A “Warning” window displays. Click Enable Two Factor Authentication when ready.
- Click Save to confirm the changes.
All your user accounts will now be required to provide an access code on login in addition to their credentials.
Token generation
Tokens are generated by individual users or the Global Administrator.
User-generated tokens
If you are a non-admin user that needs to complete your two factor authentication setup as mandated by your Global Administrator, follow these steps:
- Log in to the Security Console using your regular credentials.
TIP
If your Global Administrator enabled two factor authentication before you logged in, you will be prompted for an access code whether or not you have completed the setup yourself.
Leave this field blank for first-time logins.
- Open your username dropdown in the upper right corner of the screen.
- Click User preferences.
- On the General tab of the User Configuration page, click Generate New Token.
- Add a new account in your authentication app and use your token as the key.
- Click Save when finished.
For future logins, you will need to provide the access code shown in your authentication app in addition to your credentials in order to access the Security Console.
Admin-generated tokens and management
Global Administrators can generate tokens for individual users for their use and monitor their two factor authentication status. To generate a token for a user:
- In the left navigation menu in your Security Console, click the Administration tab.
- Click Console > Authentication: 2FA and SSO.
- An additional column labeled Two Factor Authentication Enabled will be available if you have enabled the feature and will show values of Yes or “No” for each of your users depending on their status.
- Click the edit icon in the Edit column next to the desired user account.
- On the General tab, click Generate New Token.
- Provide this token to your user so they can pair it with their authentication app.
- Click Save when finished.
If desired, users can change their token after logging in with an access code to complete the initial setup.
Disable noncompliant users
If you need to disable individual user accounts that have not yet completed the two factor authentication setup, you can do so from the Users table:
- Check the boxes of any noncompliant user accounts you want to disable.
- Click Disable Users.
This action can be reversed in the same fashion by clicking Enable Users for selected disabled accounts.