Two factor authentication

The Security Console supports two factor authentication via time-based one-time password applications.

Compatibility

This two factor authentication feature is currently not compatible with Active Directory (LDAP) and Kerberos authentication methods.

Requirements

Two factor authentication requires the following:

  • You must be a Global Administrator to enable the feature
  • Individual users must have a time-based one-time password app, such as Google Authenticator

Enablement

The two factor authentication option must be enabled before use:

  1. In the left navigation menu in your Security Console, click the Administration tab.
  2. Under “Global and Console Settings”, click Administer.
  3. On the “Security Console Configuration” page, click the Authentication tab.
  4. Under “Two Factor Authentication”, check the corresponding box.
  5. A “Warning” window displays. Click Enable Two Factor Authentication when ready.
  6. Click Save to confirm the changes.

All your user accounts will now be required to provide an access code on login in addition to their credentials.

Token generation

Tokens are generated by individual users or the Global Administrator.

User-generated tokens

If you are a non-admin user that needs to complete your two factor authentication setup as mandated by your Global Administrator, follow these steps:

  1. Log in to the Security Console using your regular credentials.

TIP

If your Global Administrator enabled two factor authentication before you logged in, you will be prompted for an access code whether or not you have completed the setup yourself.

Leave this field blank for first-time logins.

  1. Open your username dropdown in the upper right corner of the screen.
  2. Click User preferences.
  3. On the General tab of the “User Configuration” page, click Generate New Token.
  4. Add a new account in your authentication app and use your token as the key.
  5. Click Save when finished.

For future logins, you will need to provide the access code shown in your authentication app in addition to your credentials in order to access the Security Console.

Admin-generated tokens and management

Global Administrators can generate tokens for individual users for their use and monitor their two factor authentication status. To generate a token for a user:

  1. In the left navigation menu in your Security Console, click the Administration tab.
  2. Under “Users”, click manage user accounts.
  3. The “Users” table will display. An additional column labeled “Two Factor Authentication Enabled” will be available if you have enabled the feature and will show values of “Yes” or “No” for each of your users depending on their status.
  4. Click the pencil icon in the “Edit” column next to the desired user account.
  5. On the General tab, click Generate New Token.
  6. Provide this token to your user so they can pair it with their authentication app.
  7. Click Save when finished.

If desired, users can change their token after logging in with an access code to complete the initial setup.

Disable noncompliant users

If you need to disable individual user accounts that have not yet completed the two factor authentication setup, you can do so from the “Users” table:

  1. Check the boxes of any noncompliant user accounts you want to disable.
  2. Click Disable Users.

This action can be reversed in the same fashion by clicking Enable Users for selected disabled accounts.