M4 two factor authentication

From Kolmisoft Wiki

Description

Two-factor authentication (2FA) improves security by requiring an additional method (factor) of authentication. M4 supports two methods of two-factor authentication:

  • Sending verification code over email
  • Authenticator App, using time-based one-time password (TOTP)

Examples of apps that support the TOTP protocol:

  • Google Authenticator
  • Microsoft Authenticator
  • LastPass Authenticator


Configuration

Globally enabling 2FA

Before 2FA can be configured, it must first be globally enabled in the MAINTENANCE -> Settings -> Security section.


2FAM4globalsettings.png

Email must also be globally enabled before this setting can be turned on.

Enabling for Users

Once 2FA is globally enabled, the Admin can enable or disable 2FA for specific Users on the User's Details page.


2FAuserfromadmin.png

Configuration from User's Account

If 2FA is enabled by the Admin for a User, that User can configure 2FA from the Personal details page:


2FAM4userpersonaldetails.png


2FAM4userpersonaldetailspage.png

When 2FA is enabled for the User, the method is set to Email by default. In this case no additional configuration is needed.

To enable 2FA with the Authenticator app, the User has to take these steps:

  • Set the Authentication method to: Authenticator app
  • Press the UPDATE button
  • A new window appears where the User can scan the QR code or enter the key manually.



2FAM4appauthentication.png

  • Open the Authenticator App (Google Authenticator, Microsoft Authenticator, etc.) and scan the QR code. If you are unable to scan the QR code, enter the key manually in the App.
  • The account is added to your Authenticator App, and the App generates the code that must be entered into the Code section.
  • Click the Submit button to verify the operation.

If the operation is successful, Authenticator App 2FA is enabled and the User must enter the code from the App (this code changes every few seconds) on every login.

If the verification operation fails for some reason (the User is unable to add the key to the app, closes the browser window, etc.), the User will be authenticated using Email 2FA on the next login.

Configuration for System Admin

Configuration is the same as for regular Users and is available from the Personal Menu under the Admin account.

2FAM4adminconfig.png

The only difference is that the Admin can disable or enable 2FA for his own account, while a regular User can only change the 2FA type, and only if the Admin has enabled 2FA for that User account.