Two-factor Authentication in Produce and Manage

Two-factor authentication (2FA) adds additional security to an account in the event that someone else gets/guesses your password. An additional code is created via an app (such as Google Authenticator) on your device that lasts for 30 seconds. The server also generates the same code and only if you enter the same value at the correct time will you be allowed access.

Main Configuration through Produce

Only the current user can turn on 2FA for themselves because it requires them to have a secret key entered into an app that will generate codes.

Go to the Profile menu and then click the link to Enable Two-Factor Authentication.

A screen will appear that displays the secret key which can be manually entered into the authenticator app or the QR code can be scanned.

Now the code is entered in the app. This ensures that the set up of the verification app is correct before the feature is enabled. Otherwise, a subsequent login might not be possible. When the code has been entered, correctly click the Turn On button.

If the feature has been enabled, the Two-Factor Authentication link on the Profile page turns into a Disable link.

📘

Note:

Because it is a time-based code, it is important that the server and device have fairly accurate system clocks.

The next time a login to Manage or Produce is attempted, there will be a verification code prompt. The code that appears on the authenticator app will be needed to log in. There is also a "Remember this browser?" checkbox that will remember if the two-factor authentication on this browser has been previously passed and will not prompt again for 90 days.

Additional Maintenance Option

When editing a user, there is a new checkbox on their account indicating whether they have two-factor authentication enabled. It will be checked and enabled if they do have it on, and unchecked and disabled if they have it off.

An admin cannot turn on 2FA for another user because they need to get the secret key setup on their device first. However, the admin can disable the feature for a user. For example, the user lost their phone.

Enforce Two Factor Authentication

It is possible to enforce 2FA by selecting it on a Role. Users that belong to this role, or a group that has this role, will be prompted to setup 2FA when they next login. Instructions will appear on the screen for the user to follow. If the user does not immediately activate 2FA, they will be prompted on their next attempt. The user will not be able to login without setting up 2FA.