Two-factor authentication provides enhanced security by requiring users to confirm their identity using multiple factors, typically a smartphone or email. In addition to user login credentials, users are required to provide a temporary passcode received from the authenticating service. It is recommended that you enable two-factor authentication.
To log in using two-factor authentication, a user account must have two-factor authentication enabled and activated using one of the following methods:
- YubiKey: YubiKey is a hardware authentication device manufactured by Yubico that supports one-time passwords, public-key encryption and authentication, and the FIDO2 protocols developed by the FIDO Alliance.
- TOTP: The Time-based One-Time Password (TOTP) algorithm is an extension of the HMAC-based One-Time Password (HOTP) algorithm that derives each one-time password from the current time rather than from a counter.
- DUO: Duo two-factor authentication is a security service offered by Duo Security that adds a second layer of security to keep your account secure.
To enable two-factor authentication across a client, log in with administrator credentials.
To enable and activate two-factor authentication across all partner users, log in with partner administrator credentials.
Three unsuccessful two-factor authentication attempts redirect you to the login page.
Enable two-factor authentication
Depending on the authentication scope, use one of the following enablement procedures:
- Enable two-factor authentication for accounts
- Enable two-factor authentication for clients
- Enable two-factor authentication for users
Enable two-factor authentication for accounts
Enable two-factor authentication for an account from the My Profile page. When you are done, select from the available two-factor authentication methods the next time you log in.
- On the My Profile page, select Setup > Account Management > Partner Details.
- Navigate to the Account Information section.
- Click ON to enable two-factor authentication.
At any time, click OFF to disable the two-factor authentication.
Enabling two-factor authentication for an account does not enable two-factor authentication for clients.
Enable two-factor authentication for clients
Enabling two-factor authentication for a client automatically enables two-factor authentication for users in the organization.
- Select Setup > Accounts > Clients.
- In the CLIENTS dialog, select the client name.
- In the CLIENT DETAILS dialog, navigate to the Authentication Mechanism section.
- Click Enable to enable two-factor authentication. A check mark confirms enablement.
To disable two-factor authentication for a client, click Disable in the Authentication Mechanism section for the client. If you are a partner administrator with two-factor enabled and activated, reauthentication is done before deactivating any user. This eliminates session hijacking and other security issues.
Enable two-factor authentication for users
A partner administrator can enable and activate two-factor authentication for users to provide high-level account security.
- Select Setup > Accounts > Users.
- In the USERS dialog, select one or more users.
- In the Actions drop-down menu, select Enable Two-Factor.
- Confirm the operation by clicking Yes. The Two-Factor column on the USERS page displays a check mark.
After enabling two-factor authentication for users, you can manually activate the two-factor key for those users using the Activate Key dialog. If you do not activate two-factor authentication, the user receives a prompt to activate two-factor authentication when they next log in.
Activate two-factor authentication
After enabling two-factor authentication, you must activate it.
Follow the applicable steps for the authentication mechanism selected for the user.
- Go to Setup > Accounts > Users and select a user. Two-factor authentication should indicate disabled or OFF.
- Toggle two-factor authentication to ON.
- Click Activate.
- In the Activate Two-Factor Authentication dialog, select the authenticator mechanism and follow the steps below.
Reauthentication is required after performing one of the following actions:
- Modifying the Partner Details page.
- Deactivating two-factor authentication.
YUBICO authenticator activation
YUBICO Authenticator – A YubiKey is a small hardware device that offers two-factor authentication with a simple touch of a button.
Select YUBICO Authenticator.
Insert the YubiKey.
Touch the YubiKey button. A 44-character, one-time password is generated.
TOTP authenticator activation
TOTP Authenticator – Time-based One-time Password Algorithm (TOTP) is an algorithm that computes a one-time password from a shared secret key and the current time.
Before activating a TOTP authenticator, install a third-party application that supports TOTP on your smartphone. The application generates login passcodes and can receive push notifications for one-tap authentication.
The following applications support TOTP:
- Google Authenticator
- Windows Authenticator
- DUO Authenticator
- Authy Authenticator
Select TOTP Authenticator.
Configure the account in your two-factor authentication application.
Add your account by scanning the verification barcode.
Enter the 6-digit verification code generated by the authenticator application.
Deactivate two-factor authentication
After activating the two-factor authentication, the Activate Two-Factor Key option is displayed in the Actions drop-down menu.
Click Disable Two-Factor Key to disable two-factor authentication for a user.
If you are a partner administrator with two-factor authentication enabled and activated, your two-factor key is reauthenticated before deactivating and disabling any user. This prevents session hijacking and other threats.
Log in using two-factor authentication
If two-factor authentication is activated for your account, you must provide a passcode after entering your username and password.
On three failed attempts to enter the correct passcode, you are routed to the login page to reenter your username and password.
Log in using YubiKey
- Insert the YubiKey into the USB port on the device.
- Log in using your username and password credentials.
- After you log in, in the YubiKey login, touch the YubiKey button. A 44-character, one-time passcode is generated.
Log in using TOTP
TOTP login requires a smartphone.
- Log in using your username and password credentials.
- Enter the 6-digit verification code from the authenticator application. The code expires after 60 seconds, and a new verification code is then generated. Login is successful.
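The following Python example is added for illustration and is not the product's own code. It computes RFC 6238 TOTP codes from a shared secret and the current time, checks a submitted code against a small clock-drift window, rejects a replayed code, and returns to the login page after three failures; the 30-second step, the one-step window, the replay rule and all names are assumptions, and the secret is the RFC test key.

```python
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # constructed: RFC 4226/6238 test secret, not a real key
STEP = 30                          # assumption: RFC 6238 default time step, in seconds
MAX_FAILURES = 3                   # from the page: three failed passcodes

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret, at, step=STEP):
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, int(at) // step)

def matching_step(secret, code, at, step=STEP, window=1):
    """Return the time step whose code matches, or None; window absorbs clock drift."""
    if not (code.isascii() and code.isdigit()):
        return None
    now = int(at) // step
    found = None
    for counter in range(max(0, now - window), now + window + 1):
        # Constant-time comparison, and no early exit on a match.
        if hmac.compare_digest(hotp(secret, counter), code):
            found = counter
    return found

class PasscodePrompt:
    """Second-factor step of a login: rejects replays, gives up after MAX_FAILURES."""
    def __init__(self, secret, last_used_step=-1):
        self.secret, self.last_used_step, self.failures = secret, last_used_step, 0

    def submit(self, code, at):
        step = matching_step(self.secret, code, at)
        if step is not None and step > self.last_used_step:
            self.last_used_step = step  # a code is good for one login only
            return "authenticated"
        self.failures += 1
        return "login_page" if self.failures >= MAX_FAILURES else "retry"
```

In a real deployment `last_used_step` is stored per user so that a code observed during one login cannot be replayed in another session within the same window.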
Lost two-factor key
The administrator can use the following steps to find the owner of a lost two-factor key.
- Select Setup > Accounts > Look Up Two-Factor Key.
- Touch the YubiKey button to generate a 44-character, one-time password.
- Click Lookup User.
User details are displayed, including name and username.
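The following Python example is added for illustration and is not the product's own code. It shows why a single touch is enough to identify a key's owner: in the standard 44-character Yubico OTP layout, the first 12 modhex characters are a public ID that stays the same on every press, while the remaining 32 change each time. The directory, the sample passwords and all function names are constructed assumptions.

```python
MODHEX = "cbdefghijklnrtuv"  # Yubico's keyboard-layout-safe alphabet for hex digits 0-f
_TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")

def modhex_decode(text):
    """Decode a modhex string to bytes; reject anything outside the alphabet."""
    if len(text) % 2 or set(text) - set(MODHEX):
        raise ValueError("not a modhex string")
    return bytes.fromhex(text.translate(_TO_HEX))

def split_otp(otp):
    """Split a 44-character OTP into (public_id, encrypted_block)."""
    otp = otp.strip().lower()
    if len(otp) != 44:
        raise ValueError("expected a 44-character one-time password")
    # First 12 characters: public ID, identical on every press of the same key.
    # Last 32 characters: AES-128 encrypted block, different on every press.
    return modhex_decode(otp[:12]), modhex_decode(otp[12:])

def lookup_user(otp, directory):
    """Identify the key's owner. This identifies a key; it does not authenticate:
    a login must still have the encrypted block validated."""
    public_id, _ = split_otp(otp)
    return directory.get(public_id)

# Constructed sample data: not real keys or users.
DIRECTORY = {
    bytes.fromhex("00000092ffea"): {"name": "Example User", "username": "example.user"},
}
PRESS_1 = "cccccckdvvul" + "gjthkcvveeggflhjetkgklvhtrgkfgbu"
PRESS_2 = "cccccckdvvul" + "tnrhfbrjeuvkcdhikglbnjcfirutdhne"
```

Because the public ID is sent in the clear on every press, treat it as an identifier only and never as proof that the person holding the key is its registered owner.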