Two-Factor Authentication (2FA)

Introduction

Two-factor authentication (2FA), also known as multifactor authentication (MFA), adds an extra layer of security by requiring users to confirm their identity with a one-time code, typically delivered via SMS or email or generated by a TOTP (Time-Based One-Time Password) mobile app.

Before we dive into the details, it's important to clarify that the 2FA process is always provided by the system handling the authentication. If users are logging in with the standard Flexopus email and password process, Flexopus itself manages the 2FA. However, if you've configured an identity provider (IdP) for single sign-on (SSO), such as Microsoft, Google, or Okta, the 2FA process will be handled by that provider. In this case, you should configure the 2FA settings directly in your identity provider's admin dashboard.

If you are using Flexopus’s standard email and password-based login, you can enforce the use of TOTP-based 2FA for your users.


TOTP configuration

Users can install a two-factor authentication (2FA) application, such as Google Authenticator, Microsoft Authenticator, TOTP Authenticator, andOTP, FreeOTP, or FreeOTP+ on their private or business mobile devices. Flexopus can be secured with 2FA by registering one of these apps.

To set it up, the Flexopus server shares a secret with the user’s device, either by scanning a QR code with the mobile device or by manually entering the key that Flexopus displays during setup.

When the user logs into Flexopus, after entering their username and password, they are prompted to provide a one-time password (OTP) generated by the authentication app as the second step. This OTP is typically a 6-digit code that changes periodically.


Configuration manual

As an administrator in Flexopus, you can enable two-factor authentication by navigating to Dashboard > Settings > Authentication, and then scrolling down to the Two-factor authentication settings section.

2FA Settings

Here are the three possible settings for two-factor authentication (2FA):

  1. Individually
    Users can decide for themselves whether to configure 2FA. This is the default setting, allowing users to set up 2FA in their profile settings at their discretion.
  2. Every user
    All users are required to configure 2FA. If 2FA is not yet set up, Flexopus will prompt users to configure it with TOTP after their next login attempt, making it mandatory for everyone.
  3. Only Administrators
    Only administrative users with access to the dashboard must configure 2FA. Normal users can still decide individually whether to set it up.

💡 NOTE: The 2FA setup only applies to users who log in directly with the email and password authentication method. In the case of an externally connected single sign-on (SSO) service, 2FA should be provided by the external identity provider (IdP).

Reset 2FA for a user

If a user is unable to log in with 2FA and has not saved their recovery codes, an administrator can reset their 2FA configuration.

To do this:

  1. Log in to Flexopus as an administrator.
  2. Navigate to Dashboard > Users > All Users and select the affected user.
  3. Go to the Profile Settings tab and look for the Two-factor authentication option.
  4. Click the Turn off 2FA button to reset the 2FA settings for that user.

The user will then be able to set up 2FA again.