

Two-Factor Authentication (2FA)

Introduction

Two-factor authentication (2FA), often also called multifactor authentication (MFA), is a second authentication step that requires users to confirm their identity with a PIN, usually sent by SMS or email, or generated by a TOTP mobile application.

Before going into more detail, we need to clarify that the 2FA process must always be provided by the system that performs the authentication. This is Flexopus when users sign in with the standard Flexopus email and password login. However, if you have configured an identity provider (IdP) for single sign-on (SSO), the 2FA process is provided by the identity provider, such as Microsoft, Google, Okta etc. If you use SSO, configure the 2FA settings directly in the admin dashboard of your identity provider.

If you use the standard Flexopus email and password based login, you can require users to use TOTP-based 2FA.


TOTP configuration

Users can install an authenticator application (such as Google Authenticator, Microsoft Authenticator, TOTP Authenticator, andOTP, FreeOTP, FreeOTP+) on their private or business mobile devices. Flexopus can be protected with two-factor authentication by registering it in one of the mentioned applications. To do this, the Flexopus server and the end device exchange a secret or token, either by scanning a QR code with the mobile device or by manually typing in a corresponding string displayed by the security server.

When the user then wants to use Flexopus, they are prompted, after entering their username and password, to enter a one-time password generated by the app as a second factor for authentication. This is typically a 6-digit code.


Configuration manual

Navigate as an administrator in Flexopus to Dashboard > Settings > Authentication and scroll down to the Two-factor authentication settings.

2FA Settings

Here, you can find three possible settings:

Individually
Users can individually decide for themselves whether they want to configure 2FA or not. This is the standard setting. The users can configure the 2FA in their profile settings individually.

Every user
All users are required to configure 2FA. If 2FA is not configured yet, Flexopus will ask the user to configure 2FA with TOTP after the next login attempt. This is then mandatory for all users.

Only Administrators
Only the administrative users with access to the dashboard have to configure 2FA. Normal users can decide individually.

NOTE: The 2FA setup only applies to users who log in directly with the email and password authentication method. In the case of an externally connected single sign-on (SSO) service, the 2FA should be provided by the external identity provider (IdP).

Reset 2FA for a user

If a user can no longer log in with 2FA and has not saved the recovery codes, an administrator can reset the 2FA configuration of the respective user. 

Log in to Flexopus as an administrator and go to the Dashboard > Users > All Users and select the affected user. Select the Profile Settings tab and look for the setting option Two-factor authentication. Here you can reset the 2FA settings of the respective user with the Turn off 2FA button. The user can then set up 2FA again.
