We often receive support requests asking how to enable Two-Factor Authentication (2FA) in addition to AD Authentication. This is a straightforward process, and the 2FA options can be used with Single-Sign-On (SSO), Manual AD Authentication and even with Local Passwordstate Accounts.
Background
There are a couple of approaches that can be used to set this up. For the examples in this week’s blog I’m going to be using the Google Authenticator App on an iPhone and a Local Passwordstate Account. These examples will work equally well with AD Accounts, the only difference being the required Authentication Option under Administration->System Settings->authentication options->Choose Authentication Option.
I normally choose SSO (Passthrough AD Authentication) for the System Wide Authentication setting, as I quickly jump in and out of my Passwordstate Sandpit environment. For the purpose of doing this blog I’ve dropped back to Manual AD Authentication as I’m logging into Passwordstate with 2 accounts from the same computer.
Create a User Account Policy for 2FA with Google Authentication
Using a User Account Policy is a great way to both test the 2FA configuration as well as making it easier to rollout across your intended users.
Navigate to Administration->User Account Policies and click Add to create a new Policy. Give the policy a name and description and select the Authentication method you want to assign at setting A6. In the example below I’ve used Manual AD and Google Authenticator. Then click Save at the bottom of the page,

Apply the User Account Policy to Users
Next, you’ll need to apply the newly created User Account Policy to Users. Click the Action button next to the Policy Name and select Apply Policy to Users,

Now select the users you want to apply this User Account Policy to. In the example below I’m using a single account for testing purposes. Once you’re happy it’s working you can go back in and apply it to Security Groups as required,

Now when I log into Passwordstate for the first time after the policy has been applied, I’ll be presented with a normal login screen,

And on clicking Login I’ll be presented with,

I now need to open the Google Authenticator App, select the + symbol to add an Authenticator, pick Scan barcode and place the QR code presented above within the on-screen frame. This will set up the Authenticator and present back the PIN code that needs to be entered,

Simply enter this PIN in the Google Verification Code field and click Login.
Once you’re happy you can Apply the User Account Policy to the required Security Groups to rollout the policy.
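The six-digit PIN the Authenticator app produces and Passwordstate checks is a standard TOTP code (RFC 6238, HMAC-SHA1 over a 30-second counter derived from the shared secret in the scanned QR code). The following is an added illustration of that mechanism, not Passwordstate’s own code; the secret is the RFC 4226 test key, so the values are not from any real installation, and the verifier’s one-step clock tolerance and replay rejection are an assumption about what a sensible server-side check does, not a description of Passwordstate’s implementation.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed input: the RFC 4226 test key "12345678901234567890" in base32,
# the form carried in the otpauth:// URI behind the QR code. Not a real secret.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP as Google Authenticator computes it: counter = floor(time / 30s)."""
    return hotp(secret_b32, unix_time // step, digits)


class TotpVerifier:
    """Server-side check: accept the current step +/- `window` steps (clock drift),
    and never accept a counter at or below one already used (replay of a seen code)."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = 30):
        self.secret = secret_b32
        self.window = window
        self.step = step
        self.last_counter = -1  # highest counter value already accepted

    def verify(self, submitted: str, unix_time: int) -> bool:
        counter = unix_time // self.step
        for candidate in range(counter - self.window, counter + self.window + 1):
            if candidate <= self.last_counter:
                continue  # already consumed (or older than a consumed code): reject
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the test key:", totp(RFC_SECRET, now))
    print("accepted:", TotpVerifier(RFC_SECRET).verify(totp(RFC_SECRET, now), now))
```

The `hotp` and `totp` values match the RFC 4226 and RFC 6238 test vectors (truncated to six digits), which is a quick way to confirm a verifier agrees with what the Authenticator app will display.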
Using SSO with 2FA & Google Authentication
As stated at the beginning, you can use 2FA with both SSO (Passthrough AD Authentication) and Manual AD Authentication. The only difference with SSO is that you need to ensure your System Wide Setting under Administration->System Settings->authentication options->Choose Authentication Option is set to Passthrough AD Authentication, and the Authentication Option you specify at setting A6 in your User Account Policy is set to just Google Authenticator, as per the image below;

This will in effect prompt for your Google Authenticator code during the Passthrough process. It is highly recommended that you don’t roll this configuration out to all users, as it defeats the purpose of having SSO. Rather, you should reserve it for those users who have access to highly privileged password credentials, or those accounts associated with considerable impact if the credentials were stolen or misused.
As always, we welcome your feedback via support@clickstudios.com.au.