As an administrator, how do I handle the two-factor authentication (2FA) of my Flexopus instance?

In this article you will learn how to manage two-factor authentication (2FA) to increase the security of your instance.

Note: If you are a user who wants to learn how to use 2FA, see the separate user article on this topic.

What is 2FA?

Two-factor authentication (2FA), sometimes incorrectly called "two-factor authentification", proves a user's identity with a combination of two different and, in particular, independent components (factors). In web applications the first factor is usually the combination of email address and password; typical second factors are:

  • A one-time PIN sent by SMS
  • A one-time PIN sent by e-mail
  • A time-based one-time password (TOTP) generated by an authenticator app

TOTP process
Users install an authenticator app on their mobile device; one app can serve as the second factor for several web-based services. A service is protected by registering the app with it as a second factor. To do this, the service's authentication server and the user's device share a secret (a random string), e.g. by scanning a QR code with the mobile device or by manually typing in the string displayed by the server. After this enrolment step the secret should be known only to the authentication server and the user's personal device and should never leave them. Because the secret is symmetric, the server must protect its copy as carefully as a password database: anyone who can read it can generate valid codes. After a functional test (the user enters a valid code once), the web service activates two-factor authentication for the user account.

TOTP usage
When the user wants to use the web-based service, they are prompted, after entering their user name and password, to enter the one-time password currently shown by the app as the second factor. The server computes the expected code from the shared secret and the current time and compares the two.

There are several apps for two-factor authentication via TOTP, for example:
Google Authenticator, Microsoft Authenticator, andOTP, FreeOTP, FreeOTP+, etc.
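The enrolment and verification steps described above, as an added example that is not Flexopus' own code. It generates a per-user secret, builds the otpauth key URI that the authenticator apps listed above can scan (the issuer name "Flexopus" and the account label are assumptions for illustration), computes TOTP codes per RFC 4226/6238, and verifies them on the server side with a small clock-drift window and replay protection. The sample secret used in the comments is the public RFC 6238 test key, not a real secret.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

PERIOD = 30   # seconds per time step (RFC 6238 default)
DIGITS = 6    # code length used by the authenticator apps above


def generate_secret(nbytes: int = 20) -> bytes:
    """Enrolment, server side: a fresh random secret per user (RFC 4226 recommends >= 160 bits)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str = "Flexopus") -> str:
    """Key URI that is encoded into the QR code the user scans during enrolment.
    Issuer and label format are illustrative assumptions, not Flexopus' actual values."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = f"{quote(issuer, safe='')}:{quote(account, safe='')}"
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer, safe='')}"
            f"&algorithm=SHA1&digits={DIGITS}&period={PERIOD}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period). This is what the app computes."""
    return hotp(secret, timestamp // period, digits)


class TotpVerifier:
    """Server-side check. Accepts +/- drift_steps time steps of clock drift between phone and server,
    and never accepts a time step at or before the last one already used, so a code that was
    phished or intercepted cannot be replayed within its validity window."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_step = -1

    def verify(self, code: str, timestamp: Optional[int] = None) -> bool:
        if timestamp is None:
            timestamp = int(time.time())
        step = timestamp // PERIOD
        for candidate in range(step - self.drift_steps, step + self.drift_steps + 1):
            if candidate <= self.last_accepted_step:
                continue  # replay protection: this step (or an older one) was already consumed
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Walk through enrolment and a first login for a hypothetical user.
    secret = generate_secret()
    print(provisioning_uri(secret, "alice@example.com"))  # rendered as a QR code in the real UI
    now = int(time.time())
    code = totp(secret, now)           # what the authenticator app would display right now
    verifier = TotpVerifier(secret)
    print("first use accepted:", verifier.verify(code, now))    # True
    print("replay accepted:", verifier.verify(code, now))       # False
```

The RFC 6238 test key `12345678901234567890` (ASCII) yields the published codes 287082 at t=59 and 005924 at t=1234567890, which is a quick way to confirm an implementation before rolling it out. Note that the drift window also means an attacker who obtains one code has up to three time steps to use it, which is why the replay check above matters.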

2FA is a special case of multi-factor authentication (MFA); the two terms are often used interchangeably.

Enforce 2FA for all users as an administrator

You can find the settings for 2FA as a Flexopus administrator under Settings > Authentication > Two-factor authentication. Here you can choose one of the following policies for your users:

  • Individual
    Users can individually decide for themselves whether they want to configure 2FA.
  • Every User
    All users are required to configure 2FA.
  • Only Administrators
    Only administrative users with access to the dashboard have to configure 2FA; normal users can decide individually.

NOTE: A TOTP 2FA procedure set up in Flexopus is only required from users who log in directly with email and password. If an external Single Sign-On (SSO) service is connected, 2FA has to be provided by the external Identity Provider (IdP); the Flexopus setting does not apply to those logins.

How can I reset the 2FA for a user as an administrator?

If a user can no longer log in with 2FA and has not saved their recovery codes, an administrator can reset the 2FA configuration of the respective user. Since the reset removes the second factor from the account, verify the identity of the requesting user through another channel (e.g. a known phone number or in person) before doing so; a helpdesk reset is a common social-engineering target.

You can do this as follows:

  1. Log in to Flexopus as an administrator, go to Dashboard > Users > All Users and select the affected user.
  2. Select the Profile Settings tab and look for the setting "Two-factor authentication". Here you can reset the 2FA settings of the respective user with the "Turn off 2FA" button. The user can then set up 2FA again at their next login.

2FA for Single Sign On Login (SSO)

The 2FA configuration option in Flexopus only applies to login attempts with email and password through Flexopus. If you have configured a Single Sign-On provider, 2FA must be provided by the respective Identity Provider (IdP). Please make sure that the 2FA settings at your IdP (e.g. Azure AD, ADFS, Google, Okta, etc.) are configured so that the second factor is actually enforced for the users who log in to Flexopus.

The authentication of users is provided externally by the IdP as a service to our application. 2FA is an authentication step and is therefore part of the Single Sign-On process handled by the IdP, not by Flexopus.

R0097