Two-factor authentication (2FA) is an additional security step that is designed to strengthen an account and prevent others from accessing it, even if your password becomes compromised. Two-factor authentication requires verifying your identity not only with an e-mail address and password but also with a so-called one-time password (OTP), which is only valid for a short amount of time. A valid one-time password is generated by a mobile device that you have registered for this purpose.
This article describes the following:
- Enable two-factor authentication for the logged-in user account
- Enforce two-factor authentication for a group of user accounts
- Disable two-factor authentication for the logged-in user account
- What to do when a mobile phone or the backup codes are lost
Enable two-factor authentication for the logged-in user account
Enabling two-factor authentication requires an authenticator app, e.g. Google Authenticator or Twilio Authy. This can be downloaded and installed from the Google Play Store (Android phones) or the Apple Store (iOS phones). Two-factor authentication can be configured with the option Two-factor authentication under Account > My profile > Login and security > Signing in. When the option Two-factor authentication is selected, a pop-up window opens in which the option can be enabled. To start generating codes for IXON Cloud, the QR code has to be scanned with an authenticator app and the first one-time password has to be entered. The pop-up window also contains a link to Google Authenticator as an example of an authenticator app.
An e-mail containing backup codes will be sent after setting up two-factor authentication. It is strongly advised to print or save these in a secure location. To generate new backup codes, the option Two-factor authentication can be disabled and enabled again.
Warning
When access to the authenticator app has been lost and the backup codes have been lost too, access to the IXON Cloud account is lost permanently. This prevents the user from using IXON Cloud with that specific e-mail address. One way to prevent this problem is to use an authenticator app that can be installed on multiple devices and can synchronize the 2FA accounts, e.g. Twilio Authy.
Notes
- If it is not possible to scan a QR code, the authenticator app also accepts a 16-digit code instead. This code is shown by selecting I can't scan a QR code.
- An authenticator app doesn't need an internet connection to generate a one-time password (OTP).
- Besides logging in with a password, it is also possible to use Single Sign-On (SSO) and log in with a Google or Microsoft account. When using Single Sign-On, both the password and the configured two-factor authentication will not be used. Instead, two-factor authentication has to be configured on the Google or Microsoft account.
- Even when only Google or Microsoft authentication is used, the IXON Cloud email/password login method is still available and can be used to log in. It is advisable to always use strong passwords.
- After disabling two-factor authentication, an e-mail will be sent to confirm the action. Two-factor authentication is only disabled after the link in that e-mail has been clicked.
Enforce two-factor authentication for a group of user accounts
Two-factor authentication can only be enabled on a group when it is enabled for the currently logged-in user account. So, if it is not enabled yet, enable two-factor authentication for the currently logged-in user account first. See the paragraph above on how to enable this.
To enable two-factor authentication for a group of user accounts, select a role under Admin > Roles > Roles and enable the option Enforce two-factor authentication. When a user with that role now tries to log in, a message will be displayed that two-factor authentication is required, together with the option to enable it.
Two-factor authentication is only enabled for the user after they have logged in. For users who have not yet logged in, two-factor authentication is still shown as off in the user overview.
Warning
Unchecking the option Enable two-factor authentication will not disable two-factor authentication on a user account. Two-factor authentication can only be disabled by the logged-in user account itself, by disabling the option Two-factor authentication under Account > My profile > Login and security > Signing in and confirming the action by clicking on the link in the e-mail.
Disable two-factor authentication for the logged-in user account
Two-factor authentication can be disabled by selecting the option Two-factor authentication under Account > My profile > Login and security > Signing in. A pop-up window will open with the option Turn off. After disabling two-factor authentication, an e-mail will be sent to confirm the action. Two-factor authentication is only disabled after the link in that e-mail has been clicked.
What to do when a mobile phone or the backup codes are lost
Lost mobile device
If access to the mobile device is lost, e.g. because it was stolen, broken or misplaced, the backup codes that were received by e-mail when two-factor authentication was enabled are needed to log in. After logging in, an authenticator app on another device can be registered by disabling and re-enabling two-factor authentication with the option Two-factor authentication under Account > My profile > Login and security > Signing in.
Lost backup codes
If the backup codes are lost, new codes can be generated by disabling and re-enabling two-factor authentication. When two-factor authentication is enabled again, new backup codes are sent by e-mail.
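The two sections above rely on two properties of backup codes: each code is a second factor that works without the phone, and regenerating the set invalidates the old one. The example below is added to show how a service typically implements that; it is not IXON's code and its storage layout is an assumption. Codes are random, only their hashes are kept, each hash is removed on first use, and regeneration replaces the whole set, which is why codes that were e-mailed earlier stop working after two-factor authentication is disabled and enabled again.

```python
import hashlib
import hmac
import secrets


def generate_backup_codes(count: int = 10, nbytes: int = 8) -> list:
    """Random single-use codes. 8 bytes gives 64 bits of entropy per code, which is why a
    plain SHA-256 (rather than a slow password hash) is acceptable for storing them."""
    return [secrets.token_hex(nbytes) for _ in range(count)]


def hash_code(code: str) -> str:
    """Normalise what the user typed (whitespace, case) and hash it; the clear text is
    never stored, so a database leak does not expose usable codes."""
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


class BackupCodeStore:
    """Per-account store of unused backup-code hashes (in-memory stand-in for a database)."""

    def __init__(self, codes: list):
        self._hashes = {hash_code(c) for c in codes}

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, candidate: str) -> bool:
        """Accept a code once. The hash is compared in constant time and discarded on success,
        so replaying a code that was already used (or observed) fails."""
        wanted = hash_code(candidate)
        for stored in list(self._hashes):
            if hmac.compare_digest(stored, wanted):
                self._hashes.discard(stored)
                return True
        return False

    def regenerate(self) -> list:
        """Mirror of 'disable and enable again': every old code is invalidated and a fresh
        set is returned so it can be delivered to the user (e.g. by e-mail)."""
        new_codes = generate_backup_codes()
        self._hashes = {hash_code(c) for c in new_codes}
        return new_codes


def demo() -> bool:
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    first_use = store.redeem(codes[0])        # accepted
    replay = store.redeem(codes[0])           # rejected: already consumed
    fresh = store.regenerate()
    old_after_reset = store.redeem(codes[1])  # rejected: old set invalidated
    new_after_reset = store.redeem(fresh[0])  # accepted
    return first_use and not replay and not old_after_reset and new_after_reset


if __name__ == "__main__":
    print("backup-code lifecycle behaves as expected:", demo())
```

Because the store only ever holds hashes, the service cannot re-send the original codes on request; that matches the article's instruction to regenerate rather than recover lost codes, and it is why the e-mailed list must be kept somewhere safe.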
Lost mobile device and backup codes
When access to the authenticator app has been lost and the backup codes have been lost too, access to the IXON Cloud account is lost permanently. This prevents the user from using IXON Cloud with that specific e-mail address. One way to prevent this problem is to use an authenticator app that can be installed on multiple devices and can synchronize the 2FA accounts, e.g. Twilio Authy.