Enterprise Recon 2.0.29

Two-factor Authentication (2FA)

Two-factor authentication (2FA) secures user accounts by requiring users to enter an additional verification code when signing in on the Web Console.

See the following topics for more details:

Who Can Enable 2FA for User Accounts

  • All users can enable 2FA for their own user accounts.
  • If 2FA is not globally enforced, all users can disable 2FA for their own user accounts.
  • To enable 2FA on user accounts other than your own, you must be a Global Admin or System Manager.
  • To enforce 2FA for all user accounts, you must be a Global Admin or System Manager.

See User Permissions for more information.

Enable 2FA for Own User Account

As an individual user, you can enable 2FA for your own user account by doing the following:

  1. Log into the Web Console.
  2. Go to the MY ACCOUNT > MY ACCOUNT DETAILS page.
  3. Set the toggle button to On for Two-factor Authentication (2FA).
  4. Select Setup 2FA to set up your authenticator device. Otherwise, you will be prompted to set up your authenticator device the next time you sign in.

Enable 2FA for Individual User Accounts

As a Global Admin or System Manager, enable 2FA on a single user account by doing the following:

  1. Log into the Web Console.
  2. Go to the USERS AND SECURITY > USER ACCOUNTS page.
  3. Click Edit for the selected user.
  4. Set the toggle button to On for Two-factor Authentication (2FA) and click Save.

The user will be prompted to set up 2FA the next time they sign in.

Enforce 2FA for All Users

As a Global Admin or System Manager, enforce 2FA for all users by doing the following:

  1. Log into the Web Console.
  2. Go to the USERS AND SECURITY > SECURITY AND COMPLIANCE page.
  3. Under the Account Security > Two-factor Authentication section, set the toggle button to On to enforce 2FA for all users.

All users will be prompted to set up 2FA the next time they sign in.

Set Up 2FA

To set up 2FA for your user account, you must have a two-factor authenticator app that supports time-based one-time password (TOTP) installed on your mobile device. For example:

  • Google Authenticator
  • LastPass Authenticator
  • Microsoft Authenticator
  • Authy

Once installed, do the following:

  1. In the Web Console, open the Setup Two-factor Authentication dialog box by doing one of the following:
    1. When enabling 2FA for your own user account, click the Setup 2FA button that appears next to the Enable Two-factor Authentication (2FA) toggle button; or
    2. If 2FA has already been enabled but not set up for your user account, you will be prompted to set up 2FA the next time you sign in. When prompted to set up 2FA, click Proceed.
  2. Launch the authenticator app on your mobile device.
  3. In Google Authenticator, Add an account and select Scan a barcode.
  4. Scan the QR Code displayed on the Setup Two-factor Authentication dialog box.
  5. Verify that 2FA has been correctly set up by entering the 6-digit code displayed on Google Authenticator into the Enter Code field.
  6. Click Continue to complete the setup.

The next time you sign in, ER2 will ask you for your 2FA code.

Label Format for 2FA Accounts

From ER 2.0.29, authenticator apps use the following label format for all accounts set up with 2FA:

  1. For user accounts manually added in ER2: Enterprise Recon (<master_server_identifier>) (<user_name>@<master_server_host_name>)
  2. For user accounts imported using the Active Directory Manager: Enterprise Recon (<master_server_identifier>) (<user_name>@<domain>)

For example, Enterprise Recon (117b92a9) (userA@er-master), where

  • 117b92a9 is the unique identifier for a specific Master Server instance. This unique identifier is displayed on the login screen when ER2 prompts you for the 2FA code.
  • userA is the user name.
  • er-master is the host name for the Master Server instance.
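
The label format above can be checked mechanically. The following is an added example, not part of the ER2 product or its documentation: it parses authenticator labels and selects the entries whose identifier matches the one shown on the login screen, which matters when two Master Server instances share a host name. The names parse_label, entries_for_server and ErLabel are hypothetical, and all sample labels other than the one from this page are constructed.

```python
import re
from typing import NamedTuple, Optional

# Label layout from the page:
#   Enterprise Recon (<master_server_identifier>) (<user_name>@<host_or_domain>)
# Assumption: neither bracketed field contains parentheses itself.
LABEL_RE = re.compile(r"^Enterprise Recon \((?P<ident>[^()\s]+)\) \((?P<account>[^()]+)\)$")

class ErLabel(NamedTuple):
    identifier: str  # unique identifier of the Master Server instance
    user: str        # ER2 user name
    realm: str       # Master Server host name, or domain for AD-imported users

def parse_label(label: str) -> Optional[ErLabel]:
    """Return the parsed label, or None if it does not follow the format."""
    m = LABEL_RE.match(label.strip())
    if m is None:
        return None
    # Assumption: split on the last '@' so a user name containing '@' survives.
    user, sep, realm = m.group("account").rpartition("@")
    if not (sep and user and realm):
        return None
    return ErLabel(m.group("ident"), user, realm)

def entries_for_server(labels, shown_identifier, user=None):
    """Select entries for the Master Server whose identifier is displayed on
    the login screen; optionally narrow the result to one user name."""
    hits = []
    for raw in labels:
        parsed = parse_label(raw)
        if parsed is None or parsed.identifier != shown_identifier.strip():
            continue  # unrelated entry, or a different Master Server instance
        if user is not None and parsed.user != user:
            continue
        hits.append(parsed)
    return hits

# Constructed sample: entries as they might appear in one authenticator app.
SAMPLE_LABELS = [
    "Enterprise Recon (117b92a9) (userA@er-master)",     # example from this page
    "Enterprise Recon (5c0de123) (userA@er-master)",     # constructed: other instance, same host name
    "Enterprise Recon (117b92a9) (userB@corp.example)",  # constructed: AD-imported user
    "Example VPN (userA)",                               # constructed: unrelated service
]

if __name__ == "__main__":
    for entry in entries_for_server(SAMPLE_LABELS, "117b92a9"):
        print(entry)
```
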

Reset 2FA

As an individual user, you can reset 2FA for your own user account by doing the following:

  1. Log into the Web Console.
  2. Go to the MY ACCOUNT > MY ACCOUNT DETAILS page.
  3. In the Account Information tab, click Setup 2FA to set up your authenticator device again.

As a Global Admin or System Manager, reset 2FA for a single user account by doing the following:

  1. Log into the Web Console.
  2. Go to the USERS AND SECURITY > USER ACCOUNTS page.
  3. Click Edit for the selected user.
  4. In the User Information tab, click Reset 2FA for the user to set up the authenticator device again.
  5. Click Save.