Differences

This shows you the differences between two versions of the page.

2fa [2019_09_23 16:22] – created jim
2fa [2024_02_28 01:03] (current) – external edit 127.0.0.1
Line 1: Line 1:
-======Two-Factor Authentication (2FA)======+Two-Factor Authentication (2FA)
  
-The Enterprise File Fabric supports two-factor authentication. This can also be referred to as two-step verification or dual factor authentication.+#### last updated on: Feb 14, 2023
  
-2FA is a security process in which the user provides two different authentication factors to verify themselves to better protect both the user's credentials and the resources the user can access+Access Anywhere Server supports two-factor authentication (2FA). This is sometimes referred to as two-step verification, dual factor authentication, or multi-factor authentication.
  
-If 2FA is turned then users first login with their password before then being issued a secondary authentication challenge.+2FA is an additional security process in which a user provides two different authentication factors to verify themselves when logging in to better protect the resources the user can access.  If 2FA is enabled then users first login with their passwords and are then issued a secondary authentication challenge.
  
-Two Factor Authentication can be turned on for all team users of a File Fabric by the File Fabric Administrator from the Org Policies section+Note that 2FA is set at an account level so can be used to protect storage resources that do not support 2FA by default.
  
-The options for 2FA are:+2FA can be configured for individual users (accounts) or at an organization level.
  
-- Email 
-- Nominated password 
-- Google Authenticator TOTP (also works with Microsoft Authenticator) 
  
-Once turned on users will have to login as normal and will then receive the second challengeThis will work from web, desktop and mobile apps.+### External Users 
 + 
 +Setting 2FA for an organization doesn't enable 2FA for external users tied to that organization. This can be enabled for each account by the Appliance Admin. 
 + 
 + 
 +===== Organization Level Setup ===== 
 + 
 +Two Factor Authentication can be turned on for all of a organization' members and for the org. admin by the org. admin from the Security tab of the Policies page: 
 + 
 +{{ ::2fa:2fa_no_qr_code.png?600 |}} 
 + 
 +The protocol adapters [[clouddav|]] and [[cloudftp|]] do not support 2FA. You can optionally disable them from this page for further security. (For this option to be visible the Feature "2FA for API" must be enabled for the User Package.) 
 + 
 +Three types of 2FA are supported.  Select the type you want to use from the pulldown menu: 
 + 
 +{{ ::2fa_dropdown.png?direct&400 |}} 
 + 
 +====Email==== 
 + 
 +===How it Works=== 
 + 
 +On each login attempt the user will have to enter a timed one-time password.   
 +{{ :email_challenge.png?direct&400 |}} 
 +The password will be emailed automatically to the email address associated with her Access Anywhere account. Each login requires a new one-time password. 
 + 
 +===Set-Up=== 
 + 
 +The only set-up required is selecting this choice and saving the change. 
 + 
 +====Phrase==== 
 +===How it Works=== 
 +When each user logs in for the first time after phrase based 2FA has been enabled, they will have establish a phrase to be entered on subsequent logins: 
 + 
 +{{ :phrase_setup.png?direct&400 |}} 
 + 
 +On each subsequent login attempt the user will be challenged to enter the phrase: 
 + 
 +{{ :phrase_challenge.png?direct&400 |}} 
 + 
 +If an org. member forgets his phrase then he will no longer be able to log in to his account until the orgadmin intervenes. 
 + 
 +===Set-Up=== 
 + 
 +As the org. admin you can both turn on phrase based 2FA for the org. and set up the phrase for your account.  Enter the  phrase that you will use when logging in to your own org. admin account and record this phrase in a safe place.  You will be required to enter it to log in to your account.  If you lose the phrase you will not be able to log in to your org. admin account until the Access Anywhere appliance administrator (appladmin) intervenes. 
 + 
 +====Authenticator App (TOTP)==== 
 +===How it Works=== 
 +On each login attempt the user will be have to enter a timed one-time password (TOTP) that has been generated by an app such as Google Authenticator on her phone. 
 + 
 + 
 +{{ :totp_challenge.png?direct&400 |}} 
 +===Set-Up=== 
 + 
 +If the org. admin selects "Authenticator App" then a secret string and a QR code for the org. admin's  
 +account will appear on the Security web page: 
 + 
 +{{ :totp_setup.png?direct&400 |}} 
 + 
 +The QR code and the secret string are functionally equivalent.  Either can be provided to a TOTP application such as Google Authenticator to enable the application to generate TOTPs for the org. admin's account. If you lose the phrase you will not be able to log in to your org. admin account until the Access Anywhere appliance administrator (appladmin) intervenes. 
 + 
 +On each user's first login after TOTP 2FA has been turned oneach user will have to download or save their own individual QR code or secret.   On each subsequent login the user must enter the TOTP for their account to complete the login process. If an org. member forgets his phrase then he will no longer be able to log in to his account until the org. admin intervenes. 
 + 
 +Android / iOS Apps that support TOTP include Google Authenticator, Microsoft Authenticator and Twilio Authy. 
 + 
 +=====Individual User Setup===== 
 + 
 +If 2FA has not been activated for the organization then each user has the option of setting up 2FA for his/her own account.   
 + 
 +{{ ::2fa_dashboard.png?direct&400 |}} 
 + 
 +The choices, setup and use are the same as those described in the previous section.
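
Review bot: In the added "Authenticator App (TOTP)" Set-Up text, the two recovery sentences are carried over from the Phrase section and still say "phrase" ("If you lose the phrase you will not be able to log in to your org. admin account ..." and "If an org. member forgets his phrase ..."). With TOTP what gets lost is the secret string, the QR code or the enrolled device, so both sentences should name that instead. The same section shows the secret string and QR code on the Security page and calls them functionally equivalent, so it should also say that either one needs to be stored as carefully as a password. Elsewhere in the hunk, the old explicit list of options (Email, Nominated password, Google Authenticator TOTP) is replaced by "Three types of 2FA are supported" plus a screenshot, and "####"/"###" headings are mixed with the page's "=====" wiki headings; listing the three types in text and keeping one heading syntax would leave the page readable without the images. The added sentence on [[clouddav|]] and [[cloudftp|]] says they "do not support 2FA" and can optionally be disabled, but does not say what access they still allow while 2FA is on; state that, so an org. admin can decide whether to disable them. Minor wording in the added lines: "will have establish a phrase", "will be have to enter".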