At line 1 changed one line |
In CrushFTP version 9 we can integrate our One Time Password (__[OTP|OTP Settings]__) based authentication feature with Google's software based token device __Google Authenticator__ , using Time based OTP (TOTP). The server provides a 80-bit secret key , on a per user basis, as a QR code, that can be imported using Authenticator's QR reader.\\ |
In CrushFTP version 10 we can integrate our One Time Password (__[OTP|OTP Settings]__) based authentication feature with Google's and Microsoft's software-based token device __Google Authenticator__ and __Microsoft Authenticator__, using Time based OTP (TOTP). The user can register a QR code into Google Authenticator or Microsoft Authenticator app.\\ |
At line 3 changed 2 lines |
!!!Server side configuration\\ |
Will need to enable one of our __[OTP|OTP Settings]__ methods, using SMS or Mail based OTP, and enable the __Validated logins__ checkbox. The user needs to be able to log in at least once, using conventional __[OTP|OTP Settings]__.\\ |
!!Server side configuration\\ |
You will need to enable one of our __[OTP|OTP Settings]__ methods, using SMS or Mail based OTP, and enable the __Validated logins__ checkbox. The user needs to be able to log in at least once, without OTP, or with the other __[OTP|OTP Settings]__ settings.\\ |
At line 12 changed one line |
and enable the __QR code generator__ in it's __User Options__ menu\\ |
and enable the two factor __QR code generator__ which will appear in the user's __User Options__ menu when they are logged in.\\ |
At line 16 added 2 lines |
!!Client / token device configuration\\ |
The user will need to log in normally, generate the QR code from the client UI __User Options__ menu.\\ |
At line 17 changed one line |
!!!Client / token device configuration\\ |
[attachments|servercfg004.png]\\ |
At line 19 changed one line |
The user will need to log in using conventional __[OTP|OTP Settings]__, generate the QR code form the client UI __User Options__ menu.\\ |
Then open __Authenticator__ on the mobile device, set up a new account, choose to scan barcode, point the device towards the screen, and read in the QR code. Then save the user settings by clicking the __Confirm__ button in the UI. \\ |
At line 21 changed one line |
[attachments|Clipboard05.jpg]\\ |
Google Authenticator\\ |
[{Image src='tokencfg001.png' width='272px' height='..' align='left'}] [{Image src='tokencfg002.png' width='272px' height='..' align='left'}] [{Image src='tokencfg003.png' width='272px' height='..' align='left'}]\\ |
At line 23 changed 3 lines |
Then open __Authenticator__ on the mobile device, set up new account, choose barcode, point the device towards the screen, read in the QR code. Then save the user settings by clicking the __Confirm__ button in the UI. \\ |
\\ |
[{Image src='tokencfg001.png' width='272px' height='..' align='left'}][{Image src='tokencfg002.png' width='272px' height='..' align='left'}][{Image src='tokencfg003.png' width='272px' height='..' align='left'}]\\ |
Microsoft Authenticator\\ |
[{Image src='IMG_2500.jpg' width='272px' height='..' align='left'}] [{Image src='IMG_2501.jpg' width='272px' height='..' align='left'}] [{Image src='IMG_2502.jpg' width='272px' height='..' align='left'}]\\ |
At line 27 changed one line |
__!!WARNING:__ the QR code is valid for one minute, if missed the time window, will need to generate new, or it will not save. Will need to incadrate within this time frame to generate the QR code, read it in by Authenticator and save the user settings.\\ |
__WARNING:__ the QR code is valid for one minute, if the time window is missed you will need to generate new, or it will not save. Once a secret key has been saved from the QR code, and confirmed, it can only be reset by a server administrator. It's a one-time process.\\ |
At line 33 added 32 lines |
!!Possible scenarios regarding the cooperation of admin and the end-user: |
|
Prerequisites: |
|
-a working Google Authenticator app on a mobile device\\ |
-in the User Manager -> user -> Webinterface -> Available customizations section the "Enable two factor registration" is set to True. This can be enabled on the "default" template account or on the group template account so all other users will inherit the setting from the template user.\\ |
-on Preferences -> General Settings -> OTP section the "Validated Logins" option must be enabled (A on the first screenshot)\\ |
-for the 2nd option the user account has to be configured with an email address. Also, the server needs to have a working SMTP relay configured on Preferences -> General Settings -> SMTP section. |
|
|
1. This is the easiest method for the admin. |
The option of "Google Authenticator Auto Enable" on Preferences -> General Settings -> OTP section is enabled (B on the first screenshot). |
In User Manager the "Two factor OTP/SMS authentication" option is disabled. |
|
The end-user logs in with username and password, and initializes the "Setup of 2 factor auth" via the User Options button, scans the QR code, and hits the Confirm button. |
In the background, CrushFTP writes the Two factor authentication Secret to the user account and takes care of enabling the "Two factor OTP/SMS authentication" option for the user. |
|
2. |
The option of "Google Authenticator Auto Enable" on Preferences -> General Settings -> OTP section is left in disabled state. |
In User Manager the "Two factor OTP/SMS authentication" option is enabled by the admin. |
|
The end-user enters its username and password on the login page. A popup will be prompted asking for the email-based token, then the user is allowed to log in and initialize the Setup of 2 factor auth via the User Options button. Next time won't get an email, and at the token popup enters the 6-digit code generated by Google Authenticator. |
|
3. |
The option of "Google Authenticator Auto Enable" on Preferences -> General Settings -> OTP section is left in disabled state. |
In User Manager the user doesn't have the "Two factor OTP/SMS authentication" option enabled |
|
The end-user logs in with username and password, and initializes the Setup of 2 factor auth via the User Options button, scans the QR code, and hits the Confirm button. |
In the background, CrushFTP writes the Two-factor authentication Secret to the user account, but the Admin needs to activate the "Two factor OTP/SMS authentication" option for the user. |
|
|
__[DMZ|DMZ]__ - Main node scenario: on Preferences -> General Settings -> OTP section the "Validated Logins" option must be enabled on the DMZ node, so the DMZ gives the two-factor authentication to the Main node. |