Two Factor Authentication (2FA)

Posted on 6th October 2016

What is 2FA?

Two factor authentication is a security feature that typically requires the user to provide a second factor when logging in.  i.e. they must provide something they have, in conjunction with something they know before they are authenticated successfully.  2FA improves assurance of knowing that user A logged into a system, actually is user A, and not another person that may have simply obtained their network credentials.

In the use case with Foldr, something the user knows is their Active Directory username and password.  Something they have is an ever changing time-based one-time password (TOTP / OTP) delivered via a third party application.  The third party application in this case being an authenticator app installed on a smartphone or tablet.

The OTP based two factor authentication mechanism used in Foldr v4 has been adopted by many of the leading software vendors as a robust method of authenticating users; more information on the TOTP algorithm is available here.

This feature enables the administrator to require selected individuals or groups of users to comply with the 2FA requirement at login before they are granted access to resources via Foldr.  2FA can be made optional or enforced upon users depending on local security policy.  If 2FA is optional a user can enable it within ‘Security Settings’ when logged into the Foldr web app.  A user is always required to enter their username and password when enabling or disabling this feature.

To use the 2FA feature with Foldr, the recommended method of generating the user’s one time passwords is by using an authenticator app on a smartphone.  There are numerous free apps that provide this facility for all major mobile platforms, however two that work well are Authy and Google Authenticator:

If a user does not own a compatible device to run an authenticator app, plugins are also available for desktop browsers (for example, Authy is available for Google Chrome)

Enabling 2FA for Users

The administrator can enable 2FA for specific users or groups within Foldr Settings >> Two Factor >> Users & Groups tab.  There are two possible deployment methods – required (enforced) or optional (user can enabled 2FA through the web or mobile apps at a time of their choosing).

The example below shows enforcing 2FA for all members of the Active Directory security group ‘Marketing’

The next time a user of the Marketing groups signs into Foldr (or interacts with the Foldr interface if already signed in) they will be prompted to enroll.

User Enrolment

The basic process of user enrolment is as follows:

  • User installs their chosen authenticator app on smartphone or tablet
  • User logs into Foldr using Active Directory credentials
  • User scans the QR code of their shared secret using an authenticator app and optionally notes emergency backup code
  • User verifies enrolment by entering 6 digit OTP shown in the authenticator app to complete login
  • User is now enrolled in 2FA

When a user logs into Foldr and 2FA is mandatory, they will be prompted with the enrolment screen.

 

If a user has 2FA configured as optional then the backup code will simply allow the user to log in and 2FA will be disabled until manually re-enabled within Security Settings in the Foldr interface.

To enroll successfully, the user must create an account within their chosen authenticator app, and select SCAN QR CODE.

If the scan QR Code option is not available, you can manually enter the 28 alphanumeric secret shown below the QR code image.

Authy and Google Authenticator screenshots shown below after completing the enrolment process, note the six digit OTP code being shown in each app.

 

The user will now be prompted to enter their OTP each time they authenticate with Foldr.

NOTE – The one-time password changes every 60 seconds (30 second countdown per code within the authenticator app, plus a 30 second grace period).  Due to the fact that the OTP relies upon the current time and the shared secret associated with the user, it is vital that the system clock on the Foldr appliance is correct and remains in sync.

 

Trusted Devices

By default, this setting is disabled, however the administrator can allow users to mark a device as trusted.  Once a user has successfully passed 2FA they can mark the device as a ‘trusted’ by using the checkbox provided.

From this point on they will not be required to enter the OTP code using that device & browser, however, trust status is not linked between web browsers on the same computer.  i.e. If a user marks trust this device in Google Chrome, they will still be forced to enter the OTP in Internet Explorer.

A users trusted devices can be viewed within Security Settings, when logged into the web app.  Trusted devices may be deleted if required.

Granular Trusted Devices (client app type)

The administrator can configure whether each client app type may be configured by group / location within Foldr Settings >> Two Factor >> Devices.  The example below shows trust settings for the iOS app.

Trust settings may be configured individually for web, Windows Desktop, Windows Server, macOS, iOS and Android apps.

Allow Backup Codes

Emergency backup codes are disabled by default, however if enabled, the user will be presented with an emergency backup code that can be used to reset the 2FA status of their account.

The user will then be prompted to re-enroll upon next login.  This feature may be useful if the user loses access to their authenticator app (mobile phone is lost/ stolen).

 

Resetting a user’s 2FA status

Within Foldr Settings >> Two Factor Authentication >> Users an administrator can reset a user’s existing 2FA settings by clicking the reset button next to their username.

When the reset button is clicked, the user is removed from the list and they will be forced to re-enroll at next login if they fall under the mandatory 2FA policy.

Need more help?

Get in touch with our friendly help desk who will be happy to assist you, support@foldr.io