Two-factor authentication

Configuring the email verification method

If email verification is chosen, users will need to use the security code generated via email as the second verification during the logon process.

Prerequisite: To configure email verification as an authentication method, email server settings have to be configured beforehand. Find the steps to configure an email server here.

Enable email verification by following these steps:

• Select Admin from the applications drop-down menu at the top.
• Go to Administrative Settings > Logon Settings and toggle on Enable two-factor authentication.
• Under Email Verification, select the Enable Email Verification check box.
• Add the email Subject and Message using macros.
• Click Save.

Note: A test email will be generated by DataSecurity Plus as soon as 2FA is configured using email verification. Check the email and make necessary changes to the settings if required.

Configuring the Google Authenticator verification method

If Google Authenticator is chosen, users will need to use the security code generated by the Google Authenticator mobile application as the second verification during the logon process.

Prerequisite: To configure Google Authenticator as an authentication method, download and install Google Authenticator on your mobile device from Google's website. Find the mobile devices supported by the Google Authenticator application here.

Enable Google Authenticator verification by following these steps:

• Select Admin from the applications drop-down menu at the top.
• Go to Administrative Settings > Logon Settings and toggle on Enable two-factor authentication.
• Under Google Authenticator, click the Enable Google Authenticator button.
• Click Save.

Log on to DataSecurity Plus for the first time via Google Authenticator by following these steps:

• Open the DataSecurity Plus web console.
• Enter the appropriate user credentials.
• Select Google Authenticator as the preferred second verification method.
• Scan the QR code displayed using your Google Authenticator mobile application to create a separate account for DataSecurity Plus.
• A secret code will be displayed. Enter the secret code generated on your mobile device into the DataSecurity Plus web console to log on.

Configuring the Duo Security verification method

If Duo Security is chosen, users will need to use the security code generated by the Duo Security mobile application as the second verification during the logon process.

Prerequisites:

• To configure Duo Security as an authentication method, download and install the Duo Security application on your mobile device from Google Play.
• Retrieve the security details required for configuring it as a verification method from the Duo Security application by following these steps:
  • Log on to the Duo Security application using your Duo Security credentials.
  • Go to the Applications section on the left pane and click Protect an Application.
  • Under Application, select Web SDK and click Protect.
  • Copy the Integration key, Secret key, and API hostname.

Enable Duo Security verification by following these steps:

• Select Admin from the applications drop-down menu at the top.
• Go to Administrative Settings > Logon Settings and toggle on Enable two-factor authentication.
• Under Duo Security, select the Enable Duo Security check box.
• Fill in the Integration Key, Secret Key, and API Host Name retrieved from the Duo Security application.
• Choose the appropriate Username Pattern.
• Click Save.

Note: If an enrolled user is deleted in Duo, it is also mandatory to remove the user's enrollment in DataSecurity Plus.

Managing authentication modes

In DataSecurity Plus, users can configure multiple second verification modes to assist with their logons. In such cases, during their first logon after enabling 2FA, users will be asked to choose the verification method they want from the methods already configured.

Users can also change their preferred authentication method that they want to use by default during every logon by following these steps:

• Click the drop-down next to your profile picture in the top-right corner of the window.
• Go to Two-Factor Authentication > Modify Authentication mode.
• Choose the authentication method you prefer.
• Complete the initial verification for the chosen authentication method.

From now on, the user will be redirected to their chosen second verification mode during logon.

Users will be unable to change their preferred authentication mode without logging on. In cases where the user has issues with obtaining a security code via their preferred authentication method and also does not have a valid backup verification code available, they will have to contact the admin to reset their second authentication mode. Only then will they be able to log on.

Admins can reset the second authentication mode for users by following these steps:

• Open the DataSecurity Plus web console.
• Select Admin from the applications drop-down menu at the top.
• Go to Administrative Settings > Logon Settings.
• Use the Enrolled Users link in the bottom-right corner of the table.
• Select the user whose second authentication method you want to reset and click the delete icon.
• Click Save.

Using backup verification codes

A backup verification code can be used to log on when a user cannot access their mobile phone or has issues retrieving their security codes. It is advisable to maintain a copy of the backup verification codes in a safe, secure location.

Prerequisite: To set up backup verification codes, at least one 2FA method must have been successfully configured. Find the list of the available second verification methods and the relevant steps here.

Enable the use of backup verification codes by following these steps:

• Select Admin from the applications drop-down menu at the top.
• Go to Administrative Settings > Logon Settings.
• Toggle on Enable two-factor authentication.
• Select the Backup Verification Code check box.

Generate new backup verification codes by following these steps:

• Click the drop-down next to your profile picture in the top-right corner of the window.
• Go to Two-Factor Authentication > Manage Backup Verification Codes. This will open the Manage Backup Verification Codes window, which will list the backup verification codes.
• Users can download the codes as a text file, print them, or send them in an email. It is vital to store the copies of the backup codes in a secure location.
• Click Save.

Note: Each backup verification code can be used only once to log on. Generate a new set of codes when you exhaust the current list.