Setting up Two-Factor Authentication (TFA) - Google Authenticator

  1. Overview
  2. Sequence of Events
  3. Configuring Two-Factor Authentication
  4. Enforcing Two-Factor Authentication for Required Users
  5. Connecting to KMP Web Interface when TFA via Google Authenticator is Enabled
  6. Troubleshooting Tip

1. Overview

Google Authenticator is a software-based authenticator app developed by Google. Google authenticator generates a six-digit code for every 30 seconds which the users must enter as the second factor of authentication.
After setting up Google Authenticator as the second factor of authentication in Key Manager Plus, the users will have to enter the user credentials, followed by this six-digit code. Here’s how to configure and use the Google Authenticator app with Key Manager Plus.

2. Sequence of Events

Here's the sequence of events involved in using Google Authenticator as the second level of authentication to login to Key Manager Plus:

  1. A user tries to access Key Manager Plus web-interface.
  2. Key Manager Plus authenticates the user through Active Directory/LDAP/SAML/ locally (first factor).
  3. Key Manager Plus prompts for the second factor credential through Google Authenticator.
  4. Enter the six-digit token that you see on the Google Authenticator app GUI.
  5. Key Manager Plus grants the user access to the web-interface.

3. Configuring Two-Factor Authentication

  1. Navigate to Settings >> Other Settings >> Two-Factor Authentication. 
  2. Choose Google Authenticator and click Save.
g-tfa-1

 

4. Enforcing Two-Factor Authentication for Required Users

  1. Once you confirm Google Authenticator as the second factor of authentication in the previous step, a new window will prompt you to select the users for whom Two-Factor Authentication should be enforced.
  2. You can Enable or DisableTwo-Factor Authentication for a single user or multiple users in bulk from here.
    1. To enable Two-Factor Authentication for a single user, click Enable beside the respective user.
    2. For multiple users, select the required users and click Enable at the top of the user list.
    3. Similarly, you can also Disable Two-Factor Authentication from here.

      enable-tfa
  3. You can also enable or disable Two-Factor Authentication while adding or editing a user from Settings >> User Management >> Users.
user-tfa

 

5. Connecting to KMP Web Interface when TFA via Google Authenticator is Enabled

Prerequisite

To use google authenticator as the second factor of authentication, you should first install Google Authenticator app in your smart phone or tablet. Google officially supports Android, iPhone, iPad, iPod Touch and BlackBerry devices. Detailed instructions to install the Google Authenticator app is available on Google's website.

Connecting to Key Manager Plus Web Interface

The users for whom Two-Factor Authentication is enabled, will have to authenticate twice successively. As explained above, the first level of authentication will be through the usual authentication. That is, the users have to authenticate through Key Manager Plus's local authentication or AD/LDAP/SAML authentication. If the administrator has chosen the TFA option Google Authenticator, the Two-Factor Authentication will happen as detailed below:

  1. Upon launching the Key Manager Plus web-interface, the user has to enter the credentials(local authentication or AD/LDAP/SAML) to log in.
  2. Associating Google Authenticator with your account in Key Manager Plus: When you are logging in for the first time after enabling TFA through Google Authenticator, you will be prompted to associate it with your account in Key Manager Plus.
  3. First, launch the Google Authenticator app on your mobile device/tablet and choose the '+' button.
    1. Select Scan a QR code and point your device to the QR code shown in the GUI.
    2. This will automatically configure Google Authenticator to start generating authentication codes for Key Manager Plus.
  4. If you have trouble scanning the QR code, the automatic setup will not work. Alternatively, you can carry out the following manual steps in the Google Authenticator app on your device:
    1. Select I have trouble scanning this QR code from the GUI.
    2. Now, choose to Enter a setup key.
    3. Enter the Account name for your Key Manager Plus account in this format - <KMP:user@mailid>.
      (Example: KMP:john@abc.com)
    4. Supply the alphanumeric string as the key and choose Time Based under Type of Key.
    5. Click Add.
    6. Google Authenticator is now set up and it will start generating codes periodically for Key Manager Plus.
  5. After completing this, you can enter the current code to continue logging into Key Manager Plus and click Submit.

 6. Troubleshooting Tip

As mentioned earlier, Google Authenticator is associated with your Key Manager Plus account. If you ever lose your mobile device/tablet OR if you accidentally delete the Google Authenticator app on your device, you will still be able to get tokens to log in to Key Manager Plus. In such scenarios,

  1. Log in to Key Manager Plus by mentioning the Username and Password.
  2. Click the link Having trouble using Google Authenticator? in the Key Manager Plus login screen.
  3. You will be prompted to enter your Key Manager Plus Username and the Email address associated with Key Manager Plus.
  4. You will receive instructions to get Google Authenticator again via the above mentioned Email.
Top