Setting up Two-Factor Authentication (TFA) - Microsoft Authenticator

  1. Overview
  2. Sequence of Events
  3. Configuring Two-Factor Authentication
  4. Enforcing Two-Factor Authentication for Required Users
  5. Connecting to KMP Web Interface when TFA via Microsoft Authenticator is Enabled
  6. Troubleshooting Tip

1. Overview

Microsoft Authenticator is a software-based authenticator app developed by Microsoft. This application generates a time-based, six-digit, one-time password for every 30 seconds.
After configuring Microsoft Authenticator with Key Manager Plus, the user will have to enter the user credentials, followed by this six-digit code to successfully log in to Key Manager Plus. Using two-factor authentication ensures the security of your account. Here, in this document, you will learn how to configure and connect Microsoft Authenticator with Key Manager Plus.

2. Sequence of Events

Here's the sequence of events involved in using Microsoft Authenticator as the second level of authentication to login to Key Manager Plus:

  1. A user tries to access Key Manager Plus web-interface.
  2. Key Manager Plus authenticates the user through Active Directory/LDAP/SAML/locally (first factor).
  3. Key Manager Plus prompts for the second factor credential through Microsoft Authenticator.
  4. Enter the six-digit token that you see on the Microsoft Authenticator app GUI.
  5. Key Manager Plus grants the user access to the web-interface.

3. Configuring Two-Factor Authentication

  1. Navigate to Settings >> Other Settings >> Two-Factor Authentication. 
  2. Choose Microsoft Authenticator and click Save.
m-tfa-1

 

4. Enforcing Two-Factor Authentication for Required Users

  1. Once you confirm Microsoft Authenticator as the second factor of authentication in the previous step, a new window will prompt you to select the users for whom Two-Factor Authentication should be enforced.
  2. You can Enable or DisableTwo-Factor Authentication for a single user or multiple users in bulk from here.
    1. To enable Two-Factor Authentication for a single user, click Enable beside the respective user.
    2. For multiple users, select the required users and click Enable at the top of the user list.
    3. Similarly, you can also Disable Two-Factor Authentication from here.

      enable-tfa
  3. You can also enable or disable Two-Factor Authentication while adding or editing a user from Settings >> User Management >> Users.
user-tfa

 

5. Connecting to KMP Web Interface when TFA via Microsoft Authenticator is Enabled

Prerequisite

To use Microsoft Authenticator as the second factor of authentication, you should first install the app in your smart phone or tablet.

Connecting to Key Manager Plus Web Interface

The users for whom Two-Factor Authentication is enabled will have to authenticate twice successively. If the administrator has chosen the TFA option Microsoft Authenticator, the Two-Factor Authentication will happen as detailed below:

  1. Launch Key Manager Plus web interface, enter the Username and Password (local authentication or AD/LDAP/SAML), and click Login.
  2. Associating Microsoft Authenticator with your Key Manager Plus account: When you are logging in for the first time after enabling TFA through Microsoft Authenticator, you will be prompted to associate it with your account in Key Manager Plus.
  3. Open Microsoft Authenticator app in your mobile device or tablet and click "Add Account" or the "+" button.
    1. Choose "Other account(Google, Facebook, etc.)" for the account you're adding, since Key Manager Plus is not a Microsoft extension.
    2. Now, scan the QR code displayed in Key Manager Plus.
    3. This will automatically configure Microsoft Authenticator to start generating authentication codes periodically, that changes every 30 seconds.
  4. If you have trouble scanning the QR code, you can also choose to Enter Code Manually and carry out the following manual steps:
    1. The GUI will prompt you to enter an Account Name and a Secret key.
    2. Supply an Account name for your Key Manager Plus account in the format <KMP:user@mailid>.
      (Example:KMP:john@abc.com)
    3. Provide an alphanumeric string as your Secret key and then click Finish.
    4. Microsoft Authenticator will now start generating codes periodically, that changes every 30 seconds.
  5. After completing this, you can enter this code in the text box provided in the Key Manager Plus login page for the second level of authentication.

6. Troubleshooting Tip

As mentioned earlier, Microsoft Authenticator is associated with your Key Manager Plus account. If you ever lose your mobile device/tablet OR if you accidentally delete the Microsoft Authenticator app on your device, you will still be able to get tokens to log in to Key Manager Plus. In such scenarios,

  1. Log in to Key Manager Plus by mentioning the Username and Password.
  2. Click the link Having trouble using Microsoft Authenticator? in the Key Manager Plus login screen.
  3. You will be prompted to enter your Key Manager Plus Username and the Email address associated with Key Manager Plus.
  4. You will receive instructions to get Microsoft Authenticator again via the above mentioned Email.
Top