Setting up Two-Factor Authentication (TFA) - Zoho OneAuth Authenticator

Zoho OneAuth Authenticator, a comprehensive multi-factor authentication application, helps you secure your online accounts, thus improving your business security. It is available for download on multiple devices - iOS, Android, iPad, macOS, watchOS, and Windows platforms and can be installed at your convenience. Once configured, the OTP Authenticator of Zoho OneAuth generates a 6-digit number every 30 seconds that must be entered as the second factor of authentication, following the usual first-factor authentication.

How does Zoho OneAuth Work with PAM360?

1. A user tries to access the PAM360 web interface
2. PAM360 authenticates the user through the first factor of authentication / local authentication - AD/Microsoft Entra ID/LDAP
3. PAM360 prompts for the second-factor authentication through the configured Zoho OneAuth - Authenticator
4. The user enters the six-digit code from the Zoho OneAuth - Authenticator GUI
5. PAM360 grants access to the user for the PAM360 web interface for further operations

The following sections will help you to configure and use the Zoho OneAuth Authenticator as the Two-Factor Authentication (TFA):

1. Configuring TFA in PAM360
2. Enforcing TFA for Required Users
3. Connecting to PAM360 Web Interface when TFA via Zoho OneAuth - Authenticator is Enabled
4. Troubleshooting Tip

1. Configuring TFA in PAM360

1. Navigate to 'Admin >> Authentication >> Two-factor Authentication'.
2. Enable the option Zoho OneAuth - Authenticator and click Save.
3. Click on Confirm to enforce Zoho OneAuth - Authenticator as the second factor of authentication.

2. Enforcing TFA for Required Users

Once you enforce the Zoho OneAuth - Authenticator as the second factor of authentication, a new window will prompt with the existing PAM360 users details.. Select the users for whom the TFA is to be enforced.

1. From here, you can enable or disable the TFA individually or in bulk:
   1. To enable TFA individually, click the Enable button beside their respective username.
   2. To enable TFA in bulk, select the required usernames and click the Enable button at the top of the users' list.
   3. Similarly, follow the above steps with the Disable button to disable the TFA for the respective users.
   
2. You can also enable/disable TFA for the users later by navigating to 'Users >> More Actions >> Two-factor Authentication'.

3. Connecting to PAM360 Web Interface with Enabled Zoho OneAuth - Authentication

3.1 Prerequisite

Before you log in to PAM360, install Zoho OneAuth - Authenticator application on your smartphone or tablet. To install, and to know more about Zoho OneAuth, click here.

3.2 Connecting to the PAM360 Web Interface

As mentioned in the above section, for the TFA-enabled users, the first level of authentication will be through the usual authentication, i.e., the users have to authenticate through PAM360's local authentication or AD/Microsoft Entra ID/LDAP authentication. Follow the below steps to configure the PAM360 account in the Zoho OneAuth - Authenticator during the initial login for TFA:

1. Upon launching the PAM360 web interface, the user has to enter the local authentication credentials or Microsoft Entra ID/AD/LDAP password to log in to PAM360 and click Login.

2. If you log in to PAM360 for the first time after enabling TFA through Zoho OneAuth - Authenticator, you will be prompted to associate it with your PAM360 account. Follow the below steps to associate Zoho OneAuth - Authenticator with your PAM360 account:
   1. Launch the Zoho OneAuth application on your mobile device/tablet and tap Authenticator from the bottom pane.
   2. Tap the '+' button or click Add new.
   
   3. Click Scan a QR secret and point your device to the barcode shown in the PAM360 GUI. This will automatically configure your PAM360 account in the Zoho OneAuth - Authenticator application and will start generating the authentication codes for PAM360.
   4. After the configuration, you can enter the current generated code in Zoho OneAuth - Authenticator for authentication in the PAM360 GUI text box.
   
3. If you have trouble scanning the barcode, the automatic setup will not work. Alternatively, you can carry out the following manual steps in the Zoho OneAuth - Authenticator application to complete the configuration process:
   1. Click the text 'I have trouble scanning this barcode!' present below the barcode in the PAM360 GUI.
   2. From the Zoho OneAuth application, tap the '+' button or click Add new.
   3. Select Manual Entry and enter the Issuer name, User name, and the Secret key. The Secret Key is the alphanumeric key shown in the PAM360 GUI.
   4. Select the folder and the account brand icon and click DONE.
4. Zoho OneAuth - Authenticator is now configured and will start generating the authentication codes periodically. Enter the current generated code to continue logging in to PAM360.

4. Troubleshooting Tip

As you know, the Zoho OneAuth Authenticator is associated with your PAM360 account. If you lose your mobile device/tablet or accidentally delete the Zoho OneAuth - Authenticator app from your device, you will still be able to get the generated codes to log in to PAM360. In such scenarios,

1. Click the link "Have trouble using Zoho OneAuth - Authenticator?" on the PAM360 login screen.
2. You will be prompted to enter your PAM360 Username and the Email address associated with PAM360.
3. You will receive instructions to get Zoho OneAuth - Authenticator again via the above-mentioned Email.