Setting up Two-Factor Authentication (TFA) - One-Time Password sent through Email
- Overview
- Sequence of Events
- Configuring Two-Factor Authentication
- Enforcing Two-Factor Authentication for Required Users
- Connecting to KMP Web Interface when TFA via OTP is Enabled
1. Overview
Key Manager Plus supports Two-Factor Authentication via a One-time Password (OTP). With this option, Key Manager Plus generates a unique random code and emails it to the user after the first level of authentication. The user must enter the code received by email to pass the second level. Each code is single-use: if the user logs out and tries to log in again, the code emailed earlier will not be accepted. Instead, a new code is sent to their email, which they must use for that authentication.
In this document, you will learn to configure Two-Factor Authentication via a One-time Password in Key Manager Plus.
2. Sequence of Events
Here's the sequence of events involved in using a One-time Password as the second level of authentication to log in to Key Manager Plus:
- A user tries to access the Key Manager Plus web interface.
- Key Manager Plus authenticates the user through Active Directory/LDAP/SAML or locally (first factor).
- Key Manager Plus generates a unique code and emails it to the user.
- Key Manager Plus prompts for the unique code (the second-factor credential).
- The user enters the code that Key Manager Plus sent to their configured email address.
- Key Manager Plus grants the user access to the web interface.
3. Configuring Two-Factor Authentication
- Navigate to Settings >> Other Settings >> Two-Factor Authentication.
- Choose One-time password sent through Email and click Save.
4. Enforcing Two-Factor Authentication for Required Users
- Once you confirm One-time Password through email as the second factor of authentication in the previous step, a new window prompts you to select the users for whom Two-Factor Authentication should be enforced.
- From here you can Enable or Disable Two-Factor Authentication for a single user or for multiple users in bulk.
- You can also enable or disable Two-Factor Authentication while adding or editing a user from Settings >> User Management >> Users.
5. Connecting to KMP Web Interface when TFA via OTP is Enabled
Users for whom two-factor authentication is enabled will have to authenticate twice in succession. As explained above, the first level is the usual authentication: the user authenticates through Key Manager Plus's local authentication or through AD/LDAP/SAML. If the administrator has chosen the TFA option "One time password sent through email", the two-factor authentication proceeds as detailed below:
- Launch Key Manager Plus web interface, enter the Username and Password (local authentication or AD/LDAP/SAML), and click Login.
- Once the first level of authentication succeeds, Key Manager Plus will generate a random code and email it to the user.
- The user has to fetch the code from the email and enter it as the second password.
- If the second authentication succeeds, the user will be allowed to view the Key Manager Plus web interface.
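The single-use behaviour described in the Overview and in the login steps above (a code is accepted once, an earlier code is rejected after a new login, and a code cannot be replayed) can be modelled server-side as follows. This is an added illustration, not Key Manager Plus code; the code length, lifetime, attempt limit and in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 6          # digits in the emailed code (assumed)
CODE_LIFETIME = 300      # seconds a code stays valid (assumed)
MAX_ATTEMPTS = 3         # wrong entries before the code is discarded (assumed)

# Pending challenge per user: username -> [code_hash, expires_at, attempts_left].
# Only a hash is kept, so a leaked store does not yield usable codes.
# A real deployment would keep this in a database shared by all nodes.
_pending = {}


def _digest(username, code):
    return hashlib.sha256(f"{username}:{code}".encode()).hexdigest()


def issue_code(username, send, now=None):
    """Call after the first factor (local/AD/LDAP/SAML) succeeds.
    Mints a fresh random code, records its hash, and passes the plaintext
    to send(username, code) for email delivery. Any earlier unused code
    for this user is overwritten and can no longer be used."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
    _pending[username] = [_digest(username, code), now + CODE_LIFETIME, MAX_ATTEMPTS]
    send(username, code)


def verify_code(username, submitted, now=None):
    """Second factor. Returns True exactly once per issued code; expired,
    already-used, replaced or over-guessed codes are rejected."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False                      # nothing pending: never issued or already used
    code_hash, expires_at, attempts_left = entry
    if now > expires_at or attempts_left <= 0:
        del _pending[username]
        return False
    if hmac.compare_digest(code_hash, _digest(username, submitted)):
        del _pending[username]            # single use: consumed on success
        return True
    entry[2] -= 1                         # bound guessing; discard when exhausted
    if entry[2] <= 0:
        del _pending[username]
    return False
```

The `send` callback stands in for the mailer; in the flow above it would deliver the code to the address configured for the user.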