Two-Factor Authentication (TFA) in Applications Manager
Overview
Two Factor Authentication (TFA) provides an additional level of authentication and improves security by requiring the user to provide a unique time-based one time password (TOTP) generated through Authenticator Apps, or as a one time password (OTP) sent to the user's configured email address. TFA strengthens authentication and prevents unauthorized access.
Once enabled, users will be prompted to enter the One Time Password (OTP) along with their default password.
Steps to configure TFA
To configure Two Factor Authentication in Applications Manager, follow the steps given below:
- Go to Settings → User Management → Two Factor Authentication.
- Select the Enable Two Factor Authentication (TFA) option.
- Choose the desired Authentication Mode. Authentication can be performed using any one of the following methods:
- Authenticator Apps (TOTP): Allows you to authenticate using Time-based One Tine Password (TOTP) generated via Authenticator apps. Some examples of Authenticator apps include but not limited to Google Authenticator, Microsoft Authenticator, Duo, Zoho OneAuth etc. Learn more
Note: All users will be prompted to set up their Authenticator app during their next login. Learn more
- Email: Allows you to authenticate using One Time Password (OTP) sent via email to the user's configured email address. Learn more
Note: Mail Server Settings and Email ID's for all users need to be configured for the Email Authentication Mode.
- Specify the number of days for which the browser must remember your login. With this, you will not be required to provide TOTP/OTP while logging in on that browser for the specified number of days. This will be applicable to everyone and is up to the user to select the checkbox to trust the browser during login.
- Click Save.
After configuring the above settings, Two-Factor Authentication can be performed in Applications Manager by following the steps based on any of the below Authentication Modes chosen:
Note: Support for TFA authentication in the mobile app (android+ios) is included from v16640 in the following versions:
- Android : 2.4.0
- IOS : 2.3.3
Authentication using Authenticator apps
- During the next login, install the app and follow the steps shown on screen to configure your desired Authenticator app on your mobile device, which is a one-time process.
- Then, enter the OTP generated in the Authenticator app to login as a second factor to able to access the product UI.
Note: The time in the configured mobile device must be in sync with the Applications Manager server time.
Authentication using email
- If the mode of Authentication is chosen as Email, then the OTP will be sent via email to the configured email address.
- Then, enter the OTP generated in the email to login as a second factor to able to access the product UI.
Note: Mail server should be reachable for Applications Manager with a connection time out of 1 minute in order for Applications Manager to be able to send OTP in mail.
Troubleshooting steps
In the event that a new TOTP secret is required due to the loss of the mobile device configured or for any other such reason:
- The super admin can go to Settings → User Management → Select respective users and click on the Reset TOTP secret icon to reset TOTP for them.
- If the super-admin itself has lost the configured mobile device/is unable to retrieve the OTP from App/Email, then TFA can only be disabled manually in the server where Applications Manager is installed. To troubleshoot, follow the steps below:
- Shutdown Applications Manager.
- Open the AMServer.properties file located under <Applications Manager Home>/conf/ directory.
- Add the key am.twofactor.authentication.status=disable and save the file.
- Start Applications Manager and proceed for login.
- Enable Two-factor authentication whenever required.