Setting up Two Factor Authentication - Unique Password Generated Through Email
Step 1: Enabling Two Factor Authentication
The first step is to enable two factor authentication. To do that:
- Go to "Admin" tab and click "Two Factor Authentication"
- Choose the option "Unique password generated and sent through Email"
Unique Password Generated Through Email
If you choose this option, after the first level of authentication through the usual way, Password Manager Pro (PMP) will randomly generate a unique password and email it to the user. The user has to enter this second password, sent by email, to authenticate at the second level. The second level password generated and sent by PMP is applicable only for that particular session of the web-interface. If the user logs out and tries to log in again, the same password sent by email earlier will not be accepted. The user has to fetch the password sent by email again and enter it for authentication.
Step 2: Enforcing Two Factor Authentication for Required Users
In Step 1 above, you have chosen the required option for two factor authentication. After choosing this option, you need to apply two factor authentication for the required users.
To enforce two factor authentication for a user,
- Go to "Admin" >> "Users"
- Click the button "Set 2-factor authentication"
- In the UI that opens, select the users for whom two factor authentication is to be enforced
- Click "Save"
How to connect to PMP Web-Interface when TFA is Enabled?
Users for whom two factor authentication is enabled will have to authenticate twice in succession. As explained above, the first level of authentication will be through the usual authentication. That is, the users have to authenticate through PMP's local authentication or AD/LDAP authentication. Depending on the type of TFA chosen by the administrator, the second level of authentication will differ as explained below:
Note: When TFA is enabled, the login screen will ask for the username alone in the first UI. The users will be prompted to enter the passwords only in the second step.
If the administrator has chosen the TFA option "Unique password generated and sent through email", the two factor authentication will happen as detailed below:
- Upon launching the PMP web-interface, the user has to enter the username to log in to PMP and click "Login"
- Then the user has to enter the local authentication password or AD/LDAP domain password as applicable
- Once the first level of authentication succeeds, PMP will generate a random password and email it to the user
- The user has to fetch the email, copy the password it contains and enter it as the second password
- If the second authentication succeeds, the user will be allowed to view the PMP web interface
Note: The second level password generated and sent by PMP is applicable only for that particular session of the web-interface. If the user logs out and tries to log in again, the same password sent by email earlier will not be accepted. The user has to fetch the password sent by email again and enter it for authentication.
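The session-bound behaviour in the steps and note above can be modelled as follows. This is an added example, not PMP's code or a description of its internals; the class, its method names, the `send_email` hook and the sample user are hypothetical.

```python
import hashlib
import hmac
import secrets

class EmailOtpSecondFactor:
    """Hypothetical model of a session-bound, emailed one-time password."""

    def __init__(self, send_email):
        self._send_email = send_email   # assumed mail hook: callable(user, code)
        self._pending = {}              # session_id -> (user, sha256 of code)
        self._verified = set()          # sessions that passed both levels

    def first_factor_passed(self, user):
        """Call only after the local or AD/LDAP password check succeeds."""
        session_id = secrets.token_urlsafe(16)
        code = secrets.token_urlsafe(8)             # random value from the CSPRNG
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[session_id] = (user, digest)  # keep the hash, not the code
        self._send_email(user, code)
        return session_id

    def second_factor(self, session_id, submitted):
        """True only for the code issued to this session; usable once."""
        entry = self._pending.get(session_id)
        digest = hashlib.sha256(submitted.encode()).digest()
        if entry is None or not hmac.compare_digest(digest, entry[1]):
            return False
        del self._pending[session_id]               # consume the code
        self._verified.add(session_id)
        return True

    def logout(self, session_id):
        self._pending.pop(session_id, None)
        self._verified.discard(session_id)

    def is_authenticated(self, session_id):
        return session_id in self._verified

def demo():
    """Constructed walk-through: log in, log out, replay the earlier code."""
    inbox = []                                      # stands in for the mailbox
    tfa = EmailOtpSecondFactor(lambda user, code: inbox.append(code))
    s1 = tfa.first_factor_passed("alice")
    ok_first = tfa.second_factor(s1, inbox[-1])
    tfa.logout(s1)
    s2 = tfa.first_factor_passed("alice")
    replay = tfa.second_factor(s2, inbox[0])        # code from the old session
    fresh = tfa.second_factor(s2, inbox[-1])
    return ok_first, replay, fresh, tfa.is_authenticated(s1)
```

The model leaves out code expiry and a limit on failed attempts, which a deployment of this scheme would normally add.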
If you have configured High Availability
Whenever you enable TFA or change the TFA type (PhoneFactor, RSA SecurID or One-time password), and you have configured high availability, you need to restart the PMP secondary server once.