Two-factor authentication adds an extra layer of security to the product. When you try to access RecoveryManager Plus, the login process will be complete only after the two-factor authentication is completed. Users with the Admin role can bypass TFA.
To enable TFA,
- Log in to RecoveryManager Plus as an administrator.
- Navigate to Delegation tab → Configuration → Logon Settings → Two-factor Authentication.
- Toggle the button near Two-Factor Authentication. RecoveryManager Plus provides the following modes of secondary authentication.
Click on the name of any method to learn how to set up that method as the second authentication factor.
Note: After configuring TFA, if users cannot access their phones or face issues with the selected second-factor authentication method, they can use Backup Verification Codes to log in. When enabled, a total of five codes will be generated. A code once used will become obsolete and cannot be used again. Users also have the option to generate new codes. To learn how to enable backup verification codes, see the Backup Verification Codes section.
When this option is selected, RecoveryManager Plus sends a verification code via email to the user’s email address. The user has to enter the verification code to log in successfully.
Prerequisites: To use this method as your secondary authentication method, it is mandatory to have configured a mail server with RecoveryManager Plus. If you haven’t already, follow the steps listed here to configure a mail server.
When this option is selected, users will be required to enter a six-digit security code generated by the Google Authenticator app for identity verification.
Users can use the six-digit security codes generated by the Duo mobile app or push notification to log in to RecoveryManager Plus.
Note: Please make sure you select the exact username pattern you use in Duo Security.
Note: If you are using older versions of Internet Explorer, then add the API hostname (e.g., https://api-325d33c0.duosecurity.com) and admin console (e.g., https://admin-325d33c0.duosecurity.com) as a trusted or intranet site.
RADIUS-based two-factor authentication for AD360 can be configured in two steps.
Step 1: Integrate RADIUS with AD360
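- Log in to the RADIUS server.
- Navigate to the clients.conf file (/etc/raddb/clients.conf).
- Add the following snippet in the clients.conf file.
client <clientName> {
    ipaddr = xxx.xx.x.xxx    # address of the server that will send RADIUS requests (the RADIUS client)
    secret = <secretCode>    # shared secret; the same value is entered as the Secret Key in Step 2
    nastype = other
}
- Restart the RADIUS server.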
Step 2: Configure RecoveryManager Plus for RADIUS
- In RecoveryManager Plus, mark the checkbox against Enable RADIUS Authentication.
- Provide the Server Name/IP address and the Server Port in the respective fields.
- Select the Authentication Scheme from the drop-down box.
- Provide the Secret Key that was added to the clients.conf file on the RADIUS server.
- Select the Desired Username Pattern from the available choices.
- Provide a limit for the Request Time Out (in secs) and click Save.
- When users next try to log in to RecoveryManager Plus, they will be prompted to verify RADIUS Authentication as a verification method after authentication using username and password is successful. Select RADIUS Authentication and click Next.
- Enter the RADIUS password.
- Mark the checkbox against Trust this browser if you do not want to verify every time you log in. You will only be asked to verify once every 180 days.
Note: Do not use this option if more than one person uses the same machine.
- Click Verify Code.
Note: Username Pattern is case-sensitive. Please make sure you select the exact pattern (uppercase or lowercase) you use in your RADIUS server.
Backup Verification Codes
To enable backup verification codes,
- Mark the checkbox against Backup Verification Code.
- Once enabled, technicians will be notified to configure their codes when they log in to RecoveryManager Plus. On clicking Configure Now, they will be taken to the two-factor authentication settings page.
- Click the Manage Backup Verification Codes link to view the codes.
- Technicians can also download the codes as a text file, print them, have them delivered to their personal email address, or generate new codes.
Using the backup verification code to log in
If technicians find themselves unable to get to their phones or use their selected authentication factor, they can use their backup codes by following the steps listed below.
- In the second-factor authentication page, click the Use backup verification codes link.
- In the backup verification code page, enter one of your backup verification codes and click Verify Code to log in.
Upon successful authentication, the technician will be logged in.
Note: If you cannot access your backup verification codes, follow the steps listed here to log in to the product.
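The behaviour described above (five codes, each usable once, a new set replacing the old one) can be modelled as follows. This is an added example, not RecoveryManager Plus code: the `BackupCodes` class, the 10-character hex code format and the salted PBKDF2 storage are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 5  # the page states that five codes are generated


class BackupCodes:
    """Single-use backup verification codes for one user (illustrative)."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._hashes = set()      # only digests are kept, never the codes

    def _digest(self, code: str) -> bytes:
        # Ignore separators and case so a hand-typed code still matches.
        normalized = code.replace("-", "").replace(" ", "").lower()
        return hashlib.pbkdf2_hmac("sha256", normalized.encode(), self._salt, 100_000)

    def generate(self) -> list:
        """Issue a fresh set; every previously issued code stops working."""
        self._salt = secrets.token_bytes(16)
        codes = set()
        while len(codes) < CODE_COUNT:
            codes.add(secrets.token_hex(5))       # assumed format: 10 hex chars
        self._hashes = {self._digest(c) for c in codes}
        return sorted(codes)      # shown to the user once: download, print, email

    def verify(self, code: str) -> bool:
        """Accept a code at most once; a used code becomes obsolete."""
        candidate = self._digest(code)
        match = None
        for stored in self._hashes:
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            return False
        self._hashes.discard(match)
        return True

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    store = BackupCodes()
    issued = store.generate()
    print(store.verify(issued[0]), store.verify(issued[0]), store.remaining())
```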
Managing users who have enrolled for two-factor authentication
As an admin, you can view which authentication method other technicians have enrolled for and remove users’ enrollment for two-factor authentication using the Enrolled Users option.
To do so, follow the steps below:
- Under the Two-factor Authentication tab, click Enrolled Users.
- In the TFA Enrolled Users pop up, you can view the list of users who have enrolled for two-factor authentication and the authentication method they have chosen.
- To remove a user, select the user and click the icon.
Personalizing two-factor authentication settings
Technicians who have enrolled for two-factor authentication can modify their preferred authentication method and manage trusted browsers by following the steps below:
- Log in to RecoveryManager Plus.
- Click the icon in the top-right corner and click Personalize.
- Select Two-Factor Authentication from the left pane.
- To modify authentication mode, click Modify Authentication mode and make the necessary changes.
- To manage trusted browsers, click Manage Trusted Browsers and make the necessary changes.