Two-factor authentication

Two-factor authentication adds an extra layer of security to the product. When you try to access RecoveryManager Plus, the login process will be complete only after the two-factor authentication is completed. Users with the Admin role can bypass TFA.

To enable TFA,

1. Log in to RecoveryManager Plus as an administrator.
2. Navigate to Delegation tab → Configuration → Logon Settings → Two-factor Authentication.
3. Toggle the button near Two-Factor Authentication. RecoveryManager Plus provides the following modes of secondary authentication.
• Email verification
• Google Authenticator
• Duo Security
• RADIUS Authentication
• Microsoft Authenticator

Click on the name of any method to learn how to set up that method as the second authentication factor.

Email verification

When this option is selected, RecoveryManager Plus sends a verification code via email to the user’s email address. The user has to enter the verification code to successfully login.

Prerequisites: To use this method as your secondary authentication method, it is mandatory to have configured a mail server with RecoveryManager Plus. If you haven’t already, follow the steps listed here to configure a mail server.

• Mark the checkbox against Enable Email verification.
• Provide a subject line and message of your choice. You can personalize the message with Macros. To view the list of available Macros, click on the Macros link at the bottom of the message text box.
• Click Save.
• When users next try to log in to RecoveryManager Plus, they will be prompted to add Email Verification as a verification method after authentication using username and password is successful. Select Email Verification and click Next.
• Enter the email address to which you wish to receive the verification code and click Send code.
• Copy the verification code from the email and enter the code in the space provided.
• Mark the checkbox against Trust this browser if you do not want to verify every time you log in. You will only be asked to verify once every 180 days.

Note: Do not use this option if more than one person uses the same machine.

• Click Verify Code.

Google Authenticator

When this option is selected, users will be required to enter a six-digit security code generated by the Google Authenticator app for identity verification.

• Click on the Enable Google Authenticator button.
• When users next try to log in to RecoveryManager Plus, they will be prompted to add Google Authenticator as a verification method after authentication using username and password is successful. Select Google Authenticator and click Next.
• Install and open Google Authenticator on your mobile phone.
• Navigate to Scan a QR code in your Google Authenticator app and scan the QR code present in the RecoveryManager Plus login screen. Copy the code displayed in the authenticator app and enter the code in the space provided on the login page.
Note:
• If you are having trouble viewing the QR code, click the Click here link below the QR code.
• In the Google Authenticator app, enter your account name.
• Enter the secret key displayed on the screen.
• Select Time-based as the alogorithm type.
• Copy the code displayed in the authenticator app and enter the code in the space provided for the secret code.
• Mark the checkbox against Trust this browser if you do not want to verify every time you log in. You will only be asked to verify once every 180 days.

Note: Do not use this option if more than one person uses the same machine.

• Click Verify Code.

Duo Security

If your organization uses Duo Security for two-factor authentication, it can be integrated with RecoveryManager Plus to secure logins. To log in to RecoveryManager Plus, users need to approve a push notification or enter the six-digit security code generated by the Duo mobile app. Authentication via Duo Security can be configured in two ways in RecoveryManager Plus: Web v2 SDK and Web v4 SDK

Web v2 SDK uses a traditional Duo prompt which will be displayed in an iframe in RecoveryManager Plus, whereas Web v4 SDK uses Duo's OIDC-based universal prompt with a redesigned UI that redirects users to Duo for authentication.

Note: Duo Security has phased out Web v2 SDK. We recommend using Web v4 SDK.

Prerequisites

• Add the API hostname and admin console (e.g., https://admin-325d33c0.duosecurity.com ) as a trusted site or intranet site in the users' machine if they are using older versions of Internet Explorer.
• Please follow these steps in the Duo Admin Panel to migrate from Web v2 SDK, which uses the traditional prompt, to Web v4 SDK, which employs the new Universal Prompt.

Web v4 SDK configuration steps

Note: It is required to have a secure connection to set up the Web v4 SDK authentication. Please make sure that you have enabled HTTPS connection in RecoveryManager Plus.

1. Login to your Duo Security account (e.g., https://admin325d33c0.duosecurity.com ) or sign up for a new account, and log in.
2. Navigate to the Applications section in the left pane.
3. Click on the Protect an Application option.
4. Search for Web SDK and click Protect.
5. Copy the Client ID, Client secret, and API hostname values.
6. In RecoveryManager Plus, navigate to Delegation > Configuration> Logon Settings > Two-Factor Authentication > Duo Security.
7. Check the Enable Duo Security box, and select Web v4 SDK for Integration Type.
8. Paste the Client ID, Client secret, and API hostname obtained from the Duo Admin Panel in the respective fields.
9. Enter the same username pattern used in Duo Security in the Username Pattern field.
10. Click Save.

Web v2 SDK configuration steps

1. Login to your Duo Security account (e.g., https://admin325d33c0.duosecurity.com ) or sign up for a new account, and log in.
2. Navigate to the Applications section in the left pane.
3. Click on the Protect an Application option.
4. Search for Web SDK and click Protect.
5. Copy the Integration key, Secret key, and API hostname values.
6. In RecoveryManager Plus, navigate to Delegation > Configuration> Logon Settings > Two-Factor Authentication > Duo Security.
7. Check the Enable Duo Security box and select Web v2 SDK for Integration Type.
8. Paste the Integration key, Secret key, and API hostname obtained from the Duo Admin Panel in the respective fields.
9. Enter the same username pattern used in Duo Security in the Username Pattern field.
10. Click Save.

Steps to migrate to the new Universal Prompt

1. In the Duo Admin Panel, select the Web SDK application which was previously configured for RecoveryManager Plus, and copy the Integration key, Secret key and API hostname values.
2. Scroll down to the Universal Prompt section. The App Update Ready message will be displayed, indicating that Universal Prompt can now be activated for RecoveryManager Plus.



3. In RecoveryManager Plus, navigate to Delegation > Configuration > Logon Settings > Two-Factor Authentication > Duo Security.
4. Click Web v4 SDK and paste the Integration key, Secret key, and API hostname values in the Client ID, Client Secret, and API Host name fields respectively.
5. Once the Web v4 SDK is configured in RecoveryManager Plus and a user authenticates through the frameless Duo v4 SDK, the App Update Ready message in Duo Admin Panel will be updated and the New Prompt Ready message will be displayed.



6. Select Show new Universal Prompt to activate the universal prompt for RecoveryManager Plus.

RADIUS Authentication

RADIUS-based two-factor authentication for AD360 can be configured in two steps.

Step 1: Integrate RADIUS with AD360

1. Log in to RADIUS server.
2. Navigate to clients.conf file.(/etc/raddb/clients.conf).
3. Add the following snippet in the clients.conf file.
   client <RecoveryManagerPlusServerName>
   {
   ipaddr = xxx.xx.x.xxx
   secret = <secretCode>
   nastype = other
   }
4. Restart RADIUS server.

Step 2: Configure RecoveryManager Plus for RADIUS

1. In RecoveryManager Plus, mark the checkbox against Enable RADIUS Authentication.
2. Provide the Server Name/IP address and the Server Port in the respective fields.
3. Select the Authentication Scheme from the drop-down box.
4. Provide the Secret Key that was added to the clients.conf file in RADIUS server.
5. Select the Desired Username Pattern from the available choices.
6. Provide a limit for the Request Time Out (in secs) and click Save.
7. When users next try to log in to RecoveryManager Plus, they will be prompted to verify RADIUS Authentication as a verification method after authentication using username and password is successful. Select RADIUS Authentication and click Next.
8. Enter the RADIUS password.
9. Mark the checkbox against Trust this browser if you do not want to verify every time you log in. You will only be asked to verify once every 180 days.

Note: Do not use this option if more than one person uses the same machine.

10. Click Verify Code.

Microsoft Authenticator

When this option is selected, users will be required to enter a code generated in the Microsoft Authenticator app during the login process.

• Click Enable Microsoft Authenticator.
• When users next try to log in to RecoveryManager Plus, they will be prompted to add Microsoft Authenticator as a verification method after authentication using username and password is successful. Select Microsoft Authenticator and click Next.
• Install and open Microsoft Authenticator on your mobile phone.
• During logon, navigate to Scan QR code in your Microsoft Authenticator app and scan the QR code displayed in the RecoveryManager Plus login screen.
• Enter the code generated by the Microsoft Authenticator app in your smartphone.
  Note:

  • If you are having trouble viewing the QR code, click the Click here link below the QR code.
  • In the Microsoft Authenticator app, enter your account name.
  • Enter the secret key displayed on the screen.
  • Copy the code displayed in the authenticator app and enter the same in the space provided for the secret code.
• Mark the checkbox against Trust this browser if you do not want to verify every time you log in. You will only be asked to verify once every 180 days.

  Note: Do not use this option if more than one person uses the same machine.

• Click Verify Code.

Backup Verification Codes

To enable backup verification codes,

1. Mark the check-box against Backup Verification Code.
2. Once enabled, technicians will be notified to configure their codes when they log in to RecoveryManager Plus. On clicking Configure Now, they will be taken to the two-factor authentication settings page.
3. Click the Manage Backup Verification Codes link to view the codes.
4. Technicians can also download the codes as a text file, print them, get it delivered to their personal email address, or generate new codes.

Using the backup verification code to login

If technicians find themselves unable to get to their phones or use their selected authentication factor, they can use their backup codes by following the steps listed below.

1. In the second-factor authentication page, click the Use backup verification codes link.
2. In the backup verification code page, enter one of your backup verification codes and click Verify Code to login.

Upon successful authentication, the technician will be logged in.

Managing users who have enrolled for two-factor authentication

As an admin, you can view which authentication method other technicians have enrolled for and remove users’ enrollment for two-factor authentication using the Enrolled Users option.

To do so, follow the steps below:

1. Under the Two-factor Authentication tab, click Enrolled Users.
2. In the TFA Enrolled Users pop up, you can view the list of users who have enrolled for two-factor authentication and the authentication method they have chosen.
3. To remove a user, select the user and click the icon.

Personalizing two-factor authentication settings

Technicians who have enrolled for two-factor authentication can modify their preferred authentication method and manage trusted browsers by following the steps below:

1. Log in to RecoveryManager Plus.
2. Click the icon in the top-right corner and click Personalize.
3. Select Two-Factor Authentication from the left pane.
4. To modify authentication mode, click Modify Authentication mode and make the necessary changes.
5. To manage trusted browser, click Manage Trusted Browsers and make the necessary changes.

Previous Topic Next Topic