Two-factor authentication

Two-factor authentication adds an extra layer of security to the product. When you try to access RecoveryManager Plus, the login process will be complete only after the two-factor authentication is completed. Users with the Admin role can bypass TFA.

To enable TFA,

  1. Log in to RecoveryManager Plus as an administrator.
  2. Navigate to Delegation tab → Configuration → Logon Settings → Two-factor Authentication.
  3. Toggle the button near Two-Factor Authentication. RecoveryManager Plus provides the following modes of secondary authentication.

Click on the name of any method to learn how to set up that method as the second authentication factor.

Note: After configuring TFA, if users cannot access their phones or face issues with the selected second-factor authentication method, you can use Backup Verification Codes to log in. When enabled, a total of five codes will be generated. A code once used will become obsolete and cannot be used again. Users also have the option to generate new codes. To learn how to enable backup verification code, click here.

Email verification

When this option is selected, RecoveryManager Plus sends a verification code via email to the user’s email address. The user has to enter the verification code to successfully login.

Prerequisites: To use this method as your secondary authentication method, it is mandatory to have configured a mail server with RecoveryManager Plus. If you haven’t already, follow the steps listed here to configure a mail server.

  • Mark the checkbox against Enable Email verification.
  • Provide a subject line and message of your choice. You can personalize the message with Macros. To view the list of available Macros, click on the Macros link at the bottom of the message text box.
  • Click Save.
  • When users next try to log in to RecoveryManager Plus, they will be prompted to add Email Verification as a verification method after authentication using username and password is successful. Select Email Verification and click Next.
  • Enter the email address to which you wish to receive the verification code and click Send code.
  • Copy the verification code from the email and enter the code in the space provided.
  • Mark the checkbox against Trust this browser if you do not want to verify every time you log in. You will only be asked to verify once every 180 days.
    • Note: Do not use this option if more than one person uses the same machine.
  • Click Verify Code.

Google Authenticator

When this option is selected, users will be required to enter a six-digit security code generated by the Google Authenticator app for identity verification.

  • Click on the Enable Google Authenticator button.
  • When users next try to log in to RecoveryManager Plus, they will be prompted to add Google Authenticator as a verification method after authentication using username and password is successful. Select Google Authenticator and click Next.
  • Install and open Google Authenticator on your mobile phone.
  • Navigate to Scan a QR code in your Google Authenticator app and scan the QR code present in the RecoveryManager Plus login screen. Copy the code displayed in the authenticator app and enter the code in the space provided on the login page.
    • Note:
    • If you are having trouble viewing the QR code, click the Click here link below the QR code.
    • In the Google Authenticator app, enter your account name.
    • Enter the secret key displayed on the screen.
    • Select Time-based as the alogorithm type.
    • Copy the code displayed in the authenticator app and enter the code in the space provided for the secret code.
  • Mark the checkbox against Trust this browser if you do not want to verify every time you log in. You will only be asked to verify once every 180 days.
    • Note: Do not use this option if more than one person uses the same machine.
  • Click Verify Code.

Duo Security

Users can use the six digit security codes generated by the Duo mobile app or push notification to log in to RecoveryManager Plus.

  • Login to your Duo Security account (e.g., https://admin-325d33c0.duosecurity.com) or sign up for a new account, and log in.
  • Navigate to the Applications section in the left pane.
  • Click on the Protect an Application option.
  • Search for Web SDK and click on Protect this Application.
  • Copy the Integration Key, Secret Key, and API Hostname.
  • In the RecoveryManager Plus console, mark the checkbox against Enable Duo Security.
  • Paste the Integration Key, Service Key, and API Hostname copied in the previous step.
  • Select the Desired Username Pattern from the available choices and click Save.
  • When users next try to log in to RecoveryManager Plus, they will be prompted to add Duo Security as a verification method after authentication using username and password is successful. Select Duo Security and click Next.
  • Open Duo Security on your mobile phone.
  • Navigate to Use a QR code in your Duo Security app and scan the QR code present in the RecoveryManager Plus login screen. Copy the code displayed in the authenticator app and enter the code in the space provided on the login page.
  • Mark the checkbox against Trust this browser if you do not want to verify every time you log in. You will only be asked to verify once every 180 days.
    • Note: Do not use this option if more than one person uses the same machine.
  • Click Verify Code.
Note: Please make sure you select the exact username pattern you use in Duo Security.
Note: If you are using older versions of Internet Explorer, then add the API hostname (e.g., https://api-325d33c0.duosecurity.com) and admin console (e.g., https://admin-325d33c0.duosecurity.com) as a trusted or intranet site.

RADIUS Authentication

RADIUS-based two-factor authentication for AD360 can be configured in two steps.

Step 1: Integrate RADIUS with AD360

  1. Log in to RADIUS server.
  2. Navigate to clients.conf file.(/etc/raddb/clients.conf).
  3. Add the following snippet in the clients.conf file.
    client <RecoveryManagerPlusServerName>
    {
    ipaddr = xxx.xx.x.xxx
    secret = <secretCode>
    nastype = other
    }
  4. Restart RADIUS server.

Step 2: Configure RecoveryManager Plus for RADIUS

  1. In RecoveryManager Plus, mark the checkbox against Enable RADIUS Authentication.
  2. Provide the Server Name/IP address and the Server Port in the respective fields.
  3. Select the Authentication Scheme from the drop-down box.
  4. Provide the Secret Key that was added to the clients.conf file in RADIUS server.
  5. Select the Desired Username Pattern from the available choices.
  6. Provide a limit for the Request Time Out (in secs) and click Save.
  7. When users next try to log in to RecoveryManager Plus, they will be prompted to verify RADIUS Authentication as a verification method after authentication using username and password is successful. Select RADIUS Authentication and click Next.
  8. Enter the RADIUS password.
  9. Mark the checkbox against Trust this browser if you do not want to verify every time you log in. You will only be asked to verify once every 180 days.
    10. Note: Do not use this option if more than one person uses the same machine.
  10. Click Verify Code.
Note: Username Pattern is case-sensitive. Please make sure you select the exact pattern (uppercase or lowercase) you use in your RADIUS server.

Microsoft Authenticator

When this option is selected, users will be required to enter a code generated in the Microsoft Authenticator app during the login process.

  • Click Enable Microsoft Authenticator.
  • When users next try to log in to RecoveryManager Plus, they will be prompted to add Microsoft Authenticator as a verification method after authentication using username and password is successful. Select Microsoft Authenticator and click Next.
  • Install and open Microsoft Authenticator on your mobile phone.
  • During logon, navigate to Scan QR code in your Microsoft Authenticator app and scan the QR code displayed in the RecoveryManager Plus login screen.
  • Enter the code generated by the Microsoft Authenticator app in your smartphone.
    Note:
    • If you are having trouble viewing the QR code, click the Click here link below the QR code.
    • In the Microsoft Authenticator app, enter your account name.
    • Enter the secret key displayed on the screen.
    • Copy the code displayed in the authenticator app and enter the same in the space provided for the secret code.
  • Mark the checkbox against Trust this browser if you do not want to verify every time you log in. You will only be asked to verify once every 180 days.

    Note: Do not use this option if more than one person uses the same machine.

  • Click Verify Code.

Backup Verification Codes

To enable backup verification codes,

  1. Mark the check-box against Backup Verification Code.
  2. Once enabled, technicians will be notified to configure their codes when they log in to RecoveryManager Plus. On clicking Configure Now, they will be taken to the two-factor authentication settings page.
  3. Click the Manage Backup Verification Codes link to view the codes.
  4. Technicians can also download the codes as a text file, print them, get it delivered to their personal email address, or generate new codes.

Using the backup verification code to login

If technicians find themselves unable to get to their phones or use their selected authentication factor, they can use their backup codes by following the steps listed below.

  1. In the second-factor authentication page, click the Use backup verification codes link.
  2. In the backup verification code page, enter one of your backup verification codes and click Verify Code to login.

Upon successful authentication, the technician will be logged in.

Note: If you cannot access your backup verification codes, follow the steps listed here to log in to the product.

Managing users who have enrolled for two-factor authentication

As an admin, you can view which authentication method other technicians have enrolled for and remove users’ enrollment for two-factor authentication using the Enrolled Users option.

To do so, follow the steps below:

  1. Under the Two-factor Authentication tab, click Enrolled Users.
  2. In the TFA Enrolled Users pop up, you can view the list of users who have enrolled for two-factor authentication and the authentication method they have chosen.
  3. To remove a user, select the user and click the icon-delete icon.

Personalizing two-factor authentication settings

Technicians who have enrolled for two-factor authentication can modify their preferred authentication method and manage trusted browsers by following the steps below:

  1. Log in to RecoveryManager Plus.
  2. Click the icon-profile icon in the top-right corner and click Personalize.
  3. Select Two-Factor Authentication from the left pane.
  4. To modify authentication mode, click Modify Authentication mode and make the necessary changes.
  5. To manage trusted browser, click Manage Trusted Browsers and make the necessary changes.
Copyright © 2023, ZOHO Corp. All Rights Reserved.
Get download link