Setting up Two-Factor Authentication (TFA) - Google Authenticator
Google Authenticator is a software-based authentication token developed by Google. The app generates a six-digit, time-based one-time password that users enter as the second factor of authentication.
You need to install the Google Authenticator app on your smartphone or tablet. It generates a six-digit code that changes every 30 seconds. The code is computed on the device itself, so there is no text message to wait for and no network connection is needed to obtain it. The sections below explain how to enable Google Authenticator as the second factor in PAM360 and how users enroll their device and log in.
Following is the sequence of events involved in using Google Authenticator as the second factor:
- A user tries to access PAM360 web-interface.
- PAM360 authenticates the user through Active Directory or LDAP or locally (first factor).
- PAM360 prompts for the second factor credential through Google Authenticator.
- The user enters the six-digit code currently displayed in the Google Authenticator app.
- PAM360 grants the user access to the web-interface.
Here are the steps required:
Step 1: Configuring TFA in PAM360
- Navigate to Admin >> Authentication >> Two-factor Authentication.
- Choose the option "Google Authenticator".
- Click Save.
- Then, click on Confirm to enforce Google Authenticator as the second factor of authentication.
Step 2: Enforcing TFA for Required Users
- Once you confirm Google Authenticator as the second factor of authentication in the previous step, a new window will prompt you to select the users for whom TFA should be enforced.
- From this window you can enable or disable TFA for a single user or for multiple users in bulk. To enable TFA for a single user, click 'Enable' beside that username. For multiple users, select the required usernames and click 'Enable' at the top of the user list. 'Disable' works the same way.
- You can also select the users later by navigating to Users >> More Actions >> Two-factor Authentication.
How to connect to PAM360 web interface when TFA via Google Authenticator is enabled?
To use Google Authenticator as the second factor of authentication, first install the Google Authenticator app on your smartphone or tablet. Google officially supports Android, iPhone, iPad, iPod Touch and BlackBerry devices. Detailed instructions for installing the Google Authenticator app are available on Google's website.
Connecting to PAM360 web interface
Users for whom TFA is enabled have to authenticate twice in succession. As explained above, the first level is the usual authentication: users authenticate through PAM360's local authentication or through AD/Azure AD/LDAP. If the administrator has chosen the TFA option "Google Authenticator", the second level proceeds as follows:
- Upon launching the PAM360 web interface, enter your username and your local, AD, Azure AD or LDAP password, then click "Login".
- Associating Google Authenticator with your account in PAM360: when you log in for the first time after TFA through Google Authenticator has been enabled, you are prompted to associate the app with your PAM360 account. Launch the Google Authenticator app on your mobile device or tablet and tap the '+' button. Then select 'Scan Barcode' and point the device's camera at the barcode shown in the PAM360 window. This configures Google Authenticator to start generating authentication codes for PAM360.
- After completing this, enter the code currently shown in the app into the text box to finish authenticating.
Note: If you cannot scan the barcode, automatic setup is not possible. Instead, add the account manually in the Google Authenticator app on your device:
- Choose 'Time Based' for your token (this is the default selection in the app).
- Supply an identifier for your PAM360 account in the format PAM360:<email address> (for example, PAM360:email@example.com).
- Supply the alphanumeric string shown in the PAM360 window as the key and select 'Done'.
- Google Authenticator is now set up and will periodically generate codes for <PAM360:user@mailid>. Enter the current code in the PAM360 window and submit it to continue logging in.
As mentioned earlier, Google Authenticator is associated with your PAM360 account. If you lose your mobile device or tablet, or accidentally delete the Google Authenticator app, you can still regain the ability to generate tokens for PAM360. In such scenarios, click the link "Have trouble using Google Authenticator?" on the PAM360 login screen. You will be prompted for your PAM360 username and the email address associated with your PAM360 account, and instructions for setting up Google Authenticator again will be sent to that address. Because this recovery path re-enrolls the second factor through email, whoever controls that mailbox can re-enroll it too, so the mailbox should itself be protected by strong authentication.
If you have configured high availability
Whenever you enable TFA or change the TFA type (PhoneFactor, RSA SecurID, one-time password, RADIUS or Duo), and you have configured high availability, restart the PAM360 secondary server once so that it picks up the new setting.