Setting up Two-Factor Authentication (TFA) - Microsoft Authenticator
Microsoft Authenticator is a software-based authentication token developed by Microsoft. The token provides a six-digit number that users must enter as the second factor of authentication. You need to install the Microsoft Authenticator app on your smart phone or tablet devices. It generates a six-digit number, which changes every 30 seconds. With the app, you don’t have to wait a few seconds to receive a text message. Here's the sequence of events involved in using Microsoft Authenticator as the second level of authentication to login to PAM360:
- A user tries to access PAM360 web-interface.
- PAM360 authenticates the user through Active Directory or LDAP or locally (first factor).
- PAM360 requests for the second factor credential through Microsoft Authenticator.
- The user has to enter the six-digit token that they see on the Microsoft Authenticator app GUI.
- PAM360 grants the user access to the web-interface.
Here are the steps required:
Step 1: Configuring TFA in PAM360
- Navigate to Admin >> Authentication >> TFA.
- Choose the option Microsoft Authenticator, and click Save.
- Click Confirm to enforce Microsoft Authenticator as the second factor of authentication.
Step 2: Enforcing TFA for the required users.
- Once you confirm Microsoft Authenticator as the second factor of authentication in the previous step, a new window will prompt you to select the users for whom TFA should be enforced.
- You can enable or disable TFA for a single user or multiple users in bulk from here. To enable TFA for a single user, click on the 'Enable' button beside their respective username. For multiple users, select the required usernames and click on 'Enable' at the top of the user list. Similarly, you can also 'Disable' TFA from here.
- Close the window.
- You can also select the users later by navigating to Users >> More Actions >> Two-factor Authenitcation.
- In the window that opens, select the users for whom you want to enforce YubiKey TFA.
How to connect to PAM360 Web Interface when TFA via Microsoft Authenticator is enabled?
To use Microsoft Authenticator as the second factor of authentication, you should first install the app in your smart phone or tablet.
Connecting to the PAM360 Web Interface
The users for whom TFA is enabled will have to authenticate twice successively. The first level of authentication will be through the usual authentication, i.e., the users have to authenticate through PAM360's local authentication or AD/LDAP authentication, whichever is enabled.
- Launch PAM360 web interface, enter the Username and Password (local authentication or AD/LDAP), and click Login.
- Associating Microsoft Authenticator with your PAM360 account:
- When you are logging in for the first time after enabling TFA through Microsoft Authenticator, you will be prompted to associate it with your account in PAM360. After launching the Microsoft Authenticator app in your mobile device or tablet, click on "Add Account" or the "+" button. Choose "Other (Google, Facebook, etc.)" for the kind of account you're adding, since PAM360 is not a Microsoft extension.
- Here, you can either scan the QR code displayed in your Password Manger pro website by scanning the barcode shown in the GUI, or Enter Code Manually.
- If you choose to enter the code manually, the GUI will prompt you to enter an account name and a security key.
- Supply an Account name for your PAM360 account in the format– PAM360:account name (for example. PAM360:email@example.com).
- Provide an alphanumeric string as your Secret key, and then click Finish.
- Microsoft Authenticator will now start generating codes periodically, that changes every 30 seconds.
- You can enter this code in the text box provided in the PAM360 login page for the second level of authentication.
As mentioned earlier, the Microsoft Authenticator is associated with your PAM360 account. If you ever lose your mobile device/tablet OR if you accidentally delete the Microsoft Authenticator app on your device, you will still be able to get tokens to log in to PAM360. In such scenarios, just click the link "Have trouble using Microsoft Authenticator?" in the PAM360 login screen. You will be prompted to enter your PAM360 username and the email address associated with PAM360. Once done, you will receive instructions to get Microsoft Authenticator again.
If You have Configured High Availability
Whenever you enable TFA or when you change the TFA type (PhoneFactor, RSA SecurID, One-time password, RADIUS, or Duo) and if you have configured high availability, you need to restart the PAM360 secondary server once.