Setting up Two-Factor Authentication (TFA) - Okta Verify
Okta Verify is a software-based authentication token that provides a six-digit number that users must enter as the second factor of authentication.
You need to install the Okta Verify app on your smart phone or tablet devices. It generates a six-digit number, which changes every 30 seconds. With the app, you don’t have to wait a few seconds to receive a text message. Here's the sequence of events involved in using Okta Verify as the second level of authentication to login to PAM360:
- A user tries to access PAM360 web-interface.
- PAM360 authenticates the user through Active Directory or LDAP or locally (first factor).
- PAM360 requests for the second factor credential through Okta Verify.
- The user has to enter the six-digit token that they see on the Okta Verify app GUI.
- PAM360 grants the user access to the web-interface.
Here are the steps required:
Step 1: Configuring TFA in PAM360
- Navigate to Admin >> Authentication >> Two-factor Authentication.
- Choose the option Okta Verify, and click Save.
- Click Confirm to enforce Okta Verify as the second factor of authentication.
Step 2: Enforcing TFA for Required Users
- Once you confirm the Okta Verify as the second factor of authentication in the previous step, a new window will prompt you to select the users for whom TFA should be enforced.
- You can enable or disable TFA for a single user or multiple users in bulk from here. To enable TFA for a single user, click on the 'Enable' button beside their respective username. For multiple users, select the required usernames and click on 'Enable' at the top of the user list. Similarly, you can also 'Disable' TFA from here.
- Close the window.
- You can also select the users later by navigating to Users >> More Actions >> Two-factor Authenitcation.
- In the window that opens, select the users for whom you want to enforce Okta TFA.
How to Connect to PAM360 Web Interface when TFA via Okta Verify is Enabled?
To use Okta Verify as the second factor of authentication, you should first install the app in your smart phone or tablet.
Connecting to PAM360 Web Interface
The users for whom TFA is enabled will have to authenticate twice successively. The first level of authentication will be through the usual authentication, i.e., the users have to authenticate through PAM360's local authentication or AD/LDAP authentication, whichever is enabled.
- Launch PAM360 web interface, enter the Username and Password (local authentication or AD/LDAP), and click Login.
- Associating Okta Verify with your PAM360 account:
- When you are logging in for the first time after enabling TFA through Okta Verify, you will be prompted to associate it with your account in PAM360. After launching the Okta Verify app in your mobile device or tablet, click on "Add Account" or the "+" button.
- Here, you can either scan the QR code displayed in your PAM360 website, or create an account manually by clicking the "No Barcode?" button.
- If you choose to enter the code manually, the GUI will prompt you to enter an account name and a security key.
- Supply an Account name for your PAM360 account in the format– PAM360 : account name (for example. PAM360:email@example.com).
- Provide an alphanumeric string as your Secret key, and then click Add Account.
- Okta Verify will now start generating codes periodically, that changes every 30 seconds.
- You can enter this code in the text box provided in the PAM360 login page for the second level of authentication.
As mentioned earlier, the Okta Verify is associated with your PAM360 account. If you ever lose your mobile device/tablet OR if you accidentally delete the Okta Verify app on your device, you will still be able to get tokens to log in to PAM360. In such scenarios, just click the link "Have trouble using Okta Verify?" in the PAM360 login screen. You will be prompted to enter your PAM360 username and the email address associated with PAM360. Once done, you will receive instructions to get Okta Verify again.
If You have Configured High Availability
Whenever you enable TFA or when you change the TFA type (PhoneFactor, RSA SecurID, One-time password, RADIUS, or Duo) AND if you have configured high availability, you need to restart the PAM360 secondary server once.