Two-Factor Authentication (TFA) - One-Time Password
If you choose this option, after the first level of authentication (PAM360 local, AD, LDAP or Azure AD) succeeds, PAM360 randomly generates a unique password and emails it to the user. The user has to enter the password received by email to authenticate at the second level. The second-level password generated and sent by PAM360 is valid only for that particular session of the web interface. If the user logs out and tries to log in again, they will not be allowed to log in with the same password sent by email earlier; PAM360 sends a fresh password, which the user has to fetch from their email and enter for authentication.
- Configuring TFA in PAM360
- Enforcing TFA for Required Users
- Connecting to PAM360 Web Interface when TFA is Enabled
1. Configuring TFA in PAM360
- Navigate to Admin >> Authentication >> Two-Factor Authentication.
- Choose the option One-time password sent through email.
- Click Save.
- Then, click on Confirm to enforce OTP through email as the second factor of authentication.
2. Enforcing TFA for Required Users
- Once you confirm OTP through email as the second factor of authentication in the previous step, a new window will prompt you to select the users for whom two-factor authentication should be enforced.
- You can enable or disable Two-Factor Authentication for a single user or multiple users in bulk from here. To enable two-factor authentication for a single user, click on the Enable button beside their respective username. For multiple users, select the required usernames and click on Enable at the top of the user list. Similarly, you can also Disable TFA from here.
- You can also select the users later by navigating to Users >> More Actions >> Two-Factor Authentication.
3. Connecting to PAM360 Web Interface when TFA is Enabled
Users for whom two-factor authentication is enabled will have to authenticate twice in succession. As explained above, the first level is the usual authentication: users authenticate through PAM360's local authentication or AD/LDAP/Azure AD authentication. If the administrator has chosen the TFA option One-time password sent through email, the two-factor authentication happens as detailed below:
- Upon launching the PAM360 web-interface, the user has to enter the username and local authentication or AD/LDAP/Azure AD password to log in to PAM360 and click Login.
- Once the first level of authentication succeeds, PAM360 will generate a random password and email it to the user.
- The user has to fetch the password from the email and enter it as the second password.
- If the second authentication succeeds, the user will be allowed to view the PAM360 web interface.
Note: The second-level password generated and sent by PAM360 is valid only for that particular session of the web interface. If the user logs out and tries to log in again, they will not be allowed to log in with the same password sent by email earlier. When the user logs in again, another new password is sent to their email, which they must use for authentication.
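The behaviour described in this section, a randomly generated second-factor password that is emailed after the first factor succeeds, is bound to one web session, and is rejected on reuse, as an added illustration (constructed example code, not PAM360's implementation; the class, method names, the 8-character code format, the 5-minute lifetime, the three-attempt limit and the sample email sender are all assumptions). Compared with the text, it also shows two checks a verifier should carry out that the page does not spell out: the code expires after a fixed time, and repeated wrong guesses invalidate it.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Characters that are easy to read back from an email (no 0/O, 1/I/L).
OTP_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"


@dataclass
class PendingOtp:
    """A one-time password waiting to be entered for one login session."""
    code: str
    expires_at: float
    attempts_left: int = 3  # assumption: lock the code after 3 wrong guesses


class EmailOtpSecondFactor:
    """Session-bound email OTP as a second factor (constructed example).

    send_email(to, body) is supplied by the caller so the example runs offline;
    clock is injectable so expiry can be demonstrated without waiting.
    """

    def __init__(self, send_email, ttl_seconds=300, clock=time.time):
        self._send_email = send_email
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}      # session_id -> PendingOtp
        self._verified = set()  # session ids that passed the second factor

    def start_session(self, username, email):
        """Call after the first factor succeeded: issue a fresh OTP for a new session."""
        session_id = secrets.token_urlsafe(16)
        code = "".join(secrets.choice(OTP_ALPHABET) for _ in range(8))
        self._pending[session_id] = PendingOtp(code, self._clock() + self._ttl)
        self._send_email(email, f"Your PAM360 one-time password for {username}: {code}")
        return session_id

    def verify(self, session_id, submitted):
        """Return True once, for the right code in the session it was issued for."""
        pending = self._pending.get(session_id)
        if pending is None:
            return False                       # no OTP outstanding for this session
        if self._clock() > pending.expires_at:
            del self._pending[session_id]      # expired: a new login is required
            return False
        pending.attempts_left -= 1
        normalised = submitted.strip().upper().encode()
        if not hmac.compare_digest(pending.code.encode(), normalised):
            if pending.attempts_left <= 0:
                del self._pending[session_id]  # too many wrong guesses: discard the code
            return False
        del self._pending[session_id]          # consumed: the same code cannot be reused
        self._verified.add(session_id)
        return True

    def is_authenticated(self, session_id):
        return session_id in self._verified

    def logout(self, session_id):
        """Drop both the outstanding code and the verified state for the session."""
        self._pending.pop(session_id, None)
        self._verified.discard(session_id)


def code_from_email(body):
    """Pull the code out of the constructed email body used in this example."""
    return body.rsplit(": ", 1)[1]


def demo_flow():
    """Walk through login, reuse after logout, expiry and lockout; return the outcomes."""
    sent = []
    now = [1_000_000.0]
    mfa = EmailOtpSecondFactor(lambda to, body: sent.append((to, body)),
                               ttl_seconds=300, clock=lambda: now[0])

    sid = mfa.start_session("alice", "alice@example.com")
    code = code_from_email(sent[-1][1])
    first = mfa.verify(sid, code)           # correct code, first use
    reuse_same_session = mfa.verify(sid, code)

    mfa.logout(sid)
    sid2 = mfa.start_session("alice", "alice@example.com")
    reuse_after_logout = mfa.verify(sid2, code)  # old emailed code against new session
    now[0] += 301                                # advance past the lifetime
    expired = mfa.verify(sid2, code_from_email(sent[-1][1]))

    return {"first": first, "reuse_same_session": reuse_same_session,
            "reuse_after_logout": reuse_after_logout, "expired": expired}


if __name__ == "__main__":
    print(demo_flow())
```

The verifier deletes the code on first success, on expiry and after the attempt limit, so a code that leaks from a mailbox later is useless, which is the property the note above relies on. Comparison is constant-time so that wrong guesses cannot be distinguished by response timing.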
If you have configured High Availability:
Whenever you enable TFA or change the TFA type (PhoneFactor, RSA SecurID, One-time password, RADIUS or Duo) and you have configured high availability, you need to restart the PAM360 secondary server once so that it picks up the new setting.