
Enable Two-Factor Authentication (TFA) in OS Deployer

Overview

Ensuring the security of enterprise environments is critical. Central Server provides robust Security & Authentication Settings to safeguard Central Server access, prevent unauthorized logins, and enforce strong password policies. This document outlines the key security features, including Two-Factor Authentication (TFA), User Account Policies, and Password Policies, ensuring that administrators can effectively manage and enhance security measures for User accounts.

Two-Factor Authentication (TFA)

In response to increasing cybersecurity threats, Central Server incorporates Two-Factor Authentication (TFA) to enhance security. This mechanism adds a second authentication factor on top of the standard username and password, so that a stolen or guessed password alone is not enough to log in.

To enable TFA, follow these steps:

  1. Log in to the Central Server.
  2. Navigate to the Admin tab.
  3. Select User under User Administration.
  4. Access Secure Authentication > Two-Factor Authentication.
  5. Enable authentication and choose a preferred authentication mode:
    • Email-based authentication: Refer to the Mail Server Configuration document for detailed setup instructions.
      Email-based authentication setup screen
    • Authenticator App (Zoho OneAuth, Google Authenticator, Microsoft Authenticator, Duo Mobile, etc.).
      Authenticator App selection for Two-Factor Authentication
  6. Save the settings and log out.

What users see at their next login:

  • Email TFA: Users must enter the six-digit security code sent to their registered email address.
  • Authenticator App TFA: Users install the authenticator app on their smartphone and complete a one-time mapping of the Central Server by scanning the QR code displayed on the login page. From then on, every login requires the one-time password currently shown by the app in addition to the password. The app generates these codes locally at any time, without contacting the Central Server.

Here are the download links to a few commonly used authenticator apps:

To disable TFA temporarily:

  1. Open Run, type services.msc, and stop the Central Server service.
    Windows Services manager showing Central server service
    Stopping Central server service in Windows Services
  2. Open a Command Prompt as administrator, change to the <Install_Dir>\bin directory, and run disableTFA.bat with the argument TempDisable:
     disableTFA.bat TempDisable
    Command prompt running disableTFA.bat with TempDisable argument
  3. Enter the administrator username and password when prompted.
  4. Enter the domain name if the administrator is an AD user, or press Enter for a local user.
  5. TFA is now disabled, and a TFA Enforcement entry with a grace period of 2 days is added. TFA is enforced again once the grace period ends, so use that window to fix the underlying problem rather than leaving TFA off.
    Two-Factor Authentication enforcement settings with grace period
  6. Start the Central Server service from Services.

Note: To disable Two-Factor Authentication permanently, contact Support.

User Account Policy

In Central Server, user account policies are crucial for ensuring the security and management of user access to the system. These policies allow administrators to define various settings that regulate how user accounts are managed based on login attempts, inactivity, and session expirations.

Configuring User Account Policy

  1. Log in to the Central Server.
  2. Navigate to the Admin tab.
  3. Select User under User Administration.
  4. Access Secure Authentication > User Account Policy.
    User Account Policy configuration page

Configuration Options

Invalid Login Attempts:

This setting controls the number of unsuccessful login attempts before an action is triggered. Administrators can specify a limit on failed attempts and choose whether to disable or temporarily lock the account. Additionally, the lockout duration can be defined to prevent repeated unauthorized login attempts.

  • Specify the number of failed login attempts before action is taken.
  • Choose between disabling or locking the account.
  • Define the lockout duration.
    Lockout duration configuration settings

Domain Settings:

These settings control how users authenticate. Enabling Hide Domain List removes the domain list from the login page, so users must type their domain name themselves; this keeps the set of configured domains from being enumerated by anyone who can reach the login page. The Default Domain for Authentication sets which directory is used when no domain is given: Local Authentication or Active Directory.

  • Enable Hide Domain List to require manual domain entry during login.
  • Set the Default Domain for Authentication (e.g., Local Authentication).
    Default domain authentication settings

Account Inactivity:

To enhance security, accounts can be automatically disabled after a specified period of inactivity. This helps prevent the misuse of dormant accounts and ensures that only active users have access to the system.

  • Enable automatic account disablement after a specified period of inactivity.
    Automatic account disablement settings in Secure Authentication

Session Expiry Settings:

These settings define how long a user session remains active before requiring re-authentication. Idle Session Timeout can be enabled to log out inactive users automatically, reducing the risk of unauthorized access. Additionally, users may be allowed to configure their session expiration settings within administrator-defined limits.

  • Define session expiration duration for access.
  • Enable Idle Session Timeout to sign out inactive users automatically.
  • Allow users to configure expiration settings within defined limits.
    Expiration settings configuration screen

Save the Configuration:

  • Click Save to apply changes.
  • Click Cancel to discard modifications.
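To make the interaction between these options concrete, the following Python models them as an added example. It is my own illustration, not Central Server's implementation: the mapping of each option to a field is an assumption, and the default values are placeholders, not the product's defaults. It shows the difference between lock and disable at the failed-attempt threshold, that a correct password is still refused while a lock is active, that a dormant account is disabled on its next login attempt, and that a user-chosen session length is clamped to the administrator's limit.

```python
from dataclasses import dataclass
from typing import Optional

DAY = 86400


@dataclass
class AccountPolicy:
    # Invalid Login Attempts
    max_failed_attempts: int = 5
    on_threshold: str = "lock"           # "lock": auto-unlocks after lockout_seconds; "disable": admin must re-enable
    lockout_seconds: int = 15 * 60
    # Account Inactivity
    inactivity_days: int = 90
    # Session Expiry Settings
    session_max_seconds: int = 8 * 3600  # administrator-defined upper limit
    idle_timeout_seconds: int = 15 * 60  # 0 switches Idle Session Timeout off


@dataclass
class Account:
    name: str
    failed_attempts: int = 0
    locked_until: int = 0                # unix time; 0 = not locked
    disabled: bool = False
    last_login: Optional[int] = None


@dataclass
class Session:
    started: int
    last_activity: int
    max_seconds: int


def attempt_login(acct: Account, policy: AccountPolicy, password_ok: bool, now: int) -> str:
    """Apply the policy to one login attempt and return the internal outcome.
    The UI should map every non-"ok" outcome to one generic failure message so an
    attacker cannot distinguish a locked, disabled or nonexistent account from a wrong password."""
    if acct.disabled:
        return "disabled"
    if now < acct.locked_until:
        return "locked"                  # even a correct password is refused until the lock expires
    if acct.last_login is not None and now - acct.last_login > policy.inactivity_days * DAY:
        acct.disabled = True             # dormant account: disable instead of letting it back in
        return "disabled"
    if not password_ok:
        acct.failed_attempts += 1
        if acct.failed_attempts >= policy.max_failed_attempts:
            acct.failed_attempts = 0
            if policy.on_threshold == "disable":
                acct.disabled = True
                return "disabled"
            acct.locked_until = now + policy.lockout_seconds
            return "locked"
        return "bad_password"
    acct.failed_attempts = 0             # a successful login resets the counter
    acct.last_login = now
    return "ok"


def start_session(now: int, policy: AccountPolicy, requested_seconds: Optional[int] = None) -> Session:
    """Users may choose their own expiry, but never above the administrator-defined limit."""
    limit = policy.session_max_seconds
    if requested_seconds is not None:
        limit = max(1, min(requested_seconds, policy.session_max_seconds))
    return Session(started=now, last_activity=now, max_seconds=limit)


def session_state(sess: Session, policy: AccountPolicy, now: int) -> str:
    """Absolute expiry is checked first; idle timeout only applies when it is switched on."""
    if now - sess.started >= sess.max_seconds:
        return "expired"
    if policy.idle_timeout_seconds and now - sess.last_activity >= policy.idle_timeout_seconds:
        return "idle_timeout"
    return "active"
```

Choosing "lock" over "disable" is a trade-off: a temporary lock limits online guessing while recovering on its own, whereas "disable" stops guessing outright but lets anyone who knows a username lock its owner out until an administrator intervenes.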

Password Policy

A password policy is essential for maintaining system security and preventing unauthorized access. Central Server allows administrators to enforce robust password requirements to enhance security across user accounts.

Implementing a Secure Password Policy

  1. Log in to the Central Server.
  2. Navigate to the Admin tab.
  3. Select User under User Administration.
  4. Access Secure Authentication > Password Policy.
    Password Policy settings in Secure Authentication

Configuration Options

  • Minimum Password Length: Define the minimum number of characters required.
  • Special Character Requirement: Specify the required number of special characters for password complexity.
  • Password History Restriction: Define the number of previously used passwords that cannot be reused.
  • Mandatory Password Updates: Enforce periodic password changes by specifying an update interval.
  • Backup Code Based Password Reset: Allow users to reset their passwords using a backup code when they cannot use their primary authentication method.
    • When enabled, users are issued a backup code that can be used to reset their password. Anyone holding the code can do the same, so users should store it as carefully as the password itself.
    • When disabled, no backup code is available for password recovery.
      Password Policy settings in Secure Authentication
  • Save the Configuration: Click Save to apply changes.
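The checks behind these options are simple individually but easy to get wrong in combination, in particular the history restriction, which must be enforced without keeping old passwords in clear text. The Python below is an added example of how such a policy is evaluated; it is my own illustration, not Central Server's code, and the field names, the PBKDF2 parameters and the backup-code format are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass
from typing import List, Tuple

PBKDF2_ITERATIONS = 50_000  # demo value; raise it for production hardware


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_special: int = 1
    history_size: int = 5        # 0 disables the history restriction
    max_age_days: int = 90
    backup_code_reset: bool = True


@dataclass
class PasswordRecord:
    salt: bytes
    digest: bytes
    set_at: int                  # unix time the password was set


@dataclass
class BackupCode:
    salt: bytes
    digest: bytes
    used: bool = False


def _digest(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def check_new_password(candidate: str, policy: PasswordPolicy, history: List[PasswordRecord]) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too_short")
    if sum(ch in string.punctuation for ch in candidate) < policy.min_special:
        problems.append("too_few_special")
    # History holds salted hashes only: reuse is detected by re-hashing the candidate
    # with each old salt, never by storing or comparing old plaintexts.
    recent = history[-policy.history_size:] if policy.history_size > 0 else []
    for rec in recent:
        if hmac.compare_digest(_digest(candidate, rec.salt), rec.digest):
            problems.append("reused")
            break
    return problems


def set_password(candidate: str, policy: PasswordPolicy, history: List[PasswordRecord], now: int) -> List[str]:
    """Validate, and on success append the new salted hash and trim history to the policy size."""
    problems = check_new_password(candidate, policy, history)
    if not problems:
        salt = os.urandom(16)
        history.append(PasswordRecord(salt, _digest(candidate, salt), now))
        if policy.history_size > 0:
            del history[:-policy.history_size]
    return problems


def password_expired(current: PasswordRecord, policy: PasswordPolicy, now: int) -> bool:
    """Mandatory Password Updates: force a change once the password is older than the interval."""
    return now - current.set_at >= policy.max_age_days * 86400


def issue_backup_code() -> Tuple[str, BackupCode]:
    """Generate a one-time backup code. Only its salted hash is stored; the plaintext is shown once."""
    code = "-".join(secrets.token_hex(2) for _ in range(4))  # constructed format, e.g. 3f9a-1c07-b2e4-88d1
    salt = os.urandom(16)
    return code, BackupCode(salt, _digest(code, salt))


def redeem_backup_code(code: str, stored: BackupCode, policy: PasswordPolicy) -> bool:
    """Single use: once redeemed (or if the feature is disabled) the code can never reset the password again."""
    if not policy.backup_code_reset or stored.used:
        return False
    if hmac.compare_digest(_digest(code, stored.salt), stored.digest):
        stored.used = True
        return True
    return False
```

The backup code is handled exactly like a password: generated from a CSPRNG, stored only as a salted hash, compared in constant time, and invalidated on first use, which is what makes it safe to hand to a user as a recovery path.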

Conclusion

Implementing Two-Factor Authentication, User Account Policies, and Password Policies strengthens security and minimizes risks associated with compromised credentials. By following these guidelines, organizations can ensure a secure and controlled environment.
