Setting Up Two Factor Authentication - Google Authenticator
Google Authenticator is a software-based authentication token developed by Google. The token provides an authenticator, which is a six digit number users must enter as the second factor of authentication.
You need to install the Google Authenticator app on your smart phone or tablet devices. It generates a six-digit number, which changes every 30 seconds. With the app, you don’t have to wait a few seconds to receive a text message. Here’s how to set up and use the Google Authenticator app with your Google account, along with a few other well-known sites.
Following is the sequence of events involved in using Google Authenticator as the second factor:
- A user tries to access Password Manager Pro web-interface.
- Password Manager Pro authenticates the user through Active Directory or LDAP or locally (first factor).
- Password Manager Pro prompts for the second factor credential through Google Authenticator.
- The user enters the six-digit token shown in the Google Authenticator app.
- Password Manager Pro grants the user access to the web-interface.
Summary of steps:
- Configuring two factor authentication in Password Manager Pro.
- Enforcing two factor authentication for required users.
Step 1: Configuring two factor authentication in Password Manager Pro
- Navigate to Admin >> Authentication >> Two-factor Authentication.
- Choose the option "Google Authenticator".
- Click "Save".
Step 2: Enforcing two-factor authentication for required users
In Step 1 above, you have chosen 'Google Authenticator' for two factor authentication. Now, you need to apply two factor authentication for the required users.
To enforce two factor authentication for a user,
- Navigate to "Users" tab. Select the desired users for whom two-factor authentication is to be activated.
- Next, click on "More Actions" button at the top of the users list and select "Set Two-factor Authentication" from the dropdown.
- In the UI that opens, confirm the list of your selected users one more time.
- Once you're done, click "Enable" to activate TFA for the desired users.
How to connect to Password Manager Pro web interface when TFA via Google Authenticator is enabled?
To use Google Authenticator as the second factor of authentication, you should first install the Google Authenticator app on your smart phone or tablet. Google officially supports Android, iPhone, iPad, iPod Touch and BlackBerry devices. Detailed instructions to install the Google Authenticator app are available on Google's website.
Connecting to Password Manager Pro web interface
Users for whom two factor authentication is enabled will have to authenticate twice in succession. As explained above, the first level of authentication will be through the usual authentication. That is, the users have to authenticate through Password Manager Pro's local authentication or AD/Azure AD/LDAP authentication. If the administrator has chosen the TFA option "Google Authenticator", the two factor authentication will happen as detailed below:
- Upon launching the Password Manager Pro web-interface, the user has to enter the username and local authentication or Azure AD/AD/LDAP password to log in to Password Manager Pro and click "Login".
- Associating Google Authenticator with your account in Password Manager Pro: When you are logging in for the first time after enabling TFA through Google Authenticator, you will be prompted to associate it with your account in PMP. You need to first launch the Google Authenticator app in your mobile device/tablet and choose the '+' button. Then, select 'Scan Barcode' and point your device to the barcode shown in the GUI such as the image displayed below. This will automatically configure Google Authenticator to start generating authentication codes for Password Manager Pro.
- After completing this, you can enter the current token for authentication in the text box.
Note: If you have trouble scanning the barcode, the automatic setup will not work. In that case, carry out the following manual steps in the Google Authenticator app on your device:
- Choose 'Time Based' for your token (this is the default selection in the app).
- Supply an identifier for your PMP account in this format - PMP: (for example, PMP:firstname.lastname@example.org).
- Supply the alphanumeric string as the key and select 'Done'.
- Google Authenticator is now set up and it will start generating codes periodically for . Enter the current code to continue logging into PMP.
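The six-digit, 30-second, time-based code described above is the RFC 6238 TOTP algorithm. The following added example (not Password Manager Pro's own code) shows how such a code is derived from the key and how a verifier can tolerate clock drift while refusing a replayed code. The sample key, the `verify` helper, its one-step drift window and its `last_used_step` parameter are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid for, as described on this page
DIGITS = 6   # six-digit token

def totp(secret_b32, at, step=STEP, digits=DIGITS):
    """Return the RFC 6238 code (HMAC-SHA1) for Unix time `at`."""
    # Keys are often typed in lower case or with spaces; normalise first.
    cleaned = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = struct.pack(">Q", int(at) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, at, last_used_step=-1, drift=1):
    """Return the time step the code matched, or None if it is rejected.

    Codes from `drift` steps either side of `at` are accepted to absorb
    clock skew; any step <= last_used_step is refused to block replay.
    """
    current = int(at) // STEP
    for step_no in range(current - drift, current + drift + 1):
        if step_no <= last_used_step:
            continue
        expected = totp(secret_b32, step_no * STEP)
        if hmac.compare_digest(expected, submitted):
            return step_no
    return None

# Constructed sample key: the RFC 6238 test secret, base32-encoded.
SAMPLE_KEY = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    now = time.time()
    code = totp(SAMPLE_KEY, now)
    step = verify(SAMPLE_KEY, code, now)
    print("current code:", code, "accepted at step", step)
    replayed = verify(SAMPLE_KEY, code, now, last_used_step=step)
    print("same code accepted again:", replayed is not None)
```

When codes from a correctly enrolled device are rejected, clock skew beyond the drift window on the device or the server is the first thing to check.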
As mentioned earlier, the Google Authenticator is associated with your Password Manager Pro account. If you ever lose your mobile device/tablet OR if you accidentally delete the Google Authenticator app on your device, you will still be able to get tokens to log in to Password Manager Pro. In such scenarios, just click the link "Have trouble using Google Authenticator?" in the Password Manager Pro login screen. You will be prompted to enter your Password Manager Pro username and the email address associated with Password Manager Pro. You will receive instructions to get Google Authenticator again.
If you have configured High Availability
Whenever you enable TFA or when you change the TFA type (PhoneFactor or RSA SecurID or One-time password or RADIUS or Duo) AND if you have configured high availability, you need to restart the Password Manager Pro secondary server once.