Setting up Two-factor authentication - Google Authenticator
Google Authenticator is a software-based authentication token developed by Google. The token provides an authenticator, which is a six-digit number users must enter as the second factor of authentication.
You need to install the Google Authenticator app on your smartphone or tablet. It generates a six-digit number, which changes every 30 seconds. With the app, you don’t have to wait a few seconds to receive a text message. Here’s how to set up and use the Google Authenticator app with your Google account, along with a few other well-known sites.
Following is the sequence of events involved in using Google Authenticator as the second factor:
- A user tries to access Password Manager Pro web-interface.
- Password Manager Pro authenticates the user through Active Directory or LDAP or locally (first factor).
- Password Manager Pro prompts for the second factor credential through Google Authenticator.
- The user enters the six-digit token shown in the Google Authenticator app GUI.
- Password Manager Pro grants the user access to the web-interface.
Summary of steps:
- Configuring two-factor authentication in Password Manager Pro.
- Enforcing two-factor authentication for required users.
Step 1: Configuring two-factor authentication in Password Manager Pro
- Navigate to Admin >> Authentication >> Two-factor Authentication.
- Choose the option "Google Authenticator".
- Click "Save".
- Then, click "Confirm" to enforce Radius Authenticator as the second factor of authentication.
Step 2: Enforcing two-factor authentication for required users
- Once you confirm Google Authenticator as the second factor of authentication in the previous step, a new window will prompt you to select the users for whom two-factor authentication should be enforced.
- You can enable or disable two-factor authentication for a single user or multiple users in bulk from here. To enable two-factor authentication for a single user, click on the 'Enable' button beside their respective username. For multiple users, select the required usernames and click on 'Enable' at the top of the user list. Similarly, you can also 'Disable' two-factor authentication from here.
- You can also select the users later by navigating to Users >> More Actions >> Two-factor Authentication.
How to connect to Password Manager Pro web interface when TFA via Google Authenticator is enabled?
To use Google Authenticator as the second factor of authentication, you should first install the Google Authenticator app on your smartphone or tablet. Google officially supports Android, iPhone, iPad, iPod Touch and BlackBerry devices. Detailed instructions for installing the Google Authenticator app are available on Google's website.
Connecting to Password Manager Pro web interface
Users for whom two-factor authentication is enabled will have to authenticate twice in succession. As explained above, the first level of authentication will be through the usual authentication. That is, the users have to authenticate through Password Manager Pro's local authentication or AD/Azure AD/LDAP authentication. If the administrator has chosen the TFA option "Google Authenticator", the two-factor authentication will happen as detailed below:
- Upon launching the Password Manager Pro web-interface, the user has to enter the username and local authentication or Azure AD/AD/LDAP password to log in to Password Manager Pro and click "Login".
- Associating Google Authenticator with your account in Password Manager Pro: When you are logging in for the first time after enabling TFA through Google Authenticator, you will be prompted to associate it with your account in PMP. You need to first launch the Google Authenticator app in your mobile device/tablet and choose the '+' button. Then, select 'Scan Barcode' and point your device to the barcode shown in the GUI such as the image displayed below. This will automatically configure Google Authenticator to start generating authentication codes for Password Manager Pro.
- After completing this, you can enter the current token for authentication in the text box.
Note: If you had trouble scanning the barcode, the automatic setup will not work. Alternatively, you can carry out the following manual steps in the Google Authenticator app in your device:
- Choose 'Time Based' for your token (this is the default selection in the app).
- Supply an identifier for your PMP account in this format - PMP: (for ex. PMP:firstname.lastname@example.org).
- Supply the alphanumeric string as the key and select 'Done'.
- Google Authenticator is now set up and will start generating codes periodically for <PMP:user@mailid>. Enter the current code to continue logging in to PMP.
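What the 'Time Based' token computes from the alphanumeric key, and how a server can check the submitted six-digit code, shown as an added example that is not Password Manager Pro code. It follows RFC 6238 with HMAC-SHA1, which is what Google Authenticator generates; `SAMPLE_KEY` is a constructed test key, and the clock-drift window and replay check in `verify` are assumed verifier policy, not documented PMP behaviour.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for, as stated on this page
DIGITS = 6   # length of the code the app displays
# Constructed sample key: Base32 of the RFC 6238 test secret, not a real PMP key.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(key_b32, at):
    """Six-digit RFC 6238 code (HMAC-SHA1) for Unix time `at`."""
    # Keys are often typed in lower case with spaces; normalise and re-pad.
    cleaned = key_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    key = base64.b32decode(cleaned)
    counter = struct.pack(">Q", int(at) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(key_b32, submitted, at, last_step=-1, drift=1):
    """Return the time step the code matched, or None if it is rejected.

    Assumed verifier policy: accept +/- `drift` steps of clock skew and
    refuse any step <= last_step so an observed code cannot be replayed.
    """
    current = int(at) // STEP
    matched = None
    for step_no in range(max(0, current - drift), current + drift + 1):
        expected = totp(key_b32, step_no * STEP)
        same = hmac.compare_digest(expected.encode(), submitted.encode())
        if same and step_no > last_step:
            matched = step_no
    return matched


if __name__ == "__main__":
    print(totp(SAMPLE_KEY, 59))                           # code at t=59
    print(verify(SAMPLE_KEY, "287082", 89))               # one step late: accepted
    print(verify(SAMPLE_KEY, "287082", 89, last_step=1))  # replay: rejected
```

A verifier that stores the returned step per user and passes it back as `last_step` accepts each code only once, even inside the drift window.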
As mentioned earlier, the Google Authenticator is associated with your Password Manager Pro account. If you ever lose your mobile device/tablet OR if you accidentally delete the Google Authenticator app on your device, you will still be able to get tokens to log in to Password Manager Pro. In such scenarios, just click the link "Have trouble using Google Authenticator?" in the Password Manager Pro login screen. You will be prompted to enter your Password Manager Pro username and the email address associated with Password Manager Pro. You will receive instructions to get Google Authenticator again.
If you have configured High Availability
Whenever you enable TFA or when you change the TFA type (PhoneFactor or RSA SecurID or One-time password or RADIUS or Duo) AND if you have configured high availability, you need to restart the Password Manager Pro secondary server once.