(Feature available only in Premium and Enterprise Editions)
Google Authenticator is a software-based authentication token developed by Google. The token provides an authenticator, which is a six-digit number users must enter as the second factor of authentication.
You need to install the Google Authenticator app on your smartphone or tablet. It generates a six-digit number, which changes every 30 seconds. With the app, you don’t have to wait a few seconds to receive a text message. Here’s how to set up and use the Google Authenticator app with your Google account, along with a few other well-known sites.
Following is the sequence of events involved in using Google Authenticator as the second factor:
- A user tries to access PMP web-interface
- PMP authenticates the user through Active Directory or LDAP or locally (first factor)
- PMP prompts for the second factor credential through Google Authenticator
- Enter the six-digit token that you see on the Google Authenticator GUI
- PMP grants the user access to the web-interface
Enabling Google Authenticator
PMP administrators can set up two factor authentication (with Google Authenticator as the second factor) as explained below:
Summary of Steps
- Setting up two factor authentication in PMP
- Enforcing two factor authentication for required users in PMP
Step 1: Setting up Two Factor Authentication in PMP
The first step is to enable two factor authentication. To do that,
- Go to the "Admin" tab and click "Two Factor Authentication"
- Choose the option "Google Authenticator"
- Click "Save"
Step 2: Enforcing Two Factor Authentication for Required Users
In step 1 above, you chose Google Authenticator as the option for two factor authentication. After choosing this option, you need to apply two factor authentication to the required users. You can do this from the GUI that pops up upon clicking the "Save" button in step 1 above. Alternatively, you can do this as explained below:
To enforce two factor authentication for a user,
- Go to "Admin" >> "Users"
- Click the button "Set 2-factor authentication"
- Click "Save"
How to connect to PMP Web-Interface when TFA through Google Authenticator is Enabled?
To make use of Google Authenticator as the second factor of authentication, you should first install the Google Authenticator app on your smartphone or tablet. Google officially supports Android, iPhone, iPad, iPod Touch and BlackBerry devices. Detailed instructions to install the Google Authenticator app are available on Google's website.
Connecting PMP Web-Interface
Users for whom two factor authentication is enabled will have to authenticate twice in succession. As explained above, the first level of authentication will be through the usual authentication. That is, the users have to authenticate through PMP's local authentication or AD/LDAP authentication.
When TFA is enabled, the login screen will ask for the username alone in the first UI. The users will be prompted to enter their passwords only in the second step.
TFA using Google Authenticator - Workflow
If the administrator has chosen TFA through Google Authenticator, the two factor authentication will happen as detailed below:
- Upon launching the PMP web-interface, the user has to enter the username to login to PMP and click "Login"
Associating Google Authenticator with your account in PMP
- When you are logging in for the first time after enabling TFA through Google Authenticator, you will be prompted to associate it with your account in PMP. You need to first launch the Google Authenticator app in your mobile device/tablet and choose the '+' button. Then select 'Scan Barcode' and point your device to the barcode shown below. This will automatically configure Google Authenticator to start generating authentication codes for PMP.
- After completing this, you can enter the current token for authentication in the text box
Google Authenticator Token - Sample
Important Note: If you had trouble scanning the barcode, the automatic setup will not work. Do the following manual steps in the Google Authenticator app in your device:
- Choose 'Time Based' for your token (this is the default selection in the app)
- Supply an identifier for your PMP account in this format - PMP:<your email id in PMP> (for example, PMP:firstname.lastname@example.org)
- Supply the alphanumeric string as the key and select 'Done'
- Google Authenticator is now set up and it will start generating codes periodically for <PMP:user@mailid>. Enter the current code to continue logging into PMP : ______ [Submit]
From the next time onwards, you will be prompted to enter the token alone as shown below:
As mentioned earlier, Google Authenticator is associated with your PMP account. If you ever lose your mobile device/tablet OR if you accidentally delete the Google Authenticator app on your device, you will be able to get tokens to log in to PMP. In such scenarios, just click the link "Have trouble using Google Authenticator?" in the PMP login screen. You will be prompted to enter your PMP username and the email address associated with PMP. You will receive instructions to get Google Authenticator again.
If you have configured High Availability
Whenever you enable TFA or when you change the TFA type (PhoneFactor or RSA SecurID or One-time password or Google Authenticator) AND if you have configured high availability, you need to restart the PMP secondary server once.