Two-Factor Authentication   

    Two-factor Authentication (2FA) provides an extra layer of security for your users by mandating an additional mode of authentication along with regular passwords. 

     

    Role required: SDAdmin

     

    Supported Additional Authentication Modes

     

    Email verification: Users will be required to verify an authentication code received via email.

    Google Authenticator: Users will be required to verify a time-based OTP (TOTP) generated by the Google Authenticator app.

     


    Note:

    SDAdmin can enable/disable any or all of the supported additional authentication modes.


    Once enabled, users have to enroll for the additional authentication mode during their first-time login. To learn more about enrollment, click here.


    Configuring Two-Factor Authentication   

    1. Go to Admin>>General Settings>>Two Factor Authentication.

    2. Use the toggle button to enable two-factor authentication.

    3. Under Settings, enable/disable backup codes using the toggle and do one or both of the following.

      • Enabling Email verification


        Note:

        The outgoing mail server must be configured for email verification mode. To learn more about mail server configuration, click here.

         


        1. Click Email verification to expand the section and then use the toggle to enable the mode.

        2. Finally, click Save.

        3. Compose the email template to be used for sending the verification code with the appropriate subject and message body. Use the variable $secretCode in the message body. This variable is replaced with a unique code each time the email is sent to the users.

     

      • Enabling Google Authenticator  

        1. Click Google Authenticator to expand the section.

        2. Use the toggle to enable the mode.


     

     


    Note:

    • In email verification mode, the $secretCode variable is mandatory to generate the verification code.

    • Backup codes can be enabled only when one of the authentication modes is enabled.

    • Enabling backup verification codes allows users to view, download, or generate codes that can be used as an alternative to any of the authentication modes. To know more, click here.

      

    Enrolling for Two-Factor Authentication  

    On enabling two-factor authentication, users logging into the application for the first time must enroll themselves by following the steps given here.


    Note:

    Users configured with a valid email address will be auto-enrolled and can skip this step.  

     

    Enrolling for email verification mode

    1. Go to the login page, and provide the username and password.

    2. In the enrollment form, choose Email Verification and click Next.


       

    3. Enter your email address and click Send Code.


       

    4. Enter the verification code as received in your email to log in to the application.



     

     

    Enrolling for Google Authenticator mode

    1. Go to the login page, and provide your username and password.

    2. In the enrollment form, choose Google Authenticator and click Next.

    3. Using your Google Authenticator mobile app (Android/iOS), scan the QR code.



      Alternatively, you can obtain the secret key by using the Click here option below the QR code, and then enter it in your Google Authenticator app.

    4. Now, enter the time-based OTP from the Google Authenticator app into the text box and click Verify code to log in to the application.

     

    You can check the Trust this browser option to avoid the second verification for a period of 180 days.

     

    If you have trouble verifying with any of the modes, you can use backup codes.  

     

    You can manage trusted browsers, modify the mode, and view, download, or generate backup codes from the user panel. Click here to learn more.

     

    Managing Enrolled Users

    You can manage users who have enrolled for two-factor authentication under the Enrolled User tab. Here you can view details such as username, domain name, and authentication type, or delete user enrollment.

    • To access it, go to Admin>>General Settings>>Two Factor Authentication.

    • To delete user enrollment, select one or more users and click Delete.

     

     

    Copyright © 2017, ZOHO Corp. All Rights Reserved.