Two Factor Authentication in OpManager

Two Factor Authentication (TFA) provides an additional level of authentication and improves security by requiring the user to provide a unique time-based one time password (TOTP) generated through Authenticator Apps, or as a one time password (OTP) sent to the user's configured Email address. TFA strengthens authentication and prevents unauthorized access.

Note: This feature is available from OpManager version 125415.

Click here for troubleshooting steps.

Steps to configure TFA in OpManager:

  1. Go to Settings - > General Settings -> Authentication -> Two Factor Authentication.
  2. Select the "Enable Two Factor Authentication (TFA)" option.
  3. Choose the desired Authentication Mode: Authenticator Apps (TOTP via Authenticator apps including but not limited to Google Authenticator, Microsoft Authenticator, Duo etc.) or Email Authentication (OTP sent to the user's configured Email address).

    Note: Mail Server Settings need to be configured for the Email Authentication Mode.

  4. Enter the number of days you want to allow the User's browser to be trusted for. That is, the User won't be required to provide TOTP/OTP while logging in on that browser for the specified number of days. This will be applicable if the user selects the check box to trust the browser during login.
  5. Click 'Save'.

    Note: If 'Authenticator Apps' is chosen as the mode of Authentication, all users will be prompted to set up their Authenticator app during their next login.

    If Authenticator Apps is the chosen mode of Authentication:

  6. During next login, install and follow the steps shown on screen to configure your desired Authenticator app on your mobile device.
  7. Enter the OTP generated in the Authenticator app/Email to login.

Troubleshooting steps:

  • In the case of TOTP based authentication,
    • Since TOTP is time based, the time in the configured mobile device must be in sync with the server time.
    • In the event that a new TOTP secret is required due to the loss of the mobile device configured or for any other such reason, the Admin User can go to Settings -> General Settings -> Authentication and click on the 'Reset TOTP secret' icon under 'Actions' for the respective User.
    • If the default 'admin' user is unable to login to the product, and has lost the configured mobile device, contact our support at opmanager-support@manageengine.com to reset the TOTP secret for the default 'admin' user.
  • In the case of Email based authentication,
    • When the mode of Authentication is chosen as 'Email' then the OTP will be sent via Email to the User's configured Email ID. So please ensure that you have configured the correct Email ID. The admin user has the privileges to configure the correct Email ID, if the configured Email ID was not correct.
    • If the users are unable to receive the OTP via Email due to change in mail server configuration, contact support at opmanager-support@manageengine.com to disable TFA.

For any further queries, kindly reach out to opmanager-support@manageengine.com.