Two-factor authentication (2FA) provides another layer of security to the Administrate TMS by requiring Users to input a verification code during the login flow.
Two-factor authentication will be enabled for all Users. Once this setting is enabled, Users will be required to set up two-factor authentication the next time they sign in.
To enable two-factor authentication, you need to access the Login Configuration Icon on the Control Panel.
Within the Login Configuration page, you are presented with a number of Two-Factor Authentication methods:
- Authenticator App - an authenticator app (e.g. Google Authenticator) will provide a verification code for the User to complete the login process
- Email - an email with the verification code will be sent to the User's email address
- SMS - an SMS message with the verification code will be sent to the User's mobile phone
You can configure all of the Two-Factor Authentication methods and allow the person logging in to choose the method that best suits their needs, or you can specify a particular method if you want to have a single Two-Factor Authentication method for all Users.
It is possible to configure the email sending address by navigating to the Sending Address Icon on the Control Panel. You can set up a specific email address and then select it when you enable email 2FA.
A valid SMS Sending Address must be configured for this option to be displayed on the Login Configuration Screen. To configure an SMS number, navigate to the Sending Address Icon on the Control Panel, go to the SMS tab and set up your number. Once you have set it up, you can then select it when you enable SMS 2FA.
It is important to ensure that each User's Email Address and Phone number are correct and valid to allow a seamless authentication process.
Logging into the TMS
The login flow with 2FA is a common flow: once you have completed the Username and Password steps, you will be asked to verify your identity one more time. Examples of each of the 2FA methods are below:
An email will be sent to the User's email address. They then need to copy the verification code and input it into the field shown. Once verified, the User will be successfully logged in. If the code has expired, the User can request a New Code to be sent out.
An SMS will be sent to the User's mobile phone number. They then need to copy the verification code and input it into the field shown. Once verified, the User will be successfully logged in. If the code has expired, the User can request a New Code to be sent out.
You require an Authenticator App (e.g. Google Authenticator) for this 2FA method. You will need to complete a one-time setup by scanning the QR code (example shown below) and registering the Account with your authenticator app. Once you have completed this process, the authenticator app will provide you with a verification code, which you will need to copy and input into the field shown. Once verified, the User will be successfully logged in.
What if a User is not able to log in?
If a User is locked out of the TMS and can't sign in or they do not have access to email, SMS, or an Authenticator App, a Super User can deactivate the 2FA method for that user.
- Locate the User icon on the Control Panel
- Select the User that is unable to complete the 2FA login flow
- Click on the Deactivate & Re-Enroll on Next Sign-in button (see below)
- The User will now need to choose and enroll in their preferred 2FA method.
If the email or the phone number is incorrect, please contact the Super User for your team and ask to have your details updated.
In Reporting Engine, create a Report with entity type User. You can output information for your Users to identify what type of 2FA they have enabled on the TMS.