Two-factor authentication (2FA) provides another layer of security to the Administrate TMS by requiring Users to input a verification code during the login flow.
When this setting is enabled, two-factor authentication applies to all Users, and each User will be required to set up two-factor authentication the next time they sign in.
Within the Login Configuration page, you are presented with several Two-Factor Authentication methods:
- Authenticator App — an authenticator app (e.g., Google Authenticator) will provide a verification code for the User to complete the login process
- Email — an email with the verification code will be sent to the User's email address
- SMS — an SMS message with the verification code will be sent to the User's mobile phone
You can configure all the Two-Factor Authentication methods and allow the person logging in to choose the method that best suits their needs. Alternatively, you can specify a particular method if you want to have a single Two-Factor Authentication method for all Users.
The SMS option is displayed on the Login Configuration screen only when a valid SMS Sending Address has been configured. To configure an SMS number, navigate to the Sending Address Icon on the Control Panel, go to the SMS tab, and set up your number. Once you have set it up, you can then select it when you enable SMS 2FA.
It is important to ensure that the User's Email Address and Phone number are correct to allow a seamless authentication process.
Logging into the TMS
The login flow with 2FA follows a common pattern: once you have completed the Username and Password steps, you will be asked to verify your identity one more time. Examples of each of the 2FA methods are below:
An email will be sent to the User's email address. They then need to copy the verification code and input it into the field shown. Once verified, the User will be successfully logged in. If the code has expired, then you can request a New Code to be sent out.
An SMS will be sent to the User's mobile phone number. They then need to copy the verification code and input it into the field shown. Once verified, the User will be successfully logged in. If the code has expired, then you can request a New Code to be sent out.
You require an Authenticator App (e.g., Google Authenticator) for this 2FA method. You will need to set it up once by scanning the QR code (example shown below) and registering the Account with your authenticator app. Once you have completed this process, the authenticator app will provide you with a verification code, and you will need to copy the verification code and input it into the field shown. Once verified, the User will be successfully logged in.
What if a User is not able to log in?
If a User is locked out of the TMS and can't sign in, or they do not have access to email, SMS, or an Authenticator App, a Super User can deactivate the 2FA method for that User.
- Locate the User icon on the Control Panel
- Select the User that is unable to complete the 2FA login flow
- Click on the Deactivate & Re-Enroll on Next Sign-in button (see below)
- The User will now need to choose and enroll in their preferred 2FA method.
If the email or the phone number is incorrect, get in touch with the Super User for your team and ask to have your details updated.
In Reporting Engine, create a Report with entity type User. You can output information for your Users to identify what type of 2FA they have enabled on the TMS.