Two-Factor Authentication (2FA) is an account security feature that lets users confirm their login with an authenticator app (such as Google Authenticator or Microsoft Authenticator) that supports TOTP (Time-based One-time Password).
When the 2FA setting is on, the user must register their account with an installed authenticator app (e.g. Google Authenticator) before they can enter the system.
There are three scenarios when this feature is enabled.
Web users who have not registered are redirected to the setup page on any API call.
For mobile users who have not registered, all tokens of logged-in accounts are cleared.
Mobile users on the old app version are handled by the wrong-password flow.
When users who have not set up the Authenticator App try to log in to the system, the system redirects them to the setup page. The Setup Two-Factor Authentication page shows the QR code and a key for the user's next step.
The user scans the QR code with an authenticator app (such as Google Authenticator) or types in the Key displayed on the screen. The authenticator app then shows a verification code (usually 6 digits, but the number of digits is not limited).
The user enters this verification code and clicks the “Verify” button. If the user enters the wrong code, a pop-up error message “Incorrect verification code” is shown.
If registration succeeds, a success pop-up is displayed. The pop-up window stays for 5 seconds to inform the user of the current status. The user can either click the “Login Now” button or wait 5 seconds, after which they are logged out and redirected back to the login screen.
After registering the authenticator app, the user enters the account and password to log in to the system. If the user has multiple subscribers, the subscriber is selected first.
A pop-up window “Two-Factor Authentication” then asks the user to enter the verification code shown in the authenticator app.
If the user enters the wrong verification code, the error message “Incorrect verification code” is shown. One wrong password attempt is counted.
If the entered verification code is correct but the password is incorrect, the user is returned to the login screen with the incorrect-password message (if the user has multiple subscribers, to the confirm password page). One wrong password attempt is counted. If the number of password attempts has been exceeded, the user should reset the password.
If both the code and password are entered correctly, the current login flow continues.
The user can enter the account and password on the Sign in page. If there are multiple subscribers, the subscriber is chosen first.
For a user whose Authenticator App status is Not Set, an alert is shown and the user is redirected to the web login page in the default browser. If the Authenticator App is already configured, the user is taken to the Two-Factor Authenticator page to enter the verification code.
If both the code and password are entered correctly, the current login flow continues.
If the entered verification code is incorrect, a pop-up window shows the error message “Incorrect Verification Code”; after the “OK” button is clicked, the user is returned to the login screen. One wrong password attempt is counted.
If the user enters the wrong password, the app stays on the “Choose Organization” page and cannot proceed to the next step. If the number of password attempts has been exceeded, a pop-up window shows an error message indicating that the user should reset the password.
2FA can be switched on or off for the entire subscriber, covering all user types, in Subscriber Management Tools.
The Authenticator App must support the Time-based One-time Password (TOTP) algorithm. The TOTP verification code has a default interval of 30 seconds. When the validity of a verification code is checked, the codes for T-30s, T and T+30s are all accepted (i.e. 3 TOTPs), which tolerates small clock differences between the user's device and the server. Authenticator registration can only be reset by Root Administrators and HRs in the Admin Panel. For access through the Open API, the 2FA flow does not apply.
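The setup key, the code the app displays and the server-side check with the T-30s / T / T+30s window described above, as an added example. This is illustration code written for this page, not the product's implementation. The page fixes only the 30-second interval and the one-step window; HMAC-SHA1, 6 digits and a Base32-encoded manual-entry key are assumptions taken from the common authenticator defaults (RFC 6238 / the otpauth URI convention), and the account and issuer names are constructed.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# Stated on the page: 30-second interval, neighbouring steps accepted.
STEP_SECONDS = 30
WINDOW_STEPS = 1          # T-30s, T, T+30s -> 3 candidate codes
# Assumption (not stated on the page): 6 digits and HMAC-SHA1, the usual authenticator defaults.
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). This is the code the app shows."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                window: int = WINDOW_STEPS, step: int = STEP_SECONDS,
                digits: int = DIGITS) -> bool:
    """Server-side check: accept the code of the current step and `window` steps either side.

    Every candidate is compared with hmac.compare_digest and the loop never exits early,
    so the duration of the check does not reveal which step (if any) matched.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = unix_time // step
    matched = False
    for delta in range(-window, window + 1):
        if counter + delta < 0:       # no negative counters before the epoch
            continue
        matched |= hmac.compare_digest(hotp(secret, counter + delta, digits), submitted)
    return matched


def new_secret(num_bytes: int = 20) -> bytes:
    """Fresh random shared secret created at setup; 20 bytes matches the HMAC-SHA1 output length RFC 6238 recommends."""
    return secrets.token_bytes(num_bytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind a setup QR code encodes.

    The Base32 text in `secret=` is what a user would type as the manual-entry Key
    (Base32 is an assumption; the page does not state the key's encoding).
    """
    key = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={key}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    import time
    secret = new_secret()
    # Constructed account and issuer, only for the demonstration.
    print(provisioning_uri(secret, "user@example.com", "Example Service"))
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted:", verify_totp(secret, code, now))
```

The window check is why a code that has just rolled over on the phone is still accepted for one more interval. A production verifier should additionally remember the last counter it accepted for each user and refuse anything at or below it, so a code observed once cannot be submitted a second time within the same window; that bookkeeping is outside what this page describes and is left out here.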
Root Administrators and HRs can open the Admin Panel: hover over the settings button in the upper right corner of the screen and click “Admin Panel”.
On the User List page, the user type can be viewed and selected. The function column contains six icons, and it shows whether the user has registered with the Authenticator App. The fifth icon represents Two-Factor Authentication; an illuminated fifth icon indicates that the user has completed the registration.
Click the user name to open the details page. If the user has registered, the Two-Factor Authentication section of this user page shows a green “Register” status indicator and a red “Reset” button. If the status is “Not Set”, the “Reset” button is not shown.