Two-Factor Authentication

(Versions 7+)

Pleasant Password Server supports a variety of Two-Factor Authentication methods.

Two-Factor Authentication is an extra layer of security in addition to the standard login of username/password. Related terms covered here are Multi-Factor Authentication (MFA) and Two-Step Verification (2SV).

In general, these factors are available for all software clients.


Supported Providers

Here is a list of Supported Providers with links to any Configuration guides. Each type of Two Factor Provider has special configuration requirements:

3rd Party Integration

Other Factors of Authentication are possible when integrating with SAML Single Sign-On, for example:

Authenticator Apps

These mobile apps provide one-time six-digit verification codes and can be used to further secure your server account, for example, Google 2-Step Verification:

Note: All of these, and any alternative app, use the industry-standard Time-based One-Time Password (TOTP) algorithm.
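As an added illustration (not code from Pleasant Password Server or this page), the TOTP computation that both the authenticator app and the server perform, in Go: the shared secret is the base32 string shown at enrollment, the counter is the number of 30-second steps since the Unix epoch, and the server-side check allows one step of clock skew. The secret in main() is a constructed demo value.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// DecodeBase32Secret parses the secret as shown at enrollment (base32,
// often space-grouped and unpadded) into the raw HMAC key.
func DecodeBase32Secret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// TOTP implements RFC 6238 with HMAC-SHA1: HOTP (RFC 4226) over the number
// of step-second intervals since the Unix epoch, truncated to 6 digits.
func TOTP(secret []byte, unixTime, step int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation: low nibble picks offset
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// ValidateTOTP checks a submitted code against the current 30-second
// window and one window either side (clock skew), comparing in constant time.
func ValidateTOTP(secret []byte, code string, now int64) bool {
	ok := false
	for _, skew := range []int64{-30, 0, 30} {
		if hmac.Equal([]byte(TOTP(secret, now+skew, 30)), []byte(code)) {
			ok = true // keep looping so timing does not reveal which window matched
		}
	}
	return ok
}

func main() {
	// Constructed demo secret: base32 of the RFC 6238 test key "12345678901234567890".
	secret, _ := DecodeBase32Secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	fmt.Println("current code:", TOTP(secret, time.Now().Unix(), 30))
}
```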

Biometrics

Client Certificates

Email Authentication

Network Resource

Note: All of these use the RADIUS Provider workflow, with PAP, CHAP, or MS-CHAPv2 protocols.

Physical Devices

Note: These use the Yubico OTP protocol.

Enabling Two-Factor Authentication

Two-Factor Authentication (2FA) can be enabled for your users by:

Bulk User Enrollment

Administrators can set up all users with self-enrollment into Two-Factor Authentication:

Enroll a Single User

Administrators can enroll a single user with Two-Factor Authentication:

Reset Two-Factor Secret

Administrators can reset a user's secret from the User's Details -> Configure screen, by clicking either:

Storing 2FA Backup Codes

Password Server generates a unique secret for each individual: a 2FA code which the user synchronizes with their mobile device.

This 2FA code can be saved / copied / stored in another secure location, so that if a mobile device is lost the 2FA secret is still available to the user.

It is usually not recommended to store the 2FA secret (used to authenticate into Password Server) in the same server, because that reduces the second factor to a single factor: anyone who obtains the password also obtains the secret.

However, some may require 2FA for integration with other applications. 

Some Authenticator apps, such as Authy, have a Backup 2FA feature which can automatically synchronize the secret to a backup. Depending on your security needs, this can provide convenience and remove the worry of losing the secret; however, the secret is then synchronized to a cloud location.

Two-Factor Policy Configuration

2FA configuration details are found on the Policy, in the Two-Factor Policy section.

Status
Browser Remember Flag

Users should only check this option when signing in from secure browsers.

Two-Factor Providers

Note: The list of Two Factor Providers is displayed once the policy is created.

The following options are common to all two factor provider configurations.

Enabled

Each available Two-Factor Authentication provider can be enabled or disabled on a per-policy basis. Some Two Factor Providers are easy for the user to configure and enable, making them good choices to enable for optional protection. Other Two Factor Providers must be configured and managed by an administrator. See the descriptions of each Provider to help you select which ones are right for your security needs.

User Can Disable Provider

In a policy where 2FA is optional, this option should be enabled. This will allow the user to enable or disable their preferred Two Factor Provider(s) on their account management page. For policies requiring mandatory (and often administration configured) 2FA, unchecking this option will prevent the user from disabling the Two Factor Provider.

Google Authenticator

Generates a new security code every 30 seconds. Uses the Google Authenticator app available for Apple and Android.

See also: Setting Up Google Authenticator & User Enrollment

Service Name:

User Can Generate Code:

User Can Disable Provider: 

User Can Self-Enroll in this Provider

YubiKey

The standard YubiKey Two Factor Provider connects to a remote server, either the YubiCloud authentication service or another YubiKey Verification Server. By default, all YubiKeys are shipped ready to verify against the YubiCloud service.

User Can Configure Provider:

User Can Disable Provider: 

Client ID & API Key:

Server URLs

YubiKey Embedded Server

This specialized YubiKey Two-Factor Authentication Provider allows connecting to a local database, without having to connect with an external verification service.

This Two Factor Provider requires significantly more administration and cannot be configured by users directly.

To use this provider you must customize the YubiKey(s) using the YubiKey personalization software (https://www.yubico.com/products/services-software/personalization-tools/) with custom secret values. These values must then be entered into each user's configuration by an administrator.
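Added example, not code from Pleasant Password Server: what a local verification server of this kind has to do with the per-key AES secret and private ID that the administrator enters, in Go. The key, private ID and last-accepted counter are assumed to come from the user's configuration record; the token layout, modhex alphabet and CRC residue are those of the public Yubico OTP format, and the counter check is what stops a captured OTP from being replayed.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
	"strings"
)

const modhex = "cbdefghijklnrtuv" // layout-independent alphabet a YubiKey types
func modhexDecode(s string) []byte {
	out := make([]byte, len(s)/2)
	for i := range s {
		out[i/2] = out[i/2]<<4 | byte(strings.IndexByte(modhex, s[i]))
	}
	return out
}

// crc16 is the Yubico OTP checksum (poly 0x8408, init 0xffff); a token
// whose trailing CRC is intact hashes to the fixed residue 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, c := range b {
		crc ^= uint16(c)
		for i := 0; i < 8; i++ {
			crc = (crc >> 1) ^ (0x8408 & -(crc & 1))
		}
	}
	return crc
}

// Verify checks a 44-char OTP against the AES key, private ID and last
// accepted counter stored for that key; it returns the counter to persist.
func Verify(aesKey, privateUID []byte, lastCtr uint32, otp string) (uint32, error) {
	if len(aesKey) != 16 || len(otp) != 44 || strings.Trim(otp, modhex) != "" {
		return lastCtr, fmt.Errorf("need a 16-byte key and a 44-char modhex otp")
	}
	blk, _ := aes.NewCipher(aesKey) // cannot fail: key length checked above
	tok := modhexDecode(otp[12:])   // first 12 chars are the public ID
	blk.Decrypt(tok, tok)           // one 16-byte block: raw AES-128, no mode
	if crc16(tok) != 0xf0b8 || string(tok[:6]) != string(privateUID) {
		return lastCtr, fmt.Errorf("wrong key, corrupted otp or private id mismatch")
	}
	// useCtr (bytes 6-7, little-endian) counts power-ups, sessionCtr (byte 11) presses
	ctr := uint32(binary.LittleEndian.Uint16(tok[6:8]))<<8 | uint32(tok[11])
	if ctr <= lastCtr {
		return lastCtr, fmt.Errorf("replayed or stale otp")
	}
	return ctr, nil
}
```

The counter returned on success must be written back to the user's record before the login is accepted, otherwise the same OTP will verify again.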