Difference between revisions of "Multifactor Authentication"
Jrobertson (talk | contribs) |
Line 177: | Line 177: | ||
How this works is that once the setting is enabled, any user who does not have MFA enabled, will not be allowed to access any service until MFA is turned on.<br> | How this works is that once the setting is enabled, any user who does not have MFA enabled, will not be allowed to access any service until MFA is turned on.<br> | ||
When users without MFA enabled try to access any service, they will be shown a screen similar to this<br>[[File:Enforced_MFA.PNG]]<br> | When users without MFA enabled try to access any service, they will be shown a screen similar to this<br>[[File:Enforced_MFA.PNG]]<br> | ||
− | Clicking on | + | Clicking on '''Click here to enable Mutlifactor Authentication''' will take users to the CloudworkID Page where they can enabled MFA.<br> |
From here users can enable MFA via [https://wiki.studentnet.net/index.php/Multifactor_Authentication#Set_MFA_with_an_Authenticator_App_with_QR_code App with QR Code], [https://wiki.studentnet.net/index.php/Multifactor_Authentication#Set_MFA_with_an_Authenticator_App_with_setup_key App with Setup Key] or, [https://wiki.studentnet.net/index.php/Multifactor_Authentication#Set_MFA_with_an_Authenticator_App_with_QR_code SMS] | From here users can enable MFA via [https://wiki.studentnet.net/index.php/Multifactor_Authentication#Set_MFA_with_an_Authenticator_App_with_QR_code App with QR Code], [https://wiki.studentnet.net/index.php/Multifactor_Authentication#Set_MFA_with_an_Authenticator_App_with_setup_key App with Setup Key] or, [https://wiki.studentnet.net/index.php/Multifactor_Authentication#Set_MFA_with_an_Authenticator_App_with_QR_code SMS] | ||
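Review bot: the added text on the + side spells the link label "Mutlifactor" and reads "where they can enabled MFA"; unless the label is copied exactly from the product screen, these should be "Multifactor" and "can enable MFA". In the unchanged context line that follows, the SMS link points to #Set_MFA_with_an_Authenticator_App_with_QR_code, the same anchor as the QR code link, and should target the Set MFA with SMS section instead.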
Revision as of 03:53, 16 November 2022
Contents
- 1 Multifactor Authentication (MFA)
- 2 Activating MFA
- 3 Set MFA with an Authenticator App with QR code
- 4 Set MFA with an Authenticator App with setup key
- 5 Set MFA with SMS
- 6 Enabling MFA Whitelist
- 7 MFA for SSO
- 8 Trusted device
- 9 Disabling Trust Device
- 10 Enabling users to Manage MFA
- 11 Allow users to disable MFA
- 12 MFA without storing a mobile phone number
- 13 Enable MFA for users as an admin
- 14 Advice
Multifactor Authentication (MFA)
MFA adds another method of verification, increasing security. Users will need to input a code as well as their username and password when trying to log in to a service.
Schools that wish to use Multifactor Authentication and are not getting a prompt for a code should lodge a ticket at the support website requesting that Multifactor be enabled.
Activating MFA
- Log in to the dashboard
- Navigate to Users
- Either select a user or create a new user
- Navigate to Recovery Details and click Edit
- Add a valid phone number into the Recovery Phone field
- Click submit
- Navigate to Security and click Turn On
- Click yes, enable Multifactor
Notes
- To be done as an administrator
Set MFA with an Authenticator App with QR code
Using an Authenticator App instead of SMS allows users to log in even when their phone has no reception to receive a code via SMS.
- Go to your school's Cloudwork.ID (looks like https://<schoolname>-id.cloudworkengine.net)
- Navigate to the top right of the site where your name is
- Click Settings
- In Multifactor Authentication click Add Authenticator App
- In Google Authenticator, click the plus sign at the bottom right
- Click Scan a QR code
- Point the camera at the QR code on your school's Cloudwork.ID so that the red lines line up with it
- Enter the code shown in Google Authenticator into your school's Cloudwork.ID
Notes
- To be done as an individual user
- Users do not need to use the Google Authenticator app; other apps are available, such as Microsoft Authenticator and Authy 2-Factor Authentication
Set MFA with an Authenticator App with setup key
Using an Authenticator App instead of SMS allows users to log in even when their phone has no reception to receive a code via SMS.
- Go to your school's Cloudwork.ID (looks like https://<schoolname>-id.cloudworkengine.net)
- Navigate to the top right of the site where your name is
- Click Settings
- In Multifactor Authentication click Add Authenticator App
- Next to Camera not working? click here, click show. This will reveal the setup key.
- In Google Authenticator, click the plus sign at the bottom right
- Click Enter a setup key
- Enter the setup key into Google Authenticator
- Enter the code shown in Google Authenticator into your school's Cloudwork.ID
Notes
- To be done as an individual user
- Users do not need to use the Google Authenticator app; other apps are available, such as Microsoft Authenticator and Authy 2-Factor Authentication
Set MFA with SMS
With MFA set up using SMS, a one-time code is sent to the user's phone, which allows the user access through MFA.
- Go to your school's Cloudwork.ID (looks like https://<schoolname>-id.cloudworkengine.net)
- Navigate to the top right of the site where your name is
- Click Settings
- In Multifactor Authentication click Add a phone
- Input your phone number
- Wait for an SMS to come through from Cloudwork
- The SMS contains a code; enter the code on the Cloudwork.ID page
Notes
- To be done as an individual user
Enabling MFA Whitelist
Adding your school's IP address range to the MFA Whitelist lets users who log in from inside the school skip MFA. Users logging in from outside the school still have to go through MFA.
- Log in to your school's dashboard
- Click the menu bar > settings > CloudworkID Settings
- Navigate to Features and click Edit
- Navigate to Multifactor Authentication Whitelist
- Enter your school's IP address or IP address range into the field
Notes
- To be done as an administrator
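A whitelist entry that is too broad switches MFA off for far more than the school network, so entries are worth checking before they are saved. The following is an added example, not part of the Cloudwork product; it assumes entries are written as a single address or in CIDR notation, that the service sees the school's public address, and the /24 and /48 thresholds are a hypothetical policy.

```python
import ipaddress

# Assumed policy threshold: flag ranges wider than a /24 (IPv4) or /48 (IPv6).
MIN_PREFIX = {4: 24, 6: 48}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit_entry(entry: str) -> list:
    """Return warnings for one whitelist entry; an empty list means it looks sane."""
    try:
        iface = ipaddress.ip_interface(entry.strip())
    except ValueError:
        return ["not a valid IP address or CIDR range"]
    net = iface.network
    warnings = []
    if iface.ip != net.network_address:
        warnings.append(f"host bits set: the entry covers all of {net}")
    if net.prefixlen == 0:
        warnings.append("matches every address, so MFA would never be requested")
    elif net.prefixlen < MIN_PREFIX[net.version]:
        warnings.append(f"wider than /{MIN_PREFIX[net.version]}: confirm the school owns all of it")
    # Assumption: a hosted service sees the NAT'd public address, never the internal one.
    if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
        warnings.append("private range: the service sees the school's public address instead")
    return warnings


def mfa_required(source_ip: str, whitelist: list) -> bool:
    """True when a login from source_ip must go through MFA (address not whitelisted)."""
    addr = ipaddress.ip_address(source_ip)
    nets = [ipaddress.ip_interface(e.strip()).network for e in whitelist]
    return not any(addr.version == n.version and addr in n for n in nets)


# Constructed sample entries (documentation and private ranges, not real school addresses).
SAMPLE = ["203.0.113.0/24", "203.0.113.7/24", "192.168.1.0/24", "0.0.0.0/0", "school-lan"]

if __name__ == "__main__":
    for e in SAMPLE:
        print(f"{e:18} {audit_entry(e) or 'ok'}")
    print("off-site login needs MFA:", mfa_required("198.51.100.9", ["203.0.113.0/24"]))
```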
MFA for SSO
SSO Services can be set to only allow users to log in if they have MFA enabled.
- Log in to your school's dashboard
- Navigate to SSO > "Service of choice" > SAML Config Settings > Edit
- Select the option you want from the Multifactor Authentication dropdown box
Trusted device
As a feature of Multifactor, users have the option when logging in to select I trust this device, don't ask again. This means that for the next 30 days the user will not have to use a code for MFA.
Disabling Trust Device
This setting removes the option to trust a device for all users.
- Log in to your school's dashboard
- Click the menu bar > settings > CloudworkID Settings
- Navigate to Features and click Edit
- Navigate to Enable Trusted Devices
- Select the option Do not let users trust device
Enabling users to Manage MFA
This feature allows users to manage their own MFA settings, such as adding their own phone number or app for MFA.
- Log in to your school's dashboard
- Click the menu bar > settings > CloudworkID Settings
- Navigate to Features and click Edit
- Under Multifactor Authentication, select from the drop down Users can manage multifactor authentication
Allow users to disable MFA
This feature allows users to turn MFA off for themselves.
- Log in to your school's dashboard
- Click the menu bar > settings > CloudworkID Settings
- Navigate to Features and click Edit
- Under Disable Multifactor, select from the drop down Users can disable multifactor authentication
MFA without storing a mobile phone number
- Log in to the CloudworkID service
- Select Update Recovery Settings
- Supply a valid mobile phone number and click Submit
- Enter the verification code and click Submit
- Click Turn on underneath MFA
- Enter the verification code and click Submit
- Click Add Authenticator App
- On your phone, scan the QR code. Then enter the verification code and click Submit
- Click the trash icon next to Text Message to .....
- Click Delete to confirm
- Click Update recovery settings
- Clear the form field for Recovery Phone and click submit
The user now has MFA operating, without having their personal mobile tied to their account.
Enable MFA for users as an admin
Enable MFA for SMS via admin
- Log in as an admin to the Cloudwork Dashboard
- Navigate to Users and click the intended user
- Under Security click Enable SMS
- If a recovery phone number is not set, one will need to be entered
- If a recovery phone number is already entered, MFA for SMS will be activated
Enable MFA for Authenticator App via admin by scanning QR code
By enabling MFA for Authenticator App via admin, users can have MFA operating, without having their personal mobile tied to their account.
- Log in as an admin to the Cloudwork Dashboard
- Navigate to Users and click the intended user
- Under Security click Enable App
- Open up the Authenticator App and scan the QR code
- Enter the code and MFA for Authenticator App will be activated
Enable MFA for Authenticator App via admin by entering setup key
By enabling MFA for Authenticator App via admin, users can have MFA operating, without having their personal mobile tied to their account. If the user's personal mobile does not have a working camera, a setup key can be entered instead.
- Log in as an admin to the Cloudwork Dashboard
- Navigate to Users and click the intended user
- Under Security click Enable App
- Next to Camera not working? click here, click show to reveal the secret key.
- Open up the Authenticator App and enter the setup key
- Enter the code and MFA for Authenticator App will be activated
Turn off MFA via admin
This will turn off MFA via SMS and MFA via App.
- Log in as an admin to the Cloudwork Dashboard
- Navigate to Users and click the intended user
- Under Security click Turn Off
Notes
- To be done as an administrator
Forcing certain organisational units to use MFA
This setting can force certain organisational units to use MFA while all other users do not need to use MFA.
Once the setting is enabled, any user who does not have MFA enabled will not be allowed to access any service until MFA is turned on.
When users without MFA enabled try to access any service, they will be shown a screen similar to this: [Image: Enforced_MFA.PNG]
Clicking on Click here to enable Multifactor Authentication will take users to the CloudworkID page where they can enable MFA.
From here users can enable MFA via App with QR Code, App with Setup Key, or SMS.
- Log in as an admin to the Cloudwork Dashboard
- Click the side bar and click settings > Cloudwork.ID Settings
- On the left side of the screen there are all the org units; select the intended org unit
- Under feature, click Override Settings, then click submit
- Under Users must enable MFA select yes
- Click submit
Notes
- To be done as an administrator
- When clicking Override Settings, changes to the parent org unit will not affect the child org units.
Advice
- We strongly advise people travelling overseas to use an authenticator app to avoid any issues with SMS delivery.