Difference between revisions of "Multifactor Authentication"

From Studentnet Wiki
Jump to navigation Jump to search
 
(9 intermediate revisions by the same user not shown)
Line 5: Line 5:
 
For school's wishing to use Multifactor Authentication and are not getting a prompt for a code, lodge a ticket at [https://support.studentnet.net support website] requesting for Multifactor to be enabled.
 
For school's wishing to use Multifactor Authentication and are not getting a prompt for a code, lodge a ticket at [https://support.studentnet.net support website] requesting for Multifactor to be enabled.
  
==Activating MFA==
+
==MFA setup for individual users to do==
# Login to dashboard
 
# Navigate to '''Users'''
 
# Either select a user or create a new user
 
# Navigate to '''Recovery Details''' and click '''Edit'''
 
# Add a valid phone number into '''Recovery Phone''' field
 
# Click '''submit'''
 
# Navigate to '''Security''' and click '''Turn On'''
 
# Click '''yes,enable Multifactor'''
 
  
===Notes===
+
{| class="wikitable"
* To be done as an administrator
+
|+ MFA Setup
 +
|-
 +
! MFA Type !! Description !! Wiki Documentation
 +
|-
 +
| '''Setting up MFA via CloudworkID Authenticator'''|| Instructions for setting up MFA via CloudworkID Authenticator|| [https://wiki.studentnet.net/index.php/Setup_MFA_with_CloudworkID_Authenticator Link to Documentation]
 +
|-
 +
| '''Setting up MFA via Generic Authenticator App with QR Code'''|| Instructions for setting up MFA via Generic Authenticator app using QR code|| [https://wiki.studentnet.net/index.php/Set_MFA_with_an_Authenticator_App_with_QR_code Link to Documentation]
 +
|-
 +
| '''Setting up MFA via an Authenticator App with setup key'''|| Instructions for setting up MFA via Generic Authenticator app using setup key|| [https://wiki.studentnet.net/index.php/Set_MFA_with_an_Authenticator_App_with_setup_key Link to Documentation]
 +
|-
 +
| '''Setting up MFA via 1Password'''|| Instructions for setting up MFA via 1Password|| [https://wiki.studentnet.net/index.php/Set_MFA_with_1Password_Link Link to Documentation]
 +
|-
 +
| '''Setting up MFA via SMS'''||Instructions for setting up MFA via SMS|| [https://wiki.studentnet.net/index.php/Set_MFA_with_SMS Link to Documentation]
 +
|}
  
==Set MFA with CloudworkID Authenticator==
+
==Admins setting up MFA for a user==
#Download the CloudworkID Authenticator: https://play.google.com/store/apps/details?id=com.coherentcloud.cwauthapp&hl=en&gl=AU
 
# Go to your school's Cloudwork.ID (looks like https://<schoolname>-id.cloudworkengine.net)
 
# Navigate to the top right of the site where your name is
 
# Click '''Settings'''
 
# In '''Mulftifactor Authentication''' click '''Add CloudworkID MFA App'''
 
# Using '''CloudworkID Authenticator''' click on the topright, the plus sign
 
# Point the camera to the QR code so the red lines line up with the QR code on your school's Cloudwork.ID
 
# Click Ok
 
  
==Set MFA with an Authenticator App with QR code==
+
{| class="wikitable"
 +
|+ MFA Setup done as admin for a user
 +
|-
 +
! MFA Type !! Description !! Wiki Documentation
 +
|-
 +
| '''Setting up MFA via CloudworkID Authenticator'''|| Instructions for setting up MFA via CloudworkID Authenticator|| [https://wiki.studentnet.net/index.php/Enable_MFA_for_CloudworkID_Authenticator_via_admin Link to Documentation]
 +
|-
 +
| '''Setting up MFA via Generic Authenticator App with QR Code'''|| Instructions for setting up MFA via Generic Authenticator app using QR code || [https://wiki.studentnet.net/index.php/Enable_MFA_for_Authenticator_App_via_admin_by_scanning_QR_code Link to Documentation]
 +
|-
 +
| '''Setting up MFA with an Authenticator App with setup key'''|| Instructions for setting up MFA via Generic Authenticator app using setup key || [https://wiki.studentnet.net/index.php/Enable_MFA_for_Authenticator_App_via_admin_by_entering_setup_key Link to Documentation]
 +
|-
 +
| '''MFA with SMS'''|| Instructions for setting up MFA via SMS || [https://wiki.studentnet.net/index.php/Enable_MFA_for_SMS_via_admin Link to Documentation]
 +
|}
  
By using an Authenticator App instead on SMS will allow users to log in if there is no reception for their phone to retrieve code via SMS
+
==MFA Settings in the Cloudwork Dashboard for Admins==
  
# Go to your school's Cloudwork.ID (looks like https://<schoolname>-id.cloudworkengine.net)
+
{| class="wikitable"
# Navigate to the top right of the site where your name is
+
|+ MFA Micro Management
# Click '''Settings'''
+
|-
# In '''Mulftifactor Authentication''' click '''Add Authenticator App'''
+
! MFA Type !! Description !! Wiki Documentation
# Using '''Google Authenticator''' click on the bottom right, the plus sign
+
|-
# Click Scan a QR code
+
| '''MFA Whitelist'''|| IP Addresses listed will not require MFA when signing in|| [https://wiki.studentnet.net/index.php/MFA_Whitelist Link to Documentation]
# Point the camera to the QR code so the red lines line up with the QR code on your school's Cloudwork.ID
+
|-
# Input code that is shown on '''Google Authenticator''', to your school's Cloudwork.ID
+
| '''Enforce MFA for certain OU'''|| Force specific OUs to have MFA enabled to be able to continue using services|| [https://wiki.studentnet.net/index.php/Enforcing_MFA_for_a_specific_OU Link to Documentation]
 +
|-
 +
| '''Enabling Trusted Device'''|| Allow users to remember an device so users are not prompted for MFA|| [https://wiki.studentnet.net/index.php/Trusted_Device Link to Documentation]
 +
|-
 +
| '''Letting users manage MFA'''|| Allow users to manage what MFA option a user can use as well remove MFA options they no longer need|| [https://wiki.studentnet.net/index.php/Letting_users_manage_their_own_MFA Link to Documentation]
 +
|-
 +
| '''Enforcing MFA for a SSO Service'''|| Before users can access an SSO Service, MFA must be enabled|| [https://wiki.studentnet.net/index.php/Enforcing_MFA_for_a_SSO_Service Link to Documentation]
 +
|}
  
===Notes===
+
==Miscellaneous MFA Information==  
* To be done as an individual user
 
* Users do not need to use '''Google Authenticator App''', there are other apps such as Microsoft Authenticator and Authy 2-Factor Authentication
 
  
==Set MFA with an Authenticator App with setup key==
+
{| class="wikitable"
 +
|+ Miscellaneous MFA Information
 +
|-
 +
! Information !! Description !! Wiki Documentation
 +
|-
 +
| '''Creating a Custom CloudworkID Authenticator App'''|| Instructions on how to lodge a ticket for creating a custom CloudworkID Authenticator App|| [https://wiki.studentnet.net/index.php/Creating_a_custom_CloudworkID_Authenticator_App Link to Documentation]
 +
|}
  
By using an Authenticator App instead on SMS will allow users to log in if there is no reception for their phone to retrieve code via SMS
 
  
# Go to your school's Cloudwork.ID (looks like https://<schoolname>-id.cloudworkengine.net)
 
# Navigate to the top right of the site where your name is
 
# Click '''Settings'''
 
# In '''Mulftifactor Authentication''' click '''Add Authenticator App'''
 
# Next to '''Camera not working? click here''' and click '''show'''. This will reveal setup key.
 
# Using '''Google Authenticator''' click on the bottom right, the plus sign
 
# Click '''Enter a setup key'''
 
# Enter the setup key into '''Google Authenticator'''
 
# Input code that is shown on '''Google Authenticator''', to your school's Cloudwork.ID
 
 
===Notes===
 
* To be done as an individual user
 
* Users do not need to use '''Google Authenticator App''', there are other apps such as Microsoft Authenticator and Authy 2-Factor Authentication
 
 
==Set MFA with 1Password==
 
 
These instructions are specifically for setting up MFA with the password manager 1Password
 
 
# Go to your school's Cloudwork.ID (looks like https://<schoolname>-id.cloudworkengine.net)
 
# Navigate to the top right of the site where your name is
 
# Click '''Settings'''
 
# In '''Mulftifactor Authentication''' click '''Add Authenticator App'''
 
# Using '''1Password''' click on the '''click here if you cant scan the QR code''' link and copy code that is revealed
 
# Input code from '''1Password''', to your school's Cloudwork.ID
 
 
===Notes===
 
* To be done as an individual user
 
 
==Set MFA with SMS==
 
 
Setting MFA using SMS, will have a one-time code be sent to the user's phone which will allow the user access through MFA
 
 
# Go to your school's Cloudwork.ID (looks like https://<schoolname>-id.cloudworkengine.net)
 
# Navigate to the top right of the site where your name is
 
# Click '''Settings'''
 
# In '''Mulftifactor Authentication''' click '''Add a phone'''
 
# Input your phone number
 
# Wait for an SMS to come through from Cloudwork
 
# On the SMS is a code, input the code onto the Cloudwork.ID page
 
===Notes===
 
* To be done as an individual user
 
 
==Enabling MFA Whitelist==
 
 
Using MFA Whitelist for your school's Ip address range will allow users logging in, inside the school to not have to go through MFA. But logging in outside school will have the user go through MFA
 
 
# Login into your school's dashboard
 
# Click the '''menu bar'''>'''settings'''>'''CloudworkID Settings''' </br> [[File:Menu.png|300px]]
 
# Navigate to '''Features''' and click '''Edit'''
 
# Navigate to '''Multifactor Authentication Whitelist'''
 
# Enter into the field your school's Ip address or Ip address range
 
===Notes===
 
* To be done as an administrator
 
 
==MFA for SSO==
 
 
SSO Services can be set to only allow users to log in if they have MFA enabled.
 
 
# Login to your school's dashboard
 
# Navigate to SSO > "Service of choice" > SAML Config Settings > Edit
 
# Select the option you want from the Multifactor Authentication dropdown box 
 
[[File:multifactorsso.png|500px]]
 
 
==Trusted device==
 
As a feature of Multifactor, Users have the option when logging in to select '''I trust this device, don't ask again'''. This means for the next 30 days the user will not have to use a code for MFA.
 
 
==Disabling Trust Device==
 
This feature can disable any user from having the option to trust a device.
 
 
# Login into your school's dashboard
 
# Click the '''menu bar'''>'''settings'''>'''CloudworkID Settings''' </br> [[File:Menu.png|300px]]
 
# Navigate to '''Features''' and click '''Edit'''
 
# Navigate to '''Enable Trusted Devices'''
 
# Select the option '''Do not let users trust device'''
 
 
==Enabling users to Manage MFA==
 
This features allows users manage their own MFA setting such as adding their own phone number or app for MFA.
 
 
# Login into your school's dashboard
 
# Click the menu bar>settings>CloudworkID Settings </br> [[File:Menu.png|300px]]
 
# Navigate to '''Features''' and click '''Edit'''
 
# Under '''Multifactor Authentication''', select from the drop down '''Users can manage multifactor authentication'''
 
 
==Allow users to disable MFA==
 
This feature allows users to Turn MFA off for themselves.
 
 
# Login into your school's dashboard
 
# Click the menu bar>settings>CloudworkID Settings </br> [[File:Menu.png|300px]]
 
# Navigate to '''Features''' and click '''Edit'''
 
# Under '''Disable Multifactor''', select from the drop down '''Users can disable multifactor authentication'''
 
 
==MFA without storing a mobile phone number==
 
 
# login to the CloudworkID service
 
# Select '''Update Recovery Settings'''
 
# Supply a valid mobile phone number and click '''Submit'''
 
# Enter the verification code and click '''Submit'''
 
# Click '''Turn on''' underneath MFA
 
# Enter the verification code and click '''Submit'''
 
# Click '''Add Authenticator App'''
 
# On your phone, scan the QR code. Then enter the verification code and click '''Submit'''
 
# Click the trash icon next to '''Text Message to .....'''
 
# Click '''Delete''' to confirm
 
# Click '''Update recovery settings'''
 
# Clear the form field for '''Recovery Phone''' and click submit
 
 
The user now has MFA operating, without having their personal mobile tied to their account.
 
 
==Enable MFA for users as an admin==
 
 
===Enable MFA for SMS via admin===
 
# Login as an admin to the Cloudwork Dashboard
 
# Navigate to Users and click intended user
 
# Under Security click '''Enable SMS'''
 
# If a recovery phone number is not set, one will need to be entered
 
# If a recovery phone number is already entered MFA for SMS will be activated
 
 
===Enable MFA for Authenticator App via admin by scanning QR code===
 
By enabling MFA for Authenticator App via admin, users can have MFA operating, without having their personal mobile tied to their account.
 
 
# Login as an admin to the Cloudwork Dashboard
 
# Navigate to Users and click intended user
 
# Under Security click '''Enable App'''
 
# Open up the Authenticator App and scan the QR code
 
# Enter the code and MFA for Authenticator App will be activated
 
 
===Enable MFA for Authenticator App via admin by entering setup key===
 
By enabling MFA for Authenticator App via admin, users can have MFA operating, without having their personal mobile tied to their account.
 
If the personal mobile the user has does not have a working camera a setup key can be inputted instead.
 
 
# Login as an admin to the Cloudwork Dashboard
 
# Navigate to Users and click intended user
 
# Under Security click '''Enable App'''
 
# Next to '''Camera not working? click here''' Click the '''show''' to reveal secret key.
 
# Open up the Authenticator App and enter the setup key
 
# Enter the code and MFA for Authenticator App will be activate
 
 
===Turn off MFA via admin===
 
This will turn off MFA via SMS and MFA via App.
 
 
# Login as an admin to the Cloudwork Dashboard
 
# Navigate to Users and click intended user
 
# Under Security click '''Turn Off'''
 
 
===Notes===
 
* To be done as an administrator
 
 
===Forcing certain organisation units to use MFA===
 
This setting change can force certain organisational units to use MFA while all other users do not needs to use MFA<br>
 
How this works is that once the setting is enabled, any user who does not have MFA enabled, will not be allowed to access any service until MFA is turned on.<br>
 
When users without MFA enabled try to access any service, they will be shown a screen similar to this<br>[[File:Enforced_MFA.PNG]]<br>
 
Clicking on '''Click here to enable Mutlifactor Authentication''' will take users to the CloudworkID Page where they can enabled MFA.<br>
 
From here users can enable MFA via [https://wiki.studentnet.net/index.php/Multifactor_Authentication#Set_MFA_with_an_Authenticator_App_with_QR_code App with QR Code], [https://wiki.studentnet.net/index.php/Multifactor_Authentication#Set_MFA_with_an_Authenticator_App_with_setup_key App with Setup Key] or, [https://wiki.studentnet.net/index.php/Multifactor_Authentication#Set_MFA_with_an_Authenticator_App_with_QR_code SMS]
 
 
# Login as an admin to the Cloudwork Dashboard
 
# Click the side bar and click settings>'''Cloudwork.ID Settings'''
 
# On the left side of the screen there are all the org units, select the intended org unit
 
# Under feature Click '''Override Settings''' then click submit
 
# Under '''Users must enable MFA''' select '''yes'''
 
# Click submit
 
 
===Notes===
 
*To be done as administrator
 
*When clicking '''Override Settings''', changes to the parent org unit will not affect the children org units.
 
 
==Advice==
 
*We strongly advise people travelling overseas to use an authenticator app to avoid any issues with SMS delivery.
 
 
[[Category:Cloudwork Dashboard]]
 
[[Category:Cloudwork Dashboard]]

Latest revision as of 05:26, 9 August 2023

Multifactor Authentication (MFA)

The purpose of using MFA is it adds another method of verification, increasing security. Users will need to input a code well as their username and password when trying to login to a service.

For school's wishing to use Multifactor Authentication and are not getting a prompt for a code, lodge a ticket at support website requesting for Multifactor to be enabled.

MFA setup for individual users to do

MFA Setup
MFA Type Description Wiki Documentation
Setting up MFA via CloudworkID Authenticator Instructions for setting up MFA via CloudworkID Authenticator Link to Documentation
Setting up MFA via Generic Authenticator App with QR Code Instructions for setting up MFA via Generic Authenticator app using QR code Link to Documentation
Setting up MFA via an Authenticator App with setup key Instructions for setting up MFA via Generic Authenticator app using setup key Link to Documentation
Setting up MFA via 1Password Instructions for setting up MFA via 1Password Link to Documentation
Setting up MFA via SMS Instructions for setting up MFA via SMS Link to Documentation

Admins setting up MFA for a user

MFA Setup done as admin for a user
MFA Type Description Wiki Documentation
Setting up MFA via CloudworkID Authenticator Instructions for setting up MFA via CloudworkID Authenticator Link to Documentation
Setting up MFA via Generic Authenticator App with QR Code Instructions for setting up MFA via Generic Authenticator app using QR code Link to Documentation
Setting up MFA with an Authenticator App with setup key Instructions for setting up MFA via Generic Authenticator app using setup key Link to Documentation
MFA with SMS Instructions for setting up MFA via SMS Link to Documentation

MFA Settings in the Cloudwork Dashboard for Admins

MFA Micro Management
MFA Type Description Wiki Documentation
MFA Whitelist IP Addresses listed will not require MFA when signing in Link to Documentation
Enforce MFA for certain OU Force specific OUs to have MFA enabled to be able to continue using services Link to Documentation
Enabling Trusted Device Allow users to remember an device so users are not prompted for MFA Link to Documentation
Letting users manage MFA Allow users to manage what MFA option a user can use as well remove MFA options they no longer need Link to Documentation
Enforcing MFA for a SSO Service Before users can access an SSO Service, MFA must be enabled Link to Documentation

Miscellaneous MFA Information

Miscellaneous MFA Information
Information Description Wiki Documentation
Creating a Custom CloudworkID Authenticator App Instructions on how to lodge a ticket for creating a custom CloudworkID Authenticator App Link to Documentation