Two-factor authentication can be enabled for White Cup CRM, White Cup BI, MITS BI, and TDF CRM web users. Two-Factor Authentication (2FA) asks you to verify your identity with an authentication code or app on your cell phone when you attempt to log in to your account. This means a login requires your username, password, AND authentication from your phone to proceed – greatly increasing the security of your login.
Administrators can enable and manage two-factor authentication through the standard user management web interface.
When an administrator logs in, they will see the familiar grid of users, with the addition of one new link in the page header to “My Company”.
Click the My Company link to navigate to the preferences page for the company. (This link ONLY appears for admins.)
The “My Company” page allows administrators to do two things they could not do before:
- Edit the name of the company.
- Edit the “Two-factor Policy” for the company.
(Note that you can NOT edit the “Company ID.”)
Clicking the Two-factor Policy dropdown reveals the following choices:
Click the Help link to see some explanation:
The Two-factor Policy is set to “Unspecified” by default. The intent of “Unspecified” is for the behavior of the Identity Server, User Management UI, and products in general to behave as closely as possible to how they behaved before 2FA was introduced at all.
- Not Required: Indicates that 2FA is not required at the company level.
- Encouraged: Indicates that 2FA is to be “encouraged” at the company level. This means that a user will be encouraged (pestered) to set up 2FA during the log-in process.
- Required: Indicates that 2FA is required. Users will be required to configure it at their next log-in.
An administrator can override the company policy on a per-user basis. Additional user interface elements become available in the user management UI when the Two-factor Policy for the Company is set to any value other than “Unspecified”:
In the “Users” grid, note two new columns “2FA Policy” and “2FA Enabled”. The 2FA Policy column shows the two-factor policy for the individual user. Users who do not have a specific policy will inherit the company default and display as “Default” in this grid.
Once the user has completed the 2FA setup on their end, a checked checkbox appears in the “2FA Enabled” column. Note that this column is not editable and is only an indication of the user’s 2FA configuration and its status. If the box is unchecked, that user has not yet configured their 2FA. (If the policy is set to “Encouraged” or “Required,” the user will be prompted to complete their 2FA configuration upon their next login.)
To change an individual user’s Two-factor Policy, click the pencil icon in the Users grid to edit the user. On the “Edit User” page, note the addition of a “Two-Factor Settings” section:
Clicking the “User Two-factor Policy” drop-down will reveal choices like those seen on the Edit Company page.
Click the “Help” link for explanation:
If the user has already set up 2FA, there may eventually be a need for the customer admin or White Cup admin to reset that user’s 2FA settings, either for troubleshooting purposes or because the user lost their device, etc. Click “Reset user’s Two-factor status” to accomplish this. The user may be prompted to re-configure 2FA the next time they log in.
Logging in with 2FA Enabled
When a user’s 2FA policy value is “Encouraged” or “Required”, and the user has not yet configured 2FA, the user will see one of the following screens at log-in:
When policy is “Encouraged”:
In this scenario, the user has a choice: configure two-factor now and proceed to their destination after completing the setup, or skip 2FA for now. The next time they log in they will be prompted again.
When policy is “Required”:
In this scenario, the user has no choice but to configure 2FA. Note that when 2FA is required, a user with a valid log-in session who has not configured 2FA is automatically redirected to the login page.
When policy is “Unspecified”:
The user will be logged in and not shown any 2FA prompts even if the user has previously configured 2FA, and even if the user’s individual policy was previously set to “override” the Company default.
When the policy is “Not Required”:
The user will be shown 2FA prompts only if the user’s 2FA policy overrides the company’s policy.
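As an added illustration (not the product’s own code), the rules in this section can be written as a small decision function: the company policy, an optional per-user override, whether the user has finished setup, and whether a “Remember this machine” cookie is present together determine what the user sees after entering a correct password. The policy names are the ones used above; the return labels, the treatment of a user-level “Unspecified” as “Default”, and the `remembered` flag are assumptions made for the example.

```python
from enum import Enum
from typing import Optional


class Policy(Enum):
    UNSPECIFIED = "Unspecified"
    NOT_REQUIRED = "Not Required"
    ENCOURAGED = "Encouraged"
    REQUIRED = "Required"


def effective_policy(company: Policy, user: Optional[Policy]) -> Policy:
    """Resolve the policy the login flow actually enforces for one user.

    user=None is the "Default" shown in the Users grid (inherit the company value).
    Assumption: a user-level "Unspecified" is treated the same as "Default".
    """
    if company is Policy.UNSPECIFIED:
        # No 2FA behaviour at all, even if the user configured 2FA or has an override.
        return Policy.NOT_REQUIRED
    if user is None or user is Policy.UNSPECIFIED:
        return company
    return user  # the admin's per-user override wins, including under "Not Required"


def login_step(company: Policy, user: Optional[Policy], configured: bool,
               remembered: bool = False) -> str:
    """What the user sees after a correct username and password.

    configured: first-time setup is complete (the "2FA Enabled" checkbox).
    remembered: a valid "Remember this machine" cookie is present (assumed model).
    """
    policy = effective_policy(company, user)
    if policy is Policy.NOT_REQUIRED:
        return "signed-in"  # no 2FA prompt of any kind
    if not configured:
        # Required gives no skip link; Encouraged offers "skip for now" and asks again next time.
        return "setup-forced" if policy is Policy.REQUIRED else "setup-offered"
    return "signed-in" if remembered else "code-prompt"


def session_allowed(company: Policy, user: Optional[Policy], configured: bool) -> bool:
    """An existing session is sent back to the login page when 2FA is required but not set up."""
    return not (effective_policy(company, user) is Policy.REQUIRED and not configured)
```

The two edge cases worth checking are the ones the text calls out: a company policy of “Unspecified” silences everything, including a user override of “Required”, while a company policy of “Not Required” still honours a per-user override.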
Users’ First Time Setup
The user clicks the Configure two-factor authentication link and is taken to a setup page:
Here the user is presented with a 32-digit code. They can enter this code manually into their Authenticator app, but the simpler method is to use the QR code. The authenticator app provides instructions for adding a new login, which usually means pointing the device camera at the QR code.
The user will then enter a 6-digit verification code. Once verified for the first time, the user will be given a list of “recovery codes” and a link to continue to their destination:
How does 2FA work once configured?
The next time a user logs in, they will be presented with a prompt for a code:
The user then enters the code from the authenticator app. Note that the user has the option to “Remember this machine.” This sets a 14-day cookie on the device; while that cookie is valid, this screen is skipped and the user is sent straight into the relevant application.
The user also has the option to log in with a recovery code. This is a code that was provided when 2FA was first set up and is meant to be used when the user has no access to the device.
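The setup and login steps above (a shared secret shown as text or QR code, a 6-digit code from an authenticator app, one-time recovery codes, and a 14-day “remember this machine” cookie) are the standard time-based one-time password scheme of RFC 6238. The following stdlib-only Python is an added example of how a server implements each piece; it is not White Cup’s code, and the issuer name, the number and format of recovery codes, and the cookie record layout are assumptions.

```python
"""Added example: the server side of the authenticator-app flow (RFC 6238 TOTP)."""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP_SECONDS = 30
DIGITS = 6
REMEMBER_DAYS = 14  # lifetime of the "Remember this machine" cookie described in the text


def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def new_shared_secret() -> str:
    """20 random bytes -> 32 base32 characters: the code the setup page shows for manual entry."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// Key URI that the setup page's QR code encodes (issuer is an assumption)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def totp(secret_b32: str, timestamp: int) -> str:
    """HMAC-SHA1 over the 30-second counter, dynamically truncated to 6 digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", timestamp // STEP_SECONDS)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def verify_totp(secret_b32: str, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift, comparing in constant time."""
    if not (code.isdigit() and len(code) == DIGITS):
        return False
    return any(
        hmac.compare_digest(totp(secret_b32, timestamp + drift * STEP_SECONDS), code)
        for drift in range(-window, window + 1)
    )


def new_recovery_codes(count: int = 10):
    """Plaintext codes shown to the user once, and the hashes the server stores instead."""
    codes = [secrets.token_hex(5) for _ in range(count)]  # assumed format: 10 hex characters
    return codes, {_hash(c) for c in codes}


def use_recovery_code(stored_hashes: set, code: str) -> bool:
    """Single use: a matching code is removed from the store so it cannot be replayed."""
    h = _hash(code.strip().lower())
    if h in stored_hashes:
        stored_hashes.remove(h)
        return True
    return False


def remember_device(now: int):
    """Return the cookie value for the browser and the server-side record (hash plus expiry)."""
    token = secrets.token_urlsafe(32)
    record = {"hash": _hash(token), "expires": now + REMEMBER_DAYS * 86400}
    return token, record


def device_remembered(record: dict, cookie: str, now: int) -> bool:
    """True only while the cookie is unexpired and matches the stored hash."""
    return now < record["expires"] and hmac.compare_digest(record["hash"], _hash(cookie))
```

The server keeps only hashes of recovery codes and of the remember-device token, so a copy of the database does not yield usable codes; the `window` parameter is what lets a phone whose clock is a few seconds off still log in.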
Forgot Password/Password Reset
Users will now be able to reset their own password by clicking the Forgot Password link on the login page. An important note is that only users who have confirmed their email will be able to take advantage of this feature.
What products will have the option to use 2FA?
Any application for which users log in through the White Cup Identity Server, and not through the app itself, will use 2FA. These applications are:
- TDF CRM Web
- TDF CRM Web via the Outlook Add-in
- MITS BI
- White Cup CRM
Applications that don’t route the user to the Identity Server to log-in do not support 2FA. This includes:
- Sherpa CRM
- TDF CRM Desktop (login is done through secure Windows SID rather than traditional username and password)
- Mobile App
Will we be required to use 2FA?
No – your administrator can “opt-in” to use 2FA. If you have a reason or preference for not using 2FA, then your login process will not change.
Can a customer admin “force” a user to use 2FA?
Yes, your admin can require that 2FA be used to log in, but the admin cannot “enable” 2FA for a user. It is up to individual end-users, on their individual devices, to actually configure 2FA.
What if a user wants to reset their password, but has never confirmed their email, and therefore can’t use the Forgot Password feature?
A customer admin can use the User Management UI to trigger a confirmation email to the user, who can then confirm their email, and then reset their own password.