Multifactor Authentication
Overview

Two-factor authentication (also known as multifactor authentication or MFA) is a strongly recommended option that provides a significant, additional layer of security to user logins. When two-factor authentication is enabled, login requires authorization via the user's email address or a TOTP authenticator program in addition to the username and password.

2FA Authentication Using TOTP

The user utilizes a TOTP authenticator application, commonly installed on their mobile device, such as Google Authenticator or Microsoft Authenticator. The user configures KorGrid as an account within their authentication application; this can be done easily by scanning the provided QR code from within the platform's user interface. Subsequently, the authenticator application continuously generates a new code for the user to enter at login. Each code generated by the TOTP application is typically only valid for 30 seconds or less.

2FA Authentication Using Email

The first time a user initiates login from a new device, a security code is emailed to the user's email address. This code must be entered to complete the login process. Optionally, the user can select to store the security code on the local device, for automatic retrieval on subsequent login actions from the same local device. (This function is intended for personal devices, such as a user's home computer, personal laptop, cellphone, etc.)

TOTP provides a much higher degree of security as it does not rely on an email account, which can be compromised. TOTP is generated on a separate device, like a cell phone, making it harder for attackers to intercept. TOTP-based MFA can work without an internet connection once the setup is complete, whereas email requires internet access to receive verification codes. Email-based (rather than TOTP-based) MFA should typically only be considered for low-access, non-critical accounts.

Configure Two-Factor Authentication

1. From the top menu, click System > Settings.
2. From the left menu, click Advanced Settings.
3. In the setting search field, type the options below to modify their default values.

Two Factor Authentication

- Default Disabled: new users are created with two-factor authentication disabled; optionally it can be enabled per user.
- Default Enabled: new users are created with the two-factor authentication option enabled; the option can be disabled per user.
- Required: all users are automatically set to use two-factor authentication; the option cannot be disabled or overridden for any user.

Two Factor Authentication Expiration Time for Temporary Codes (Seconds)

This setting determines the length of time a security code is valid. For example, using the default setting of 300 seconds, the code must be entered within 5 minutes (300 seconds) from the time it was issued.

Two Factor Authentication Expiration Time for Authenticated User Devices (0 for Never Expire)

The default setting is 7884000 seconds (roughly 91 days). This setting determines the amount of time a security code is stored on a user's local device. For example, on a system in which the setting is changed to 864000: a user logs into a laptop, uses the security code received via email and selects the option labeled "This is a private computer". The security code is stored and automatically applied for the user on this device for 864000 seconds (10 days), so the user will not need to retrieve the security code from email and enter it again during any login attempts for the next 10 days. If the system setting is set to 0, there is no expiration on locally stored security codes.

Enable Two-Factor Authentication for a User

If the system setting Two Factor Authentication is set to Required, all users will automatically have two-factor authentication enabled and the option to enable/disable it will not appear in the user edit form.

1. From the top menu, click System > Users.
2. Select a user, then from the left menu, click Edit.
3. Select the checkbox option for Two Factor Authentication. The Email Address field will become required when two-factor authentication is enabled.
4. Verify that a valid email address is entered for the user. Security codes necessary to successfully log in to the UI will be sent to the email address specified.
5. Click Submit.
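
The 30-second validity of TOTP codes described in the TOTP section can be seen in a short RFC 6238 sketch. This is an added example, not KorGrid's code: it assumes 6-digit HMAC-SHA1 codes, a verifier that tolerates one step of clock drift, and uses the RFC 6238 test key as a constructed sample secret.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # validity period of each code, as described on the page
DIGITS = 6         # assumption: 6-digit codes, the usual authenticator-app default


def totp(secret_b32: str, unix_time: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing unix_time."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(unix_time) // STEP_SECONDS
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, submitted: str, unix_time: float,
           drift_steps: int = 1) -> bool:
    """Accept the current step's code plus drift_steps neighbours (clock skew)."""
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, unix_time + delta * STEP_SECONDS)
        # Constant-time comparison, and no early exit on a match.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


# Constructed sample secret: the RFC 6238 test key, base32-encoded the way
# an authenticator app receives it from the QR code.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    issued_at = 1111111109  # constructed timestamp (an RFC 6238 test vector)
    code = totp(SAMPLE_SECRET, issued_at)
    print("code:", code)
    print("2 s later, next step:", verify(SAMPLE_SECRET, code, issued_at + 2))
    print("5 min later:", verify(SAMPLE_SECRET, code, issued_at + 300))
```

Each step of drift the verifier tolerates lengthens the time a captured code stays usable by 30 seconds, so the tolerance should stay as small as clock accuracy allows.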