
Two-factor authentication

Version 5.32 beta2 implements a function that enables and enforces verification by a second factor before a user is successfully logged in to the ISPadmin system.

Verification can be done using the Google Authenticator mobile app, which is freely available on Google Play or the App Store.

We support any verification application that offers a one-time code with limited validity, for example Twilio Authy, Google Authenticator or Microsoft Authenticator.

Authentication with Google Authenticator

What is two-factor authentication?

It is the use of two factors for successful authentication when logging a user into the system:

  • something the user knows (name and password)
  • something the user owns (a mobile phone with an application)

Two-factor authentication increases the security level of user accounts because, apart from knowing the user name and password, it also requires confirmation with a verification code (TOTP) from the mobile application (authenticator).

Even if the attacker knows the username and password, he will not be able to access the account without a second authentication factor from the mobile application (authenticator).

For selected user accounts, it is possible to require an additional authentication step (2FA) when the user logs in to the ISPadmin system.

After entering the correct user name and password, it is necessary to enter a unique code from the mobile application on the phone.

The settings

WARNING
If the 2FA settings are reset or the user's password is changed, a new account/profile must be added to the authenticator using a QR code. After changing the password or resetting the settings, the old account/profile is no longer valid and it isn't possible to log in with a code from the original account.

This is an optional function, which is switched off by default.

The exception is the service account with the user name netservice, for which two-factor authentication is turned on automatically after an update. This is for security reasons related to remote installations.

Two-factor authentication can be turned on for a specific user account in the user account settings (Settings –> Administrators –> Administrators): in the 2FA column, click the cross (which indicates that it is off) and then the option Enable 2FA (see the picture).

Enable two-factor authentication for a specific user account

Two-factor authentication can be turned off for a user account, or the account settings can be reset (a QR code is displayed to add a new account to the authenticator).

Reset or disable 2FA

The settings can also be reset in the user settings of the specific user account.

User settings

In the section Setting up two-phase verification via TOTP, click Edit.

Two-factor authentication settings

After entering the account's password, it is possible to display the current settings (QR code) or to generate new settings with the option Generate a new secret (these are new account settings for the authenticator, so a new account must be added in the authenticator).

Option to view existing settings or generate new ones

The verification process

WARNING
In case of several unsuccessful login attempts (username / password / OTP) from one IP address over a certain period of time, the possibility to log in to the system from this IP address will be blocked for a certain period of time (prevention of brute force attack).

Before the first authentication, it is necessary to add an account to the application (authenticator).

The account can be added by scanning the QR code that is displayed before the first login of a user for whom 2FA was turned on, or after the user's account settings were reset.

First login and the QR code shown for adding the account in the authenticator

In the authenticator, specifically in the Google Authenticator application, an account can be added by using a button… and selecting the option Scan QR code.

After the first account addition, the account will be available in the application for the next login.

The code for a specific account changes in the application at regular intervals (30 seconds). While it is valid, the displayed code must be entered or copied into the appropriate field in the ISPadmin system, which appears after valid login information (name and password) is entered.

Field for entering/pasting the code from the authenticator (after entering the correct login data)
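
How a 30-second code is derived from the secret in the QR code and checked on the server side, as an added example following RFC 6238 (this is not ISPadmin's own code). The 6-digit length, HMAC-SHA1, the tolerance of one step, the replay check and the account and issuer names are assumptions.

```python
import base64, hashlib, hmac, secrets, struct
from urllib.parse import quote

STEP = 30    # seconds each code is valid (the interval the page states)
DIGITS = 6   # assumption: the common authenticator default

# Constructed sample secret: the RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def new_secret() -> str:
    """Fresh random 160-bit secret; codes from a profile built on the old one stop matching."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 code (HMAC-SHA1) for the 30-second step that contains unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(base64.b32decode(secret_b32), counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind a QR code carries to the authenticator app."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&period={STEP}&digits={DIGITS}")

def verify(secret_b32, code, unix_time, last_used_step=-1, drift=1):
    """Return the matching time step, or None if the code is rejected.

    drift accepts codes from +/- that many steps to absorb clock skew;
    steps at or before last_used_step are refused so a code cannot be replayed.
    """
    if len(code) != DIGITS or not code.isascii():
        return None
    now_step = unix_time // STEP
    for step in range(now_step - drift, now_step + drift + 1):
        if step > last_used_step and hmac.compare_digest(totp(secret_b32, step * STEP), code):
            return step
    return None

if __name__ == "__main__":
    # Hypothetical account and issuer names, constructed for this example.
    print(provisioning_uri(SAMPLE_SECRET, "admin", "ISPadmin"))
    print(totp(SAMPLE_SECRET, 59))
```

Storing the step returned by verify and passing it back as last_used_step on the next login makes each code usable only once within its validity window.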