Two-factor authentication (2FA) provides an additional layer of security for authenticating users. The user is granted access only after successfully presenting two pieces of evidence (or factors): knowledge (something the user and only the user knows), and possession (something the user and only the user has).
Naverisk uses a PIN code as the knowledge factor, and a Time-based One-Time Password (TOTP), generated by the Google Authenticator (or compatible) application, as the possession factor. A person who lacks either the PIN code or the device running Google Authenticator is unable to log in to Naverisk.
This document details the steps of setting up Google Two-Factor Authentication for users of Naverisk. This guide will also cover setting up Google Authenticator on an iPhone to generate authentication codes.
It is recommended that the Google Authenticator or compatible application is downloaded onto a smartphone to generate the authentication code needed when logging in. This can be found by simply searching for the Google Authenticator app on the Apple App Store (iPhone) or Google’s Play Store (Android).
2.0 Configuring Google Two-Factor Authentication
2.1 Changing User Password Type in Naverisk
1. Log in to Naverisk as either yourself, or a user that has permission to change passwords (if you are doing this for someone else).
2. When logged into Naverisk, click on Settings.
3. Navigate to Users and Groups, located at the bottom of the page.
4. Locate the User you wish to edit.
5. Inside the Edit User box, click on Settings.
6. Under the Authentication section, click the drop-down arrow for Authentication Type.
7. Select Google 2FA.
8. Take note of your Google 2FA Key, as you will need this shortly. Enter a PIN that you will remember. PINs can contain only digits and can be up to 6 digits long.
Note: while the PIN is not mandatory, it is strongly recommended to configure one. Without a PIN, authentication is reduced to a single factor (login is possible with possession of the device running the Google Authenticator app alone).
9. If you wish to scan a QR code, click on Show QR Code.
10. It will then show you a QR code to scan with your phone.
11. Then click Save.
2.2 Setting up your Smart Phone
1. On your phone, open your Authenticator app.
2. In the Authenticator app, tap the + icon.
3. You can then either choose to scan a QR code or enter manually. In this case, we will enter the code manually.
4. Enter an identifiable name under Account (e.g. Naverisk), then under Key enter the Google 2FA key you noted down above. Then tap the Tick button.
5. If successful, you should then see your Naverisk Authentication code.
Go back to the Naverisk login portal. When you type in your Username, you should now see Google 2FA Code next to the password field.
Using your phone, type in the Google Authentication code displayed on the app, followed by the PIN you entered previously (CODEpin). You should now be logged in.
It is important to make sure that your phone is using the correct time, otherwise your Authentication Code will not work – even if the time is slightly out.
If you are running an Onsite instance of Naverisk, please also check that your Site Controller’s time is correct.
If you are using Naverisk in the Cloud, please contact firstname.lastname@example.org so we can investigate.
If the initial setup of the Authenticator app is not accepting your 2FA key, please ensure you are entering the exact key. It may also be related to time sync problems:
- Go to the main menu on the Google Authenticator app
- Click Settings
- Click Time correction for codes
- Click Sync now
On the next screen, the app will confirm that the time has been synced, and you should now be able to use your verification codes to sign in. The sync will only affect the internal time of your Google Authenticator app, and will not change your Device’s Date & Time settings.
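The following added example (not Naverisk's code) shows why the clock requirement above is so strict: it computes TOTP codes the way Google Authenticator does (RFC 6238, HMAC-SHA1, 30-second steps, 6 digits) and checks a code from a phone whose clock is 2 seconds ahead across a step boundary. The `accepts` verifier and its `window` tolerance are assumptions for illustration, and the key is the constructed RFC 6238 test secret, not a real Google 2FA Key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid (Google Authenticator default)
DIGITS = 6   # code length (Google Authenticator default)

def totp(key_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 key at a given clock reading."""
    key_b32 = key_b32.replace(" ", "").upper()
    key_b32 += "=" * (-len(key_b32) % 8)            # restore stripped padding
    key = base64.b32decode(key_b32)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def accepts(key_b32: str, server_time: int, code: str, window: int = 0) -> bool:
    """Hypothetical verifier: allow codes from +/- `window` steps of server time."""
    return any(
        hmac.compare_digest(totp(key_b32, server_time + i * STEP), code)
        for i in range(-window, window + 1)
    )

# Constructed sample key: the RFC 6238 test secret "12345678901234567890".
KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SERVER_TIME = 1111111109        # server clock (RFC 6238 test timestamp)
PHONE_TIME = SERVER_TIME + 2    # phone clock is only 2 seconds ahead

if __name__ == "__main__":
    phone_code = totp(KEY, PHONE_TIME)
    print("server expects:", totp(KEY, SERVER_TIME))
    print("phone shows:   ", phone_code)
    print("strict check:  ", accepts(KEY, SERVER_TIME, phone_code))
    print("window of 1:   ", accepts(KEY, SERVER_TIME, phone_code, window=1))
```
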