Two-factor authentication (2FA) provides an additional layer of security for authenticating users. The user is granted access only after successfully presenting two pieces of evidence (or factors): knowledge (something the user and only the user knows), and possession (something the user and only the user has).
Naverisk uses a password and/or a PIN code as the knowledge factor, and a Time-based One Time Password (TOTP), generated by the Google Authenticator (or compatible) application as the possession factor. A person without knowledge of the Password/PIN code and possession of the device running Google Authenticator is unable to log into Naverisk.
This document details the steps of setting up Google Two-Factor Authentication for users of Naverisk. This guide will also cover setting up Google Authenticator on an iPhone to generate authentication codes.
It is recommended that the Google Authenticator or compatible application is downloaded onto a smartphone to generate the authentication code needed when logging in. This can be found by simply searching for the Google Authenticator app on the Apple App Store (iPhone) or Google’s Play Store (Android).
2.0 Configuring Google Two-Factor Authentication
2.1 Changing User Password Type in Naverisk
Note that 2FA can only be configured by the individual user for themselves. It is not possible to set up 2FA on behalf of another user, as the 2FA key is not visible for user accounts other than your own.
1. Log in to Naverisk, click on Home, then click My Profile and go to Settings.
2. Under the Authentication section, click the drop-down arrow for Authentication Type.
2.1.1 Google 2FA with PIN
1. Select Google 2FA.
2. Take note of your Google 2FA Key, as you will need this shortly. Enter a PIN number that you will remember. PIN numbers can contain only digits and can be up to 6 digits long.
Note: while the PIN number is not mandatory, configuring one is strongly recommended. Without a PIN, authentication is reduced to a single factor: anyone in possession of the device running the Google Authenticator app can log in.
3. If you wish to scan a QR code, click on Show QR Code.
4. It will then show you a QR code to scan to your phone.
5. Then click Save.
2.1.2 Google 2FA with Password
1. Select Google 2FA + Password.
2. Take note of your Google 2FA Key, as you will need this shortly. You may optionally also enter a PIN number that you will remember. PIN numbers can contain only digits and can be up to 6 digits long.
3. Your original Naverisk password will remain the same when used with 2FA. You can enter a new password if you wish to change it.
4. If you wish to scan a QR code, click on Show QR Code.
5. It will then show you a QR code to scan to your phone.
6. Then click Save.
2.2 Setting up your Smart Phone
1. On your phone, open your Authentication app.
2. In the Authenticator app, tap the + icon.
3. You can then either choose to scan a QR code or enter manually. In this case, we will enter the code manually.
4. Enter an identifiable name under Account (e.g. Naverisk), then under Key enter the Google 2FA key you noted down above. Then tap the Tick button.
5. If successful, you should then see your Naverisk Authentication code.
Go back to the Naverisk login portal. When you type in your Username, you should now see Google 2FA Code next to the password field.
Using your phone, type in the Google Authentication code displayed on the app, followed by the PIN number you entered previously (CODEpin). You should now be logged in.
It is important to make sure that your phone is using the correct time, otherwise your Authentication Code will not work – even if the time is slightly out.
If you are running an Onsite instance of Naverisk, please also check that your Site Controller’s time is correct.
If you are using Naverisk in the Cloud, please contact email@example.com so we can investigate.
If the initial setup of the Authenticator app is not accepting your 2FA key, please ensure you are entering the exact key. It may also be related to time sync problems. To sync the app's time:
- Go to the main menu on the Google Authenticator app
- Click Settings
- Click Time correction for codes
- Click Sync now
On the next screen, the app will confirm that the time has been synced, and you should now be able to use your verification codes to sign in. The sync will only affect the internal time of your Google Authenticator app, and will not change your Device’s Date & Time settings.
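Why a small clock error can break login, shown as an added example (not Naverisk's code): Google Authenticator codes follow RFC 6238 TOTP, so each code is derived from the key and the current 30-second time step. The key below is the RFC 6238 test key, and the acceptance window is an assumption, since this guide does not state the tolerance Naverisk applies.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (Google Authenticator default)
DIGITS = 6   # code length (Google Authenticator default)


def totp(key_b32: str, unix_time: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a Base32 key at the given time."""
    key_b32 = key_b32.replace(" ", "").upper()
    key_b32 += "=" * (-len(key_b32) % 8)          # restore stripped padding
    key = base64.b32decode(key_b32)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation, RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(key_b32: str, code: str, server_time: float, window: int = 1) -> bool:
    """Accept a code from the server's current step or `window` steps either side.

    `window` is an assumed tolerance, not a documented Naverisk setting.
    """
    return any(
        hmac.compare_digest(totp(key_b32, server_time + i * STEP), code)
        for i in range(-window, window + 1)
    )


def drift_report(key_b32, server_time, phone_offsets, window=1):
    """Map each phone clock offset (seconds) to whether its code verifies."""
    return {
        off: verify(key_b32, totp(key_b32, server_time + off), server_time, window)
        for off in phone_offsets
    }


# Constructed sample: RFC 6238 test key "12345678901234567890" in Base32.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SERVER_TIME = 1111111111   # one second into a new 30-second step

if __name__ == "__main__":
    # A phone 2 s behind is still in the previous step: rejected with no tolerance.
    print(drift_report(SAMPLE_KEY, SERVER_TIME, [0, -2, -300], window=0))
    print(drift_report(SAMPLE_KEY, SERVER_TIME, [0, -2, -300], window=1))
```

With no tolerance, a phone only two seconds behind is rejected when the server has just crossed a step boundary; a one-step window absorbs that, but not a clock that is minutes out.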