User MFA

Admin switch on MFA

  • Use the on/off switch to enable or disable MFA for a user
  • When MFA has been set by an admin, the change is pending (see the users list)
  • A pending MFA status means that the user still needs to enroll, that is, register his TOTP generator (Google Authenticator)
  • An administrator can use the reset button to regenerate the TOTP secret and thereby invalidate the user's current generator
  • Warning: MFA On/Off and reset are triggered on click, not when the user is saved

User enrollment

On his first login after an administrator has enabled MFA on his account, the user will be asked to enroll through a 4-step form:

Step 0 : Welcome

Here the client is told that he is to enroll in MFA and use his mobile phone as a piece of security evidence.

Step 1 : Download app

Here the client is told to download the Google Authenticator application; he is provided with links to the Android and iOS application stores.

Step 2 : Scan QR Code

Here the client is asked to use the Google Authenticator application to register his account either by scanning the QR code or manually entering the key.

Step 3 : Verify code

Here the client is told to enter his first TOTP code to verify the enrollment process. If validation succeeds, he will be logged in with a valid MFA and token.
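
The enrollment flow above, as an added Python sketch that is not the product's own backend code: it generates the secret, builds the `otpauth://` URI that the QR code encodes, and keeps MFA pending until the first RFC 6238 code verifies. The `User` class, its method names and the `issuer` parameter are hypothetical.

```python
import base64, hashlib, hmac, secrets, struct
from urllib.parse import quote

def new_secret() -> str:
    """Fresh 160-bit secret, Base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode()

def provisioning_uri(secret: str, account: str, issuer: str) -> str:
    """otpauth:// URI encoded in the QR code; `secret` is the manual-entry key."""
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"

def totp(secret: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, 30 s steps and 6 digits."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(base64.b32decode(secret), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: str, code: str, at: float, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + i * 30), code)
               for i in range(-window, window + 1))

class User:
    """Hypothetical account record: MFA is pending until the first code verifies."""
    def __init__(self, email: str):
        self.email, self.secret, self.mfa = email, None, "off"

    def admin_enable_or_reset(self) -> None:
        # A new secret means a previously enrolled generator no longer matches.
        self.secret, self.mfa = new_secret(), "pending"

    def enroll(self, code: str, at: float) -> bool:
        if self.mfa == "pending" and verify(self.secret, code, at):
            self.mfa = "enrolled"
        return self.mfa == "enrolled"
```

A wider `window` tolerates more clock drift but lengthens the time during which an observed code stays valid.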

User login

Once a user is properly enrolled with MFA, he will need his mobile device with Google Authenticator to log in. With MFA, the login procedure is split into 2 steps:

  1. Classic login with email and password
  2. Enter valid TOTP code


Backend API changes

This article describes how to enable and use multi-factor authentication (MFA) from the backend point of view.

...