Enabling Two-Factor Authentication

Two-factor authentication requires you to enter two forms of identification before you can access your KeyControl webGUI account. The first form is your standard username/password combination, and the second is a one-time password (OTP) generated by an authorization app.

KeyControl supports HMAC-based One-Time Passwords (HOTP) and Time-based One-Time Passwords (TOTP). HOTP uses an event-based algorithm, and a password generated through this method is valid until the next event occurs. TOTP passwords are valid only for a very short amount of time and are therefore more secure.
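The difference between the two OTP types described above, as an added example (not KeyControl's own code): HOTP per RFC 4226 and TOTP per RFC 6238, with a server-side check for each. The secret is the RFCs' published test key, and the look-ahead and clock-drift windows are assumed values, not KeyControl settings.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (not a real key).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over an 8-byte big-endian event counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed steps."""
    return hotp(secret, int(now // step), digits)


def _same(a: str, b: str) -> bool:
    # Constant-time comparison so timing does not reveal matching digits.
    return hmac.compare_digest(a.encode(), b.encode())


def verify_hotp(secret, submitted, server_counter, look_ahead=3):
    """Return the next server counter on success, or None on failure.
    look_ahead (assumed value) tolerates codes generated but never submitted.
    Advancing the counter past a match is what makes each code single-use.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if _same(hotp(secret, c), submitted):
            return c + 1
    return None


def verify_totp(secret, submitted, now, step=30, drift_steps=1):
    """Accept the current step and drift_steps (assumed value) either side."""
    current = int(now // step)
    first = max(0, current - drift_steps)  # the counter cannot be negative
    return any(_same(hotp(secret, c), submitted)
               for c in range(first, current + drift_steps + 1))


if __name__ == "__main__":
    import time
    print("HOTP at counter 0:", hotp(RFC_SECRET, 0))
    print("TOTP right now:   ", totp(RFC_SECRET, time.time()))
```

A wider look-ahead or drift window makes logins more forgiving but increases the number of codes that are valid at any moment.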

Note: Two-Factor Authentication is only available for locally-authenticated KeyControl-managed user accounts. It is not available for LDAP, AD, or RADIUS accounts.

Before You Begin 

Make sure you have access to an authentication app that can generate HOTP or TOTP passwords. For example:

  • For TOTP authentication, you can use the free app Authy on both iOS and Android. Authy continually creates passwords that are valid for 30 seconds. If the current password will expire before you can submit the login request, you need to wait for Authy to generate a new password and then you can use that to log in.
  • For HOTP authentication on iOS, you can use the free app OTP Auth. A password generated through OTP Auth is valid from the time you create it until you use it to log in. To log in a second time you must click the Next button in the app to generate a new password.

Procedure

  1. Log in to the KeyControl webGUI on any node in the cluster with your standard account credentials.
  2. In the top menu bar, click Settings.
  3. In the Two-Factor Authentication field, click Set up Two-Factor Authentication.
  4. In the Enable Two-Factor dialog box:

    1. Select the HOTP or TOTP radio button.
    2. Scan the generated bar code with your authorization app.
    3. Enter the six-digit verification code from your app in the dialog box.
    4. Click Continue. KeyControl verifies that the code is correct and displays a message indicating success or failure. If the code is not correct, re-enter it.
    5. After the code has been accepted, click Done.
  5. The next time you log in to the KeyControl webGUI, you will need to append a valid OTP to your standard account password on the KeyControl webGUI Login Page. Do not add any characters or spaces between your account password and the one-time password generated by your authorization app. In addition, if you are using TOTP, make sure the password will not expire before you submit the login request.