About Two-Factor Authentication
Two-factor authentication requires you to enter two forms of identification before you can access your KeyControl webGUI account. The first form is your standard username/password combination, and the second is a one-time password (OTP) generated by an authenticator app.
Beginning with version 5.2, two-factor authentication can be enabled and enforced for all users by the security administrator. Once enforced, all users are prompted to use two-factor authentication to log in to KeyControl. If it is not enforced, individual KeyControl-managed users can still enable two-factor authentication for themselves. Any users who are actively using KeyControl when two-factor authentication is enforced have their sessions logged out. However, users who already have two-factor authentication enabled locally are not affected.
KeyControl also now supports two-factor authentication (TFA) for all KeyControl-managed users. This includes KeyControl-managed user accounts that use local, RADIUS or LDAP authentication, and Active Directory users who access KeyControl using their AD login. AD users have the following restrictions:
- AD users can only use two-factor authentication if it is enabled by the security administrator. They cannot enable it themselves.
- AD users must log in using either the user@domain or domain\user format.
- AD users cannot reset their own passwords. If an AD user forgets their password, they must contact their security administrator to reset it.
KeyControl supports HMAC-based One-Time Passwords (HOTP) and Time-based One-Time Passwords (TOTP). HOTP uses an event-based (counter-based) algorithm: a password generated through this method remains valid until the next event occurs, that is, until the next password is generated and used. TOTP passwords are only valid for a very short amount of time and are therefore more secure.