About Two-Factor Authentication
Two-factor authentication requires you to enter two forms of identification before you can access your KeyControl webGUI account. The first form is your standard username/password combination, and the second is a one-time password (OTP) generated by an authenticator app.
Beginning with version 5.2, two-factor authentication can now be enabled and enforced for all users by the security administrator. Once enforced, all users will be prompted to use two-factor authentication to log in to KeyControl. If it is not enforced, individual KeyControl-managed users can continue to enable two-factor authentication for themselves. If any users are actively using KeyControl when two-factor authentication is enforced, their sessions will be logged out. However, if they already have two-factor authentication enabled locally, there will be no changes.
KeyControl also now supports two-factor authentication (TFA) for all KeyControl-managed users. This includes KeyControl-managed user accounts that use local, RADIUS or LDAP authentication, and Active Directory users who access KeyControl using their AD login. AD users have the following restrictions:
- AD users can only use two-factor authentication if it is enabled by the security administrator. They cannot enable it themselves.
- AD users must log in using either the user@domain or domain\user format.
- AD users cannot reset their own passwords. If an AD user forgets their password, they must contact their security administrator to reset.
KeyControl supports HMAC-based One-Time Passwords (HOTP) and Time-based One-Time Passwords (TOTP). HOTP uses an event-based (counter-based) algorithm: each password is valid until it is used and the counter advances to the next event, so an unused HOTP code does not expire on its own. TOTP passwords are derived from the current time step (typically 30 seconds) and expire when that step ends, which limits the window in which an intercepted code can be replayed and therefore makes TOTP the more secure option.
Important: We have seen instances where, if a QR code is used, Microsoft Authenticator replaced the entries for the same username from different KeyControl clusters. If you are planning to use Microsoft Authenticator for the same username in different KeyControl clusters, manually type in the account name and secret key for the second and subsequent accounts rather than scanning the QR code, and make sure that each account name is different.