In this chapter you will learn how to use the two-factor authentication in bestzero®.
Variants of the 2FA setup
There are several variants of how you can use two-factor authentication.
Provider registration with two-factor authentication
With this configuration, users must specify a two-factor authentication token when they want to register with a provider.
When registering with a new provider for the first time, the user receives a token by email or SMS, for example, which is valid for 5 minutes by default. A QR code is then displayed, which can be scanned or read with any common OTP application. With a token from this application, the registration process can be completed.
Setting up two-factor authentication for provider registration
Open the configuration file "best_local.ini" (default path: "C:\Program Files\Cordaware\best_srv\etc\best_local.ini").
Add the following entry to the "[best_ext]" section:
register_need_2FA = true
(If an entry with the key "register_need_2FA" already exists, just change its value to "true".)
Save the configuration file and restart the server service "Cordaware_bestinformed_best_srv" to apply the changes.
Provider connection with two-factor authentication
With this configuration, the user is prompted to enter a two-factor authentication token upon connecting to a provider.
The token is generated by the respective OTP application that was used during the provider registration process.
Setting up two-factor authentication for the provider connection
Open the configuration file "best_local.ini" (default path: "C:\Program Files\Cordaware\best_srv\etc\best_local.ini").
Add the following entry to the "[best_ext]" section:
client_need_2FA = true
(If an entry with the key "client_need_2FA" already exists, just change its value to "true".)
Save the configuration file and restart the server service "Cordaware_bestinformed_best_srv" to apply the changes.
Custom apps with two-factor authentication
Further information on this topic can be found here: Hive Configurator > Configuration > 2FA Authentication
Request of the two-factor authentication token
If a two-factor authentication token is requested, the following input mask appears:
Under "2FA Token", enter the token generated by your OTP application and send it with the "Confirm" button.
The yellow progress bar below the buttons shows the remaining time in which the two-factor authentication token can still be entered.
Once this time has expired, the authentication action must be executed again, which also requests the two-factor authentication token again.
Waiting time when entering an incorrect token
If an incorrect token is entered and confirmed, then the token entry field is disabled for a certain wait time.
This waiting time increases depending on how often a token is entered incorrectly in succession.
Incorrect entries in succession   Waiting time
1                                 1 second
2                                 2 seconds
3                                 4 seconds
4                                 8 seconds
5                                 16 seconds
6 or more                         32 seconds
Configuring the lifetime of the two-factor authentication token
Open the configuration file "best_local.ini" (default path: "C:\Program Files\Cordaware\best_srv\etc\best_local.ini").
Here you can define, in minutes, how long the system waits for a two-factor authentication token to be entered.
To do this, add the following entry to the "[best_ext]" section:
client_2FA_wait_timeout = 5
(5 is the default value. If an entry with the key "client_2FA_wait_timeout" already exists, just change its value to the desired number of minutes.)
Save the configuration file and restart the server service "Cordaware_bestinformed_best_srv" to apply the changes.
Configuration of the waiting time when entering a wrong token
In the configuration file "best_local.ini" you can define whether, after a wrong token has been entered, the system waits for a certain time before the token entry field is released again.
Add the following entry to the "[best_ext]" section:
delayon = true
(true is the default value. If an entry with the key "delayon" already exists, just change its value to "true" to enable or "false" to disable the waiting time.)
Again, save the configuration file and restart the server service "Cordaware_bestinformed_best_srv" to apply the changes.
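The following is an added illustration, not Cordaware's code, of how the settings in the sections above fit together: it reads the documented "[best_ext]" keys from a constructed best_local.ini fragment, reproduces the doubling waiting time from the table (capped at 32 seconds, switched off by "delayon = false"), and applies the "client_2FA_wait_timeout" window after which a prompt expires. Key names and defaults are the ones documented on this page; that the failure counter resets after a correct token, and the names load_best_ext, wait_seconds, TokenPrompt and simulate, are assumptions made for this example.

```python
"""Model of the bestzero 2FA prompt rules documented on this page (added example,
not product code). The server's real internals are not known here; only the
documented behaviour is reproduced."""
import configparser
import hmac
from datetime import datetime, timedelta

# Constructed sample of the [best_ext] section, not a real customer file.
SAMPLE_INI = """
[best_ext]
register_need_2FA = true
client_need_2FA = true
client_2FA_wait_timeout = 5
delayon = true
"""

MAX_WAIT_SECONDS = 32  # documented cap: "6 or more incorrect entries"


def load_best_ext(ini_text: str) -> dict:
    """Parse the documented [best_ext] keys; absent keys take the documented defaults
    (5 minutes, delayon = true). The 2FA flags being off when absent is an assumption."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp["best_ext"] if cp.has_section("best_ext") else {}

    def flag(key: str, default: str) -> bool:
        return str(sec.get(key, default)).strip().lower() == "true"

    return {
        "register_need_2FA": flag("register_need_2FA", "false"),
        "client_need_2FA": flag("client_need_2FA", "false"),
        "client_2FA_wait_timeout": int(sec.get("client_2FA_wait_timeout", 5)),
        "delayon": flag("delayon", "true"),
    }


def wait_seconds(consecutive_failures: int, delayon: bool = True) -> int:
    """Seconds the token field stays disabled after the n-th consecutive wrong entry:
    1, 2, 4, 8, 16, then 32 for every further failure; 0 when delayon is false."""
    if not delayon or consecutive_failures < 1:
        return 0
    return min(2 ** (consecutive_failures - 1), MAX_WAIT_SECONDS)


class TokenPrompt:
    """One open 2FA input mask: valid for client_2FA_wait_timeout minutes and
    tracking consecutive wrong entries for the backoff."""

    def __init__(self, cfg: dict, opened_at: datetime):
        self.expires_at = opened_at + timedelta(minutes=cfg["client_2FA_wait_timeout"])
        self.delayon = cfg["delayon"]
        self.failures = 0
        self.locked_until = opened_at  # field is enabled when the prompt opens

    def submit(self, token: str, expected: str, now: datetime) -> str:
        """Outcome of one attempt: 'expired', 'locked', 'wrong' or 'ok'.
        `expected` stands in for the server-side OTP verification (assumption)."""
        if now >= self.expires_at:
            return "expired"  # the authentication action must be started again
        if now < self.locked_until:
            return "locked"  # entry field still disabled by the backoff
        if hmac.compare_digest(token, expected):  # constant-time comparison
            self.failures = 0  # reset on success (assumption)
            return "ok"
        self.failures += 1
        self.locked_until = now + timedelta(seconds=wait_seconds(self.failures, self.delayon))
        return "wrong"


def simulate(cfg: dict, expected: str, attempts) -> list:
    """Replay (seconds_after_prompt, token) pairs against one prompt and return the outcomes."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed start time
    prompt = TokenPrompt(cfg, t0)
    return [prompt.submit(tok, expected, t0 + timedelta(seconds=s)) for s, tok in attempts]


if __name__ == "__main__":
    cfg = load_best_ext(SAMPLE_INI)
    print(cfg)
    print([wait_seconds(n) for n in range(1, 8)])  # 1, 2, 4, 8, 16, 32, 32
    print(simulate(cfg, "123456", [(0, "000000"), (0, "123456"), (1, "000000"),
                                   (2, "123456"), (3, "123456"), (300, "123456")]))
```

The replay in the usage shows the interplay a practitioner checks when tuning these keys: a wrong entry locks the field for 1 second, a second wrong entry for 2 seconds, a correct token after the lock succeeds, and any attempt at or after the 5-minute window is rejected regardless of its value. Raising "client_2FA_wait_timeout" widens the window in which a token can be entered; disabling "delayon" removes the backoff entirely.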
FAQ
I have lost access to my OTP application, how do I get a new QR code?
Delete all references to your registration in your administration web interface and re-register with your provider:
1. Log in to your bestzero® administration web interface first.
2. Navigate to the app External registered (Clients > External registered).
3. Click on the "2FA" button (key icon).
4. Now remove all entries associated with your username.
5. Click on the "back" button (arrow symbol).
6. Remove all entries that are assigned to your username here as well.
7. Now open the bestzero® Appsbox and re-register with your provider.
You should now receive a new QR code that you can add to your new OTP app.
No, once you have unlocked an app secured with two-factor authentication and established a connection to the resource behind it, that connection remains.
A concrete example would be sharing a directory via WebDAV:
1. You unlock the app that gives you access to the directory.
2. You mount the directory as a network drive and thus establish an active connection to the resource.
3. You now manually lock the app in the Appsbox.
You still retain access to all files and folders within the directory.
This means that existing connections are preserved, but no new connections can be established.