2FA

From Catglobe Wiki


Two Factor Authentication

User Resource template

Add the login settings on the user resource template:

If WebAuthn is enabled on the user resource template, all users of that template must use WebAuthn when they log in. If WebAuthn is not enabled, users log in as normal.

2fa1.png

Enable: you are not required to configure login to use WebAuthn; you are only asked to register after you have already logged in

Force: you are required to configure login to use WebAuthn before you can log in

Password: besides providing the device PIN, you must also provide the password of your account on this site when logging in

Token: use a hardware token for login

Strict: login with WebAuthn can be configured on only one device

QASBypass: if selected, QAS runs as normal even though WebAuthn is enabled

Device Requirement

To use WebAuthn your device must meet this requirement:

Windows needs version 1903

2fa2.png


Set up Windows Hello PIN

2fa3.png


If Windows Hello PIN is not yet enabled on your device but the user is Force or has a 2facredential, you will see this message:

2fa4.png

WebAuthn enabled

If WebAuthn is enabled for your user but not Force, and you have not yet registered on any device, you will be asked to register right after logging in to the system. You can choose whether to register by clicking OK or Cancel.

2fa5.png


If the user has already registered on a device, or is Force, login redirects to loginFirst.

2fa6.png

Select the credential from the list and click OK to log in. If your account is not on the list, click Cancel and you will get the registration page.

Register

To register a user to use WebAuthn at login, follow these steps:

2fa7.png

Click OK to accept registration.


Then input the PIN and click OK; registration is successful.

2fa8.png

Login after register

If you have already registered on the current device, login redirects to loginFirst and your account is on the credential list.

2fa9.png

Select your account and click OK.


Then input the PIN to log in.

2fa10.png


If Password is enabled, you must input your password after the PIN.

2fa11.png

Register on another device

When the user has already registered on another device, login redirects to loginFirst, but your account is not on the credential list.

2fa12.png


Click Cancel and you will be asked to re-register.

2fa13.png


Click OK to accept re-registration; you will receive an email with a code.

2fa14.png


Input the code and click OK, then input the PIN to finish.

2fa15.png

QAS rule

This is the logic for QAS login:

0. If this is the user that is already logged in, don't do anything

1. If this is the anonymous user => Anon = load qas, otherwise go to 2

2. Check if twofa is enabled => true = go to 3, false = load qas

3. Check if twofa is skipped for qas (QASBypass) => true = load qas, false = go to 4

4. Check if twofa is required (Force) or there are TwoFaCredentials on the account => true = go to 5, false = load qas

5. Check if we already have full access to that user => have full access = load qas, otherwise go to 6

6. Redirect to loginFirst with twoFa

In general there are 2 cases that redirect to loginFirst and require login before loading qas (every other case loads qas as normal):

Case 1: Force and not QASBypass (no user logged in before, or a user logged in before who does not have admin rights over the qas user)

Case 2: TwoFaCredentials and not QASBypass (no user logged in before, or a user logged in before who does not have admin rights over the qas user)

Note

Force or 2facredential: redirects to loginFirst if a PIN is enabled; if there is no PIN you get the message "your device does not support".

Not Force and not 2facredential: you can log in; without a PIN you are not asked to register, with a PIN you are asked to register on the new login page.
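The QAS rule (steps 0 to 6 and the two redirect cases) and the PIN-dependent outcomes in this note are two decision procedures that are easy to misread when spelled out in prose. The following Python is an added example, not Catglobe code, that encodes both as plain functions so the branches can be checked against the text. The setting names (enable, force, qas_bypass) follow the template settings above; the context fields and the outcome strings are constructed for this example and are not Catglobe identifiers.

```python
from dataclasses import dataclass


@dataclass
class LoginSettings:
    """WebAuthn settings of a user resource template (names follow the page)."""
    enable: bool = False      # WebAuthn is enabled for the template
    force: bool = False       # login must be configured for WebAuthn before login
    qas_bypass: bool = False  # QASBypass: QAS runs as normal even with WebAuthn on


@dataclass
class QasContext:
    """State known when a QAS link is opened (fields constructed for this example)."""
    qas_user_is_current_user: bool    # step 0: the QAS user is already logged in
    qas_user_is_anonymous: bool       # step 1
    settings: LoginSettings           # steps 2-4: template settings of the QAS user
    has_twofa_credentials: bool       # step 4: TwoFaCredentials exist on the account
    has_full_access_to_user: bool     # step 5: a logged-in user with admin rights over the QAS user


def qas_login_action(ctx: QasContext) -> str:
    """Return what the QAS entry point does, following steps 0-6 of the QAS rule."""
    if ctx.qas_user_is_current_user:            # 0
        return "do_nothing"
    if ctx.qas_user_is_anonymous:               # 1
        return "load_qas"
    if not ctx.settings.enable:                 # 2
        return "load_qas"
    if ctx.settings.qas_bypass:                 # 3
        return "load_qas"
    if not (ctx.settings.force or ctx.has_twofa_credentials):   # 4
        return "load_qas"
    if ctx.has_full_access_to_user:             # 5
        return "load_qas"
    return "redirect_loginFirst_twoFa"          # 6


def interactive_login_outcome(settings: LoginSettings,
                              has_twofa_credentials: bool,
                              device_pin_available: bool,
                              registered_on_this_device: bool) -> str:
    """Outcome of a normal (non-QAS) login as described in the note and the sections above."""
    if not settings.enable:
        return "login_normal"
    if settings.force or has_twofa_credentials:
        # Force or 2facredential: loginFirst when a PIN exists, otherwise the
        # "your device does not support" message.
        if not device_pin_available:
            return "message_device_not_supported"
        if registered_on_this_device:
            return "loginFirst_select_credential"
        if has_twofa_credentials:
            # Registered on another device: Cancel leads to re-registration by e-mail code.
            return "loginFirst_cancel_then_reregister_with_email_code"
        return "loginFirst_cancel_then_register"
    # Enabled, but neither Force nor an existing credential.
    if device_pin_available:
        return "login_then_ask_register"
    return "login_normal"


if __name__ == "__main__":
    force_only = LoginSettings(enable=True, force=True)
    print(qas_login_action(QasContext(False, False, force_only, False, False)))
    print(interactive_login_outcome(force_only, False, device_pin_available=False,
                                    registered_on_this_device=False))
```

Case 1 of the QAS rule is `QasContext` with `force=True`, `qas_bypass=False` and `has_full_access_to_user=False`; case 2 is the same with `has_twofa_credentials=True` instead of `force`. Flipping either `qas_bypass` or `has_full_access_to_user` to `True` turns both into `load_qas`, which is the behaviour the two cases describe.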