From Catglobe Wiki

Two Factor Authentication

Configure settings for secure user login

Configure login settings on the user resource template:

If WebAuthn is enabled on the user resource template, all users of that template will use WebAuthn when logging in. If WebAuthn is not enabled, users log in as normal.


Enable: you are not required to configure login to use WebAuthn; you are only asked to do so after you have already logged in

Force: you are required to configure login to use WebAuthn before you can log in

Password: besides providing the device PIN, you must provide the password of your account on this site when logging in

Token: use a hardware token for login

Strict: login can be configured to use WebAuthn on only one device

QASBypass: if selected, QAS runs as normal even though WebAuthn is enabled

Suggested settings: 2fa.jpg

Device Requirement

To use WebAuthn, your device must meet these requirements:

Windows needs to be version 1903 (check with winver)


Set up a Windows Hello PIN


If Windows Hello PIN is not yet enabled on your device but the user is Force or 2facredential, you will see this message:


WebAuthn enable

If WebAuthn is enabled for your user but not Force, and you have not yet registered on any device, you will be asked to register right after logging in to the system. You can choose whether to register by clicking OK or Cancel.


If the user has already registered on a device, or is Force, login redirects to loginFirst.


Select a credential from the list and click OK to log in. If your account is not on the list, click Cancel and you will get the registration page.


To register a user to use WebAuthn when logging in, follow these steps:


Click OK to accept registration

Then enter the PIN and click OK; registration is successful


Login after registering

If you have already registered on the current device, login redirects to loginFirst and your account will be on the credential list.


Select your account and click OK

Then enter the PIN to log in


If Password is enabled, you must enter your password after entering the PIN


Register on another device

When the user has already registered on a device, login redirects to loginFirst, but your account will not be on the credential list.


Click Cancel; you will be asked to reregister


Click OK to accept reregistering; you will receive an email with a code.


Enter the code and click OK, then enter the PIN to finish


QAS rule

This is the logic for QAS login:

0. If that is the user that is already logged in, don’t do anything

1. If this is the anonymous user => Anon = load qas, otherwise goto 2

2. check if twofa enabled => true = goto 3, false = load qas

3. check if twofa is skipped for qas => true = load qas, false = goto 4

4. check if twofa is required or there is TwoFaCredentials on the account => true = goto 5, false = load qas

5. check if we have full access to that user already => Have full access = load qas, otherwise goto 6

6. Redirect to login first with twoFa

In general, there are 2 cases that redirect to loginFirst and require login before loading qas (other cases load qas as normal):

Case 1: Force and not QASBypass (no user logged in before, or a user logged in before but that user doesn’t have admin rights to the qas user)

Case 2: TwoFaCredentials and not QASBypass (no user logged in before, or a user logged in before but that user doesn’t have admin rights to the qas user)
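
The steps 0 to 6 above written as a decision function, with an exhaustive check that the step-by-step rule and the two-case summary agree. This is an added example, not Catglobe code: every name in it (QasRequest, qas_decision and the field names) is hypothetical, and it assumes that "no user logged in before, or no admin rights to the qas user" means the same as not having full access in step 5.

```python
from dataclasses import dataclass
from itertools import product

NO_ACTION, LOAD_QAS, LOGIN_FIRST = "no_action", "load_qas", "redirect_login_first"

@dataclass(frozen=True)
class QasRequest:
    # Hypothetical field names; each mirrors one condition from steps 0-5.
    same_user_logged_in: bool    # step 0: this user is already logged in
    anonymous: bool              # step 1: the anonymous user
    twofa_enabled: bool          # step 2: twofa enabled
    qas_bypass: bool             # step 3: QASBypass selected
    force: bool                  # step 4: twofa is required (Force)
    has_twofa_credentials: bool  # step 4: TwoFaCredentials on the account
    full_access: bool            # step 5: caller already has full access

def qas_decision(r: QasRequest) -> str:
    """Walk steps 0-6 in order and return the resulting action."""
    if r.same_user_logged_in:
        return NO_ACTION                      # step 0
    if r.anonymous:
        return LOAD_QAS                       # step 1
    if not r.twofa_enabled:
        return LOAD_QAS                       # step 2
    if r.qas_bypass:
        return LOAD_QAS                       # step 3
    if not (r.force or r.has_twofa_credentials):
        return LOAD_QAS                       # step 4
    if r.full_access:
        return LOAD_QAS                       # step 5
    return LOGIN_FIRST                        # step 6

def summary_redirects(r: QasRequest) -> bool:
    """Case 1 or Case 2: (Force or TwoFaCredentials) and not QASBypass."""
    return (r.force or r.has_twofa_credentials) and not r.qas_bypass and not r.full_access

def mismatches() -> list:
    """Compare both formulations over all 2**7 input combinations."""
    bad = []
    for bits in product([False, True], repeat=7):
        r = QasRequest(*bits)
        # The summary only applies once steps 0-2 have not ended the flow.
        in_scope = not r.same_user_logged_in and not r.anonymous and r.twofa_enabled
        expected = in_scope and summary_redirects(r)
        if (qas_decision(r) == LOGIN_FIRST) != expected:
            bad.append(r)
    return bad
```

The same table makes the effect of QASBypass easy to audit: with it selected, no combination of Force or TwoFaCredentials reaches loginFirst.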


Force or 2facredential redirects to loginFirst if a PIN is enabled; if there is no PIN, you get the message: your device does not support

Not Force and not 2facredential: the user can log in; without a PIN the user is not asked to register, with a PIN the user is asked to register