Difference between revisions of "2FA"
(→Device Requirement) |
|||
(2 intermediate revisions by the same user not shown) | |||
Line 3: | Line 3: | ||
Two Factor Authentication | Two Factor Authentication | ||
− | = | + | = Configure settings for secure user login = |
− | + | Configure login settings on User resource template: | |
If the user resource template is enabled WebAuthn, all users of the user resource template, when login will use WebAuthn for login. If not enable WebAuthn, user can login as normal. | If the user resource template is enabled WebAuthn, all users of the user resource template, when login will use WebAuthn for login. If not enable WebAuthn, user can login as normal. | ||
Line 21: | Line 21: | ||
'''QASBypass''': if be selected, qas will run as normal although the WebAuthN is enable | '''QASBypass''': if be selected, qas will run as normal although the WebAuthN is enable | ||
+ | |||
+ | Suggestion settings: | ||
+ | [[File: 2fa.jpg]] | ||
= Device Requirement = | = Device Requirement = | ||
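Review bot: the new "Suggestion settings:" section contains only [[File: 2fa.jpg]], so the recommended values for the login options exist only as an image. List the suggested options as text under that heading as well, so they can be searched and compared against the option descriptions above.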
Line 133: | Line 136: | ||
Force or 2facredential will redirect to loginFirst if enable PIN, if not PIN will get message: your device does not support | Force or 2facredential will redirect to loginFirst if enable PIN, if not PIN will get message: your device does not support | ||
− | Not force and not 2facredential, can login, if without PIN not getting ask for register, if PIN get asking for register | + | Not force and not 2facredential, can login, if without PIN will not getting ask for register, if PIN will get asking for register |
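Review bot: the reworded line still reads "will not getting ask for register" and "will get asking for register"; use "will not be asked to register" and "will be asked to register". This line also covers a user without Force or 2facredential and without a PIN, who logs in and is never prompted to register, and it would help to state that outcome explicitly.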
Latest revision as of 06:13, 2 October 2023
Two Factor Authentication
Configure settings for secure user login
Configure login settings on User resource template:
If WebAuthn is enabled on the user resource template, all users of that template will log in with WebAuthn. If WebAuthn is not enabled, users log in as normal.
Enable: you are not required to configure WebAuthn login before logging in; you are asked to register after you have logged in
Force: you are required to configure WebAuthn login before you can log in
Password: besides providing the device PIN, you must also provide the password of your account on this site when logging in
Token: use a hardware token for login
Strict: WebAuthn login can be configured on only one device
QASBypass: if selected, QAS runs as normal even though WebAuthn is enabled
Device Requirement
To use WebAuthn, your device must meet these requirements:
Windows version 1903 is required (winver)
Set up Windows Hello PIN
If Windows Hello PIN is not yet enabled on your device but the user is set to Force or has 2facredential, you will see this message:
WebAuthn enabled
If WebAuthn is enabled for your user but not set to Force, and you have not yet registered on any device, you will be asked to register right after logging in to the system. You can choose whether to register by clicking OK or Cancel.
If the user has already registered on a device, or is set to Force, login redirects to loginFirst.
Select a credential from the list and click OK to log in. If your account is not on the list, click Cancel and you will get the registration page.
Register
To register a user to use WebAuthn at login, follow these steps:
Click OK to accept registration
Then enter your PIN and click OK; registration is complete
Login after register
If you have already registered on the current device, login redirects to loginFirst and your account appears in the credential list
Select your account and click OK
Then enter your PIN to log in
If Password is enabled, you must enter your password after entering the PIN
Register on another device
When the user has already registered on one device, login on another device redirects to loginFirst, but your account will not be on the credential list
Click Cancel; you will be asked to re-register
Click OK to accept re-registration; you will receive an email with a code.
Enter the code and click OK, then enter your PIN to finish
QAS rule
This is the logic for QAS login:
0. If that is the user that is already logged in, don’t do anything
1. If this is the anonymous user => Anon = load qas, otherwise goto 2
2. check if twofa enabled => true = goto 3, false = load qas
3. check if twofa is skipped for qas => true = load qas, false = goto 4
4. check if twofa is required or there is TwoFaCredentials on the account => true = goto 5, false = load qas
5. check if we have full access to that user already => Have full access = load qas, otherwise goto 6
6. Redirect to login first with twoFa
In general, two cases redirect to loginFirst and require login before loading QAS (all other cases load QAS as normal):
Case 1: Force and not QASBypass (no user has logged in before, or a user has logged in before but that user doesn't have admin rights to the qas user)
Case 2: TwoFaCredentials and not QASBypass (no user has logged in before, or a user has logged in before but that user doesn't have admin rights to the qas user)
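The step list above can be checked against the two-case summary by enumerating every flag combination. The following is an added example, not code from the product: the field names are assumptions, one per step, and "full access" is read as the summary's "admin right to qas user".

```python
from dataclasses import dataclass, fields
from itertools import product

@dataclass(frozen=True)
class QasState:              # hypothetical field names, one per step
    same_user: bool          # step 0: this user is already logged in
    anonymous: bool          # step 1: anonymous user
    twofa_enabled: bool      # step 2: twofa enabled
    qas_bypass: bool         # step 3: QASBypass selected
    force: bool              # step 4: twofa is required (Force)
    has_credentials: bool    # step 4: TwoFaCredentials on the account
    full_access: bool        # step 5: session already has full access

def qas_decision(s: QasState) -> str:
    """Steps 0-6 in order; returns 'noop', 'load_qas' or 'login_first'."""
    if s.same_user:
        return "noop"
    if s.anonymous or not s.twofa_enabled or s.qas_bypass:
        return "load_qas"
    if not (s.force or s.has_credentials):
        return "load_qas"
    if s.full_access:
        return "load_qas"
    return "login_first"

def summary_redirects(s: QasState) -> bool:
    """Case 1 / Case 2: (Force or TwoFaCredentials), not QASBypass, no full access."""
    return (s.force or s.has_credentials) and not s.qas_bypass and not s.full_access

def all_states():
    n = len(fields(QasState))
    return [QasState(*bits) for bits in product([False, True], repeat=n)]

def redirecting_states():
    return [s for s in all_states() if qas_decision(s) == "login_first"]

def summary_mismatches(assume_preconditions: bool):
    """States where the two-case summary and the step list disagree."""
    out = []
    for s in all_states():
        if assume_preconditions and (s.same_user or s.anonymous or not s.twofa_enabled):
            continue
        if summary_redirects(s) != (qas_decision(s) == "login_first"):
            out.append(s)
    return out

if __name__ == "__main__":
    for s in redirecting_states():
        print(s)
    print(len(summary_mismatches(True)), len(summary_mismatches(False)))
```

The summary matches the steps only when steps 0 to 2 have already passed (a different, non-anonymous user with twofa enabled); read without those preconditions it would redirect in states where the step list loads QAS.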
Note
Force or 2facredential: login redirects to loginFirst if a PIN is enabled; if there is no PIN, you get the message: your device does not support
Not Force and not 2facredential: the user can log in; without a PIN they will not be asked to register, with a PIN they will be asked to register