It is possible to set up the Google Authenticator service to provide your Multi-Factor Authentication for the Hosting Portal. This page explains how the service works and how to set it up for hosting.
What is Google Authenticator?
The following is taken from the Wikipedia Google Authenticator Page:
Google Authenticator is a software-based authenticator that implements two-step verification services using the Time-based One-time Password Algorithm (TOTP; specified in RFC 6238) and HMAC-based One-time Password algorithm (HOTP; specified in RFC 4226), for authenticating users of mobile applications by Google.
When logging into a site supporting Authenticator (including Google services) or using Authenticator-supporting third-party applications such as password managers or file hosting services, Authenticator generates a six- to eight-digit one-time password which users must enter in addition to their usual login details.
Previous versions of the software were open-source but subsequent releases are proprietary.
The main benefits of using Google Authenticator are:
- Uses the same secure method of creating one time passcodes that we already use for our current two factor.
- It is completely free for us and the user.
- No need to wait for an email, SMS, phone call.
The app is available for Android and iOS
Prerequisites
The Google Authentication method must be added to the TwoFactorMethodConfigurations table and set to enabled. Setting this can only be done on the database. See Matt.G, James or Ian if you need this done.
Adding Google Authentication
There are two ways to allow a user to use Google Authentication.
User Profile - Add authentication to your own account
If available, you can set Google authentication for yourself on your User Profile Page. This can be accessed by mousing over your name in the the top right of the Hosting Portal and then clicking the "My Profile" drop down.
From the "My Profile" page click the "Edit button". This will display your profile details including your available and set authentication methods. Tick the "Google Authenticate" option and then "Save".
You will then be prompted to visit the authenticator settings page
You will notice that the profile page will now have a new button. Click the "Google Authenticate Settings" button.
In your authenticator app add an account and scan the shown QR code.
Enter the code shown into the confirmation box and click "Confirm". You will get a toast notification indicating whether adding the authentication was successful or not.
User management - Add authentication to another user
Note that this requires Pellcomp or Supervisor permissions.
In the "Manage Users" section, edit a user. The "Google Authenticate" option will show if it is available. Tick it to add it.
The next time the user logs in, they will be prompted to set it up using the profile method detailed above.
Removing Google Authentication
This can again be done in the the user profile or the manage users section. Simply un-tick the Google Authenticate option or click the remove authenticator option in the authenticator settings
How to use - The login process
The login process is pretty much the same as normal.
ADFS will ask for your username/password.
You will be prompted to select a two factor method. Note that if Google Authenticate is your only available option AND you have not yet set it up you will be allowed to select email as your two factor method. This will allow you to login so you can setup your authenticator.
For non Pellcomp users, if Google authenticate is your only available option and you have not set it up yet, you will be directed to and limited to the Profile section of the hosting site. A notification instructing the user to setup authentication will be shown.