Skip to content

Enforcing Two Factor Authentication (MFA)

For enhanced security, you can enforce the second layer of authentication for your users to access their Securden accounts. Users will have to authenticate through two successive stages. It is strongly recommended to activate Two Factor Authentication (2FA).

To Configure Two-Step Verification, Navigate to Admin >> Authentication >> Two Factor Authentication in the GUI to perform this step.

Configuring Two Step Verification

At present, Securden supports:

Configuring Two Step Verification

  • Mail OTP - Securden generates a one-time password to be used as the second authentication factor and sends that to the registered email address of the respective user.

  • Google/Microsoft/TOTP Authenticator - You can use any Timebased One-Time Password (TOTP) authenticator app on your phones such as Google Authenticator, Microsoft Authenticator, and others. If you are using any other TOTP authenticator, you may edit the 'TOTP Identifier' and give it the required name.

  • RADIUS Authentication - You can integrate the RADIUS server or any RADIUS-compliant two-factor authentication system like OneSpan Digipass, RSA SecurID, etc. for the second-factor authentication.

  • Email to SMS Gateway - If you are already using an Email to SMS gateway software, you can integrate that with Securden to send OTP to users through SMS.

  • Duo Security Authentication – If you have enrolled in Duo Security, you can easily integrate that with Securden and make use of the various authentication methods (security key, biometric authenticator, touch ID, web authentication, and more).

  • YubiKey Authentication – You can also make use of a YubiKey as a second-factor authentication, which generates one-time passwords upon integration.

Mail OTP

In the case of Mail OTP 2FA, the user must first complete the first level of authentication, and then Securden will email a randomly generated password to the user. This password will only be available for the current session and will expire when the user logs out. The user has to enter the password to authenticate the second level and then they will have access to the Securden PAM application.

To configure Mail OTP for 2FA:

  1. Navigate to Admin >> Authentication >> Two-Factor Authentication
  2. Select Mail OTP as your option and click confirm.

Google Authenticator/Microsoft Authenticator/TOTP Authenticator

Google Authenticator provides a six-digit code to authenticate the second level of access for authentication. Microsoft Authenticator and TOTP Authenticator work the same way.

Prerequisites: You need to install the Google Authenticator/Microsoft Authenticator/TOTP Authenticator app on your mobile phone or tab.

The app generates a six-digit number every 30 seconds and you receive the code instantaneously with the app.

To use Google/Microsoft Authenticator as your 2FA method,

  1. Navigate to Admin >> Authentication >> Two-Factor Authentication.
  2. Choose the option Google Authenticator/Microsoft Authenticator/TOTP Authenticator.
  3. Click Confirm.

Global 2FA Enforcement

Securden provides you with the option of enforcing the 2FA for all the users of the organization. You can also enable this feature for only the new users of your organization.

Configuring Two Step Verification

Selective 2FA Enforcement

You also have the option to selectively enforce/disable 2FA for specific users or user groups from User (or) User Group >> More Actions >> Enable/Disable 2FA. In addition, while enabling 2FA for all users, you can selectively exempt specific users from 2FA enforcement by disabling 2FA for them.

Allow Users to Trust Browser

You have the option to allow your users to mark their browsers as Trusted and skip 2FA. Upon entering the second authentication factor, the users can mark the browser as trusted for a specific number of days or forever. Once marked, users won't be prompted to enter the second authentication code until the end of the trust period.

Configuring Two Step Verification

To enable this feature navigate to Admin >> Two Factor Authentication >> Configure Browser Trust Option link, and the pop-up box will appear. Here, you can specify the maximum period until which the browser trust option would be in effect after being enabled by a user. You may either enter a specific number of days or even choose to have it enabled forever. After the end of this period, the user will have to enter the second authentication factor code once and exercise the trust option again.

Troubleshooting Tips

Issue: 2FA code is not accepted in the UI.

Solution:

The most probable reason for MFA not working is that the time on the mobile device is not synchronized. To troubleshoot this issue,

  • Go to your phone Settings.
  • Navigate to Date & Time settings.
  • Turn ON Set Automatically (in iPhone) or Turn ON Use Network-Provided Time (in Android).
  • Restart Google Authenticator / Microsoft Authenticator app.
  • Now, try to login to Securden using the latest MFA code.