Improving security posture with 2FA
Two-factor authentication (2FA) adds an additional layer of security to user accounts. In order to log in to an account with two-factor authentication enabled, it is necessary to provide both the login password and another factor.
This feature is only available in the Business offering with your own server, as it requires our involvement to set up and enable 2FA applications.
Several 2FA apps are already available, including TOTP, a Telegram/Signal/SMS gateway and U2F.
We generally prefer third-party 2FA user apps, as they provide an additional layer of security. Specifically, we prefer open-source ones so that the community can audit them and ensure they function securely and have no intentional or unintentional backdoors (e.g. allowing a third party simultaneous access while you log in).
By default 2FA is optional, so users are given the choice of whether to enable it for their account. Admins, however, may enforce the use of 2FA as shown next.
Enforcement is possible system-wide (all users) or for selected groups only, and certain groups can also be excluded from it.
These settings can be found in the administrator’s security settings.
When groups are selected/excluded, we use the following logic to determine if a user has 2FA enforced:
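As an added illustration (not the product's own code, whose rule is not reproduced on this page), here is a small evaluator for the three enforcement scopes above: system-wide, selected groups, and excluded groups. The precedence it applies (an exclusion wins over everything else; a non-empty list of selected groups narrows enforcement to their members; otherwise enforcement is system-wide) and the `login_decision` outcomes are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable


@dataclass(frozen=True)
class EnforcementPolicy:
    """Assumed model of the admin security settings for 2FA enforcement."""
    enforced: bool = False                         # master switch set by the admin
    enforced_groups: FrozenSet[str] = frozenset()  # if non-empty, only these groups are enforced
    excluded_groups: FrozenSet[str] = frozenset()  # members of these groups are never enforced


def is_2fa_enforced(policy: EnforcementPolicy, user_groups: Iterable[str]) -> bool:
    """Decide whether the policy forces 2FA on a user (assumed precedence, see lead-in)."""
    if not policy.enforced:
        return False
    groups = frozenset(user_groups)
    if groups & policy.excluded_groups:      # an explicit exclusion always wins
        return False
    if policy.enforced_groups:               # selected groups narrow the scope
        return bool(groups & policy.enforced_groups)
    return True                              # no selection: system-wide enforcement


def login_decision(policy: EnforcementPolicy, user_groups: Iterable[str],
                   user_enabled_2fa: bool) -> str:
    """Outcome after a successful password check (assumed states):
    'challenge' = ask for the second factor (user opted in, enforced or not),
    'enroll'    = enforced but no factor configured, so block until one is set up,
    'allow'     = 2FA is optional for this user and they have not enabled it."""
    if user_enabled_2fa:
        return "challenge"
    if is_2fa_enforced(policy, user_groups):
        return "enroll"
    return "allow"


# Constructed sample policy: enforce for "admin" and "finance", never for "service-bots".
POLICY = EnforcementPolicy(enforced=True,
                           enforced_groups=frozenset({"admin", "finance"}),
                           excluded_groups=frozenset({"service-bots"}))

if __name__ == "__main__":
    sample_users = [("alice", {"admin"}, True),                    # -> challenge
                    ("bob", {"finance"}, False),                   # -> enroll
                    ("carol", {"users"}, False),                   # -> allow
                    ("backup-bot", {"admin", "service-bots"}, False)]  # -> allow (excluded)
    for name, groups, enabled in sample_users:
        print(f"{name}: {login_decision(POLICY, groups, enabled)}")
```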
If a user loses access to their second factor and backup codes, they won't be able to log in. As an administrator, you can use the Two-Factor Admin Support app to generate a one-time code that lets them log in and unlock their account.