Two-Factor Authentication
Improving security posture with 2FA
1. Introduction
Two-factor authentication (2FA) adds an additional layer of security to user accounts. In order to log in to an account with two-factor authentication enabled, it is necessary to provide both the login password and another factor.
This feature is only available in the Business offering with your own server, as it requires our involvement to setup and enable 2FA applications.
Several 2FA apps are already available including TOTP, a Telegram/Signal/SMS gateway and U2F.
2. Enabling 2FA
We generally prefer to use third-party 2FA user apps as they provides an additional layer of security. Specifically, we prefer open-source ones so that the community can audit and ensure they function securely and have no intentional or unintentional backdoors (e.g. allowing third-party simultaneous access while you log in).
3. Enforcing 2FA
By default 2FA is optional, hence users are given the choice whether to enable it for their account. Admins, however, may enforce the use of 2FA as shown next.
Enforcement is possible systemwide (all users), for selected groups only, or can also be excluded for certain groups.
These settings can be found in the administrator’s security settings.
When groups are selected/excluded, we use the following logic to determine if a user has 2FA enforced:
- If no groups are elected, 2FA is enabled for everyone except members of the excluded groups.
- If groups are selected, 2FA is enabled for all their members. If a user is in both in a selected and excluded group, the selected takes precedence and 2FA is enforced (i.e. we err on the side of caution).
If a user loses access to their second factor and backup codes, they won’t be able to log in. An administrator, you can use the Two-Factor Admin Support app to generate a one-time code for them to log in and unlock their account.