Two Factor Authentication

From Explore Analytics: The Wiki

Overview

Two-factor authentication, or two-factor login, mitigates the weakness of password-only authentication by also requiring the user to receive and enter a one-time code. A stolen or guessed password alone is then not enough to log in.

Two-factor login is not enabled by default. You can set up two-factor login as explained later on this page.

How Does Two-Factor Login Work

When you log in to Explore Analytics, you first enter your email and password. This is considered the first factor. You are then prompted to enter a code that is sent to you via a mobile phone text message (SMS). This is the second factor.

If for some reason you temporarily cannot receive text messages, the code can be sent to you via email instead. You'll first be challenged with your security questions, and only then will the code be sent to your email address. For this reason it is vital that your email account uses a different password than the one used for Explore Analytics, and that your email account is itself protected with two-factor authentication: anyone who controls your mailbox can otherwise use the email fallback to obtain the second factor.

For convenience, you can check a box labeled "trust this device", and subsequent logins from this browser on this device will then not require the second factor. However, any login attempt from a new IP address, from a hotel for example, will still require the second factor. In other words, a device is only trusted while it is connecting from an IP address from which it has successfully logged in before.

The Login Process

The first step is to enter your email and password onto the login page as usual. If successful, you are then prompted for a 6-digit code.

The prompt for the code is skipped only if both of the following conditions are satisfied:

  • You had previously logged in from this device and checked the box “trust this device”. By device here we mean the browser on the particular computer, phone, or tablet.
  • You had previously logged in from this IP address.

Based on your two-factor login setup, you are then sent the code via a mobile text message or via email. You then enter the code and you can check the box to “trust this device”.
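The following is an added example that models the login decision described above: skip the second factor only when the device is trusted and the IP address has been seen before, deliver the code by SMS, and fall back to email only after the security questions are answered. It is illustrative code written for this page, not Explore Analytics' implementation; the record layout, the 5-minute code lifetime and the way answers are compared are assumptions.

```python
"""Model of the two-factor login flow described on this page.
Added example, not Explore Analytics' own code; the data layout,
code lifetime and answer comparison are assumptions."""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

CODE_LENGTH = 6          # the page specifies a 6-digit code
CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes


@dataclass
class UserRecord:
    email: str
    second_factor: str                       # "none", "sms" or "email"
    trusted_devices: Set[str] = field(default_factory=set)  # browser/device ids
    known_ips: Set[str] = field(default_factory=set)        # IPs of past successful logins
    security_answers: Dict[str, str] = field(default_factory=dict)  # assumption: stored in clear


def second_factor_required(user: UserRecord, device_id: str, ip: str) -> bool:
    """The prompt is skipped only when BOTH hold: this device was trusted at an
    earlier login AND the request comes from an IP seen at an earlier login.
    A trusted laptop on a new hotel network is therefore still challenged."""
    if user.second_factor == "none":
        return False
    return not (device_id in user.trusted_devices and ip in user.known_ips)


def answers_correct(user: UserRecord, answers: Dict[str, str]) -> bool:
    """All preset questions must be answered; compare in constant time."""
    if set(answers) != set(user.security_answers):
        return False
    return all(
        hmac.compare_digest(user.security_answers[q].strip().lower(),
                            answers[q].strip().lower())
        for q in user.security_answers
    )


def choose_delivery(user: UserRecord, sms_reachable: bool,
                    answers: Optional[Dict[str, str]] = None) -> Optional[str]:
    """SMS is the primary channel. Email is only a backup, and only after the
    security questions have been answered. None means: do not send a code."""
    if user.second_factor == "email":
        return "email"
    if sms_reachable:
        return "sms"
    if answers is not None and answers_correct(user, answers):
        return "email"
    return None


def issue_code(now: Optional[float] = None) -> Tuple[str, float]:
    """Generate an unpredictable 6-digit code with an expiry timestamp."""
    code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
    return code, (time.time() if now is None else now) + CODE_TTL_SECONDS


def verify_code(expected: str, expires_at: float, submitted: str,
                now: Optional[float] = None) -> bool:
    """Reject expired codes and compare in constant time."""
    current = time.time() if now is None else now
    return current <= expires_at and hmac.compare_digest(expected, submitted)


def complete_login(user: UserRecord, device_id: str, ip: str,
                   trust_this_device: bool) -> None:
    """After a successful second factor: remember the IP, and the device
    only if the user ticked 'trust this device'."""
    if trust_this_device:
        user.trusted_devices.add(device_id)
    user.known_ips.add(ip)


if __name__ == "__main__":
    # Constructed sample: a user with SMS as second factor and one preset question.
    alice = UserRecord("alice@example.com", "sms",
                       security_answers={"first pet": "Rex"})
    print(second_factor_required(alice, "browser-1", "203.0.113.10"))  # True
    code, expires = issue_code()
    print(verify_code(code, expires, code))                              # True
    complete_login(alice, "browser-1", "203.0.113.10", trust_this_device=True)
    print(second_factor_required(alice, "browser-1", "203.0.113.10"))  # False
    print(second_factor_required(alice, "browser-1", "198.51.100.7"))  # True: new IP
```

Note that a real implementation would store security answers and codes hashed and rate-limit attempts; both are left out here to keep the decision logic readable.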

Two factor login.png

Limitations

The two-factor login only applies when the user logs in using the login page.

If the user uses the "Keep me signed in" option, then for as long as they are kept signed in they do not pass through the login page, and so are not asked for the second factor again.

Single sign-on to Explore Analytics from a trusted application such as ServiceNow does not challenge the user for a second factor. This is also true for “Sign in with Google”.

Using email as the delivery method for the second factor is problematic because an attacker who first gains access to the user's email account can then use it to receive the code and compromise their Explore Analytics account.

Using a mobile text message as the delivery method has the advantage that the code goes to a physical device, but it creates a problem if the user loses that device, runs out of battery, or has no cell phone reception. To still allow the user access to Explore Analytics, the user's email is used as a backup delivery method in that case, after the user answers their preset security questions.

Because of the security limitations of using email as a delivery method, even as a backup, it is vital that the user's email account also requires two-factor login.

Customer (tenant) administrators can reset a user's two-factor settings. It is vital that administrators verify the identity of anyone requesting a password or two-factor reset through a channel other than email. An email from the user saying "please turn off my two-factor settings" could actually be coming from an attacker who has compromised the user's email account and is impersonating them.

Setup

To set up two-factor login, click on your name at the top-right corner of the Explore Analytics user interface. Then select "Setup two factor login" from the pop-up menu.

Profile menu.png

This brings up the Setup Two Factor Login dialog. This dialog has 4 steps:

  • Questions – If you haven't set up security questions before, you'll be prompted to set them up now. If that step has already been completed, the dialog starts at the second step.
  • Select Type – Here you can turn two-factor login off (None) or turn it on by selecting one of the other 3 options. Select Mobile phone text message. This option uses a text message to deliver the 6-digit code to you; email is then used only as a backup in case you can't receive text messages, and you'll need to answer your security questions before the code is delivered by email.
  • Test – before the new setup is saved, it must be tested. Click “Send Test Code” and then enter the code into the dialog.
  • Done – before the new setup is saved, you need to acknowledge a note about email security. Because email is used as an option, it must be secure.

Setup two factor.png

Turning Two Factor Off

If you previously set up two-factor login, you can turn it off by returning to this dialog and setting the type to "None".

Turning Two Factor Off for Another User

If you are an administrator, you can change a user’s two-factor setup by impersonating the user, and then editing their setup.