Two Factor Settings Tab

This tab contains the options to enable 2FA for your users. It displays all the authentication methods available to the admin as well as the end-users, and provides options to enable those authentication methods as both primary and backup 2FA methods for the users. It also contains some additional features that are required during the configuration/registration of any authentication method.

Enable 2 Factor Authentication -

This is the master control to enable or disable 2FA for all users. Once this option is enabled, the admin can enable 2FA for all users; when those users then try to log in to their accounts, they will have to register themselves with a 2FA method. Once this option is disabled, all the configurations made by any user (admin or end-user) are kept intact, but no user will be challenged for 2FA when logging in to their account.

Note: Once Enable Two-factor Authentication is enabled from the Two Factor Settings Tab, the admin must enable 2FA for users from the User Management Tab. The admin can enable/disable/reset 2FA individually, selectively, or in bulk. (More about this is discussed later in the User Management Section.)

Available 2FA Methods and Backup Methods for User -

The plugin supports multiple 2FA methods as given below.

  • Mobile Authenticator (TOTP)
  • Yubikey Hardware token (U2F/WebAuthn)
  • OTP Over Email
  • OTP over SMS
  • Security Questions (KBA)
  • Backup Codes

Some methods can be used as backup methods, namely Security Questions, OTP Over Email, and Backup Codes. The backup methods are helpful in cases where the user has forgotten or lost the passcode or the secret key of their primary authentication method.
A configured backup method gives users a sense of security in case they fail to authenticate themselves via the primary method.

We will see more about each of the supported 2FA methods below.

2FA Extra Settings -

1. Allow to reconfigure/reset 2FA

If this field is enabled, users get the ability to reset their 2FA configuration and configure it again.

Users can find their 2FA-related settings on the Two Factor Configurations page under the user profile section. There, users can see the details of all the 2FA methods available to them and reconfigure/reset the settings of their 2FA methods. If backup codes are enabled as an authentication method, users can also download/enable/disable/change their backup codes from here.

2. Enforce Current/Primary Method for User

The add-on allows the admin to enable multiple 2FA methods for users. If multiple authentication methods are enabled from the admin console, users can configure multiple 2FA methods and use any one of them as their primary method. This feature comes into play when the admin wants users to primarily authenticate themselves using one particular authentication method.

Let us understand this feature with the help of an example -
Suppose the admin has enabled two authentication methods, Mobile Authenticator and Yubikey Hardware Token, and users have configured both. Since both methods are configured, users will be asked to choose one of the two for authentication. Once this feature is enabled, it is entirely up to the admin to enforce which 2FA method the users should use for 2FA verification.

If, for some reason, the user doesn't want to authenticate using the primary method, he/she can use the other configured alternative method.

3. Show Remaining 2FA method after Configuration/Inline Registration

This feature is useful when the admin has enabled multiple authentication methods. If this option is enabled, then once users finish configuring their primary authentication method and backup method (if enabled), they can choose whether or not to configure the other authentication methods enabled by the admin.

4. Show all Configured Methods to user for validation

This feature allows users to select any configured authentication method to validate themselves. Once this feature is enabled, users logging into their account will get a page that displays a list of all the configured methods, from which the user can select any one to authenticate themselves.

If this option is not enabled, users will directly be prompted to validate themselves by the primary authentication method.