Two-factor authentication, also known as 2FA, is a type of multi-factor authentication (MFA). It is a more secure way of confirming a user's identity when they try to log in to Paligo as they will need to provide:
- Username and password
  This is something only the user should know.
- Verification code
  This code is generated by an authentication application that runs on a device that the user has with them, typically a smartphone, but it could be a computer or tablet.
This combination of something the user knows and something the user has with them is much more secure than only using a username and password. For example, if you have 2FA enabled and someone gets access to your password, they will not be able to log in, because they would also need access to your device (smartphone, tablet, etc.) to get the verification code. The password on its own is not enough to gain access.
To use two-factor authentication in Paligo:
If you do not have the verification code for logging in, you can use a backup code instead.
If there is a suspicious log-in attempt on your account, you should reset your password and remove any unusual locations from your Trusted Locations for 2FA.
The process for setting up two-factor authentication (2FA) in Paligo varies, depending on whether you have the Enterprise plan or one of our other plans.
- On the Enterprise plan, administrator users can enable 2FA on all accounts at once.
- On other plans, each user has to enable 2FA on their individual user account. Administrators can only ask users to do this; they cannot do it for them.
When you have enabled two-factor authentication in Paligo, each user can associate their user account with an authentication app, such as Authy (https://authy.com). The app will generate the validation code they need for logging in.
If your Paligo account is on the Enterprise plan, you can:
- enable two-factor authentication (2FA) on all user accounts at once. You can also force all users to set up 2FA for their user accounts the next time they try to log in.
- enforce a password rotation policy.
Note
If your Paligo account is on a different plan, see Enable 2FA on Individual User Accounts.
To set up 2FA and password rotation policy for all user accounts:
- Log in to Paligo as an administrator.
- Select the avatar in the top-right corner.
- Select Settings from the menu.
- Select the Users tab.
- Paligo displays the settings page, which shows the Users tab by default. It contains a list of your Paligo users. A shield icon shows the 2FA status of the user accounts:
  - Green icon - User has enabled 2FA and associated a verification app. These users are ready to use 2FA.
  - Gray icon - User has enabled 2FA but has not associated their Paligo account with a verification app.
  - No icon - User has not enabled 2FA or associated Paligo with a verification app.
- Select the Password policy button to display the password settings dialog.
- In the Authentication section:
  - Check the Auto-enable two factor authentication box if you want Paligo to use two-factor authentication (2FA) for all user accounts.
  - Check the Enforce setup box if you want users to set up 2FA for their user account the next time they log in. To get access to Paligo, they will need to run an authentication app on their smartphone or another device and associate it with Paligo. They will be unable to log in to Paligo until they have set up 2FA.
    If you leave the checkbox unselected, users will be able to postpone setting up 2FA for their user accounts. Until they set up 2FA, they will be able to log in with only their username and password, which is less secure.
- Select Save.
When your Paligo users next log in, they will be prompted to Log In using 2FA.
There are two ways to enable two-factor authentication (2FA) on user accounts.
- If you have the Enterprise plan, an administrator can enable 2FA on all user accounts at once; see Enable 2FA for All User Accounts. Or you can let each user enable 2FA for themselves; see below.
- Each user can enable 2FA on their own user account independently. If you do not have the Enterprise plan, this is the only way to enable 2FA.
To enable 2FA on your own user account:
- Select the avatar in the top right corner.
- Select My Profile.
- On the General Options tab, use the slider button to enable 2FA for your user account (the background of the slider is blue when 2FA is enabled and white when it is disabled).
- Select Save.
When you next log in to Paligo via this user account, you will be asked to provide a username and password and also to set up two-factor authentication. To find out more, see Log In using 2FA.
The process for logging in to Paligo using two-factor authentication (2FA) varies depending on whether you are logging in:
- For the first time since 2FA was enabled
- From a location that you have already verified for 2FA. This is a "trusted location".
- From a new location. Paligo regards the new location as suspicious, so you will need to verify your login.
The following sections describe the steps to follow for each of these scenarios.
If you are logging in to Paligo for the first time since two-factor authentication has been enabled:
- Open a browser and go to the URL for your Paligo instance. Paligo displays the log-in page. Enter your log-in details and select Sign In.
- On the Two factor authentication setup page, there is a QR code and a secret key.
  On your phone or other device, install an authentication app, such as Authy or Google Authenticator, and add a new device. Choose to either scan a barcode or provide a key, depending on what the app supports and what device you have.
  - If you chose to scan a barcode, use your device's camera to scan the QR code.
  - If you chose to provide a key, enter the secret key numbers and letters.
  The authentication application then generates a verification code.
- Enter the verification code in the field on the two factor authentication setup page and select Continue.
  If the verification code is correct, a success message is displayed and you are provided with a backup code. Make a record of this code, as you can use it to log in if you have lost your device. (The code can only be used once.)
  If the verification code is wrong, an error message appears. Check the verification code in your authentication app and enter it again. The verification code in your authentication app changes automatically every 30 seconds.
- Press Continue to log in to Paligo.
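As an added illustration of what happens behind the QR code, the secret key and the code that changes every 30 seconds, here is a minimal RFC 6238 TOTP generator together with the server-side check (example code written for this page, not Paligo's own). The base32 secret, the 6-digit length and the one-step clock-drift tolerance are assumptions taken from the RFC and common authenticator apps, not from Paligo.

```python
import base64
import hashlib
import hmac
import struct

# Assumed parameters: RFC 6238 defaults used by most authenticator apps.
STEP_SECONDS = 30   # the page notes the app's code changes every 30 seconds
DIGITS = 6

# RFC 6238 reference secret (ASCII "12345678901234567890"), base32-encoded the
# way a QR code or the "secret key" letters and numbers would carry it.
RFC_TEST_SECRET = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32: str) -> bytes:
    """Accept the key as a user would type it: spaces, lower case, no padding."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp_code(secret_b32: str, for_time: int, step: int = STEP_SECONDS,
              digits: int = DIGITS) -> str:
    """What the authenticator app displays for the given Unix time (HMAC-SHA1)."""
    counter = for_time // step
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, now: int, window: int = 1) -> bool:
    """Server-side check of a submitted code.

    `window` is an assumption: accepting the neighbouring time steps tolerates
    small clock drift between the phone and the server. The comparison is
    constant-time, and a wrong code is simply rejected so the user can retry
    with the next code shown by the app.
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for drift in range(-window, window + 1):
        at = now + drift * STEP_SECONDS
        if at < 0:
            continue
        if hmac.compare_digest(totp_code(secret_b32, at), submitted):
            return True
    return False
```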
When you successfully log in from a device, your location is added to your list of trusted locations. When you log in from a trusted location, you can use your username and password without a verification code, as Paligo knows you have verified that location before.
If you need to log in from a different location, Paligo will ask for your username, password, and verification code. If you do not have access to the device that runs your authentication app, you can use the backup code to log in.
If you are logging in from a trusted location, you only need to provide your Paligo username and password. There is no need for a verification code.
A trusted location is a place where you have previously logged in to Paligo and provided a verification code. Your user account has a list of trusted locations, and Paligo will let you log in to those with only a username and password, unless any of the following are different:
- IP address or location
- Browser and browser version
- Operating system
If any of the above are different, Paligo will ask you to enter a verification code. You will need to get the verification code from the authentication app on your smartphone, tablet, etc. If you do not have access to the authentication app, you can use your backup code instead.
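The trusted-location rule above, as an added example that is not Paligo's code: a login needs no verification code only when the IP address, the browser and its version, and the operating system all match a record in the user's trusted list; a successful verification adds a record, and the Remove button drops one. Exact string matching, the record fields and the sample data are assumptions based on the page's description.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class DeviceFingerprint:
    """The three attributes the page says must all match a trusted record."""
    ip: str
    browser: str   # browser and version, e.g. "Firefox 125"
    os: str        # operating system and version, e.g. "Windows 11"


@dataclass
class TrustedDevice:
    """One row of the Trusted Devices tab (field set assumed from the page)."""
    fingerprint: DeviceFingerprint
    isp: str
    location: str
    verified_at: datetime


def needs_verification_code(trusted: list[TrustedDevice],
                            attempt: DeviceFingerprint) -> bool:
    """Username and password alone suffice only from a trusted location."""
    return not any(t.fingerprint == attempt for t in trusted)


def is_new_location(trusted: list[TrustedDevice], location: str) -> bool:
    """Drives the 'different location' e-mail the page describes."""
    return all(t.location != location for t in trusted)


def record_verified_login(trusted: list[TrustedDevice], attempt: DeviceFingerprint,
                          isp: str, location: str,
                          when: datetime) -> list[TrustedDevice]:
    """After a correct verification code, the location becomes trusted."""
    if needs_verification_code(trusted, attempt):
        return trusted + [TrustedDevice(attempt, isp, location, when)]
    return trusted


def remove_trusted(trusted: list[TrustedDevice],
                   fingerprint: DeviceFingerprint) -> list[TrustedDevice]:
    """The Remove button: that location must be verified again next time."""
    return [t for t in trusted if t.fingerprint != fingerprint]


# Constructed sample data (RFC 5737 documentation addresses, not real users).
HOME = DeviceFingerprint("203.0.113.10", "Firefox 125", "Windows 11")
TRUSTED = [TrustedDevice(HOME, "Example ISP", "Stockholm, Sweden",
                         datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc))]
```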
If you have two-factor authentication enabled and you want to log in to Paligo from a new location, you will need to provide:
- username
- password
- verification code.
This is because the location has not yet been verified and so is not in your list of trusted locations.
The verification code is generated by the authentication app you used to set up two-factor authentication for your user account. Typically, it runs on your smartphone, tablet, or similar device.
If you do not have access to your authentication app, you can use your backup code instead.
If you have two-factor authentication set up in Paligo, you need to provide a username, password, and verification code each time you log in from a new location. You can also use a backup code instead of the verification code and this is useful if you have lost the device that runs your authentication app (typically a smartphone) or it has been stolen or destroyed.
Paligo emails the backup code to you when 2FA is first set up for your user account. So if you have access to your email, you can get the backup code and use that instead of the verification code.
Note
If you do not have your backup code, an administrator can reset 2FA for your user account. This completely removes the 2FA association between your Paligo user account and the authentication app on your smartphone, tablet, etc. You can then start the log-in process and set up a new 2FA association if required.
It is the responsibility of the administrator to make sure that each user is who they claim to be and is authorized to access your Paligo instance. If you need to verify the identity of an administrator user, please contact Paligo support. When the administrator user is verified as genuine, Paligo support can reset the 2FA association.
To log in using the backup code:
- Browse to your Paligo instance and enter your username and password as usual.
- When prompted to enter a validation code, select the "I don't have my device" hyperlink to reveal a message and checkbox.
- Select the checkbox to switch the verification code field to a backup code field.
- Enter your backup code. This is the backup code that Paligo emailed to you when you first set up 2FA for your user account or the previous time you used a backup code to log in.
When you enter the correct backup code, you are logged in to Paligo. The backup code you used is now invalid. Paligo emails a new backup code to you.
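The single-use behaviour of the backup code, as an added example that is not Paligo's code: the server keeps only a hash of the current code, a correct code is consumed the moment it is accepted, and a replacement is generated and handed to the mailer. The code format, the hashing and the in-memory outbox standing in for e-mail are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class BackupCodeState:
    """Per-user state. Only a hash of the live code is stored (assumption)."""
    code_hash: Optional[str] = None
    outbox: List[str] = field(default_factory=list)  # stands in for the e-mails sent


def _hash(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def issue_backup_code(state: BackupCodeState) -> str:
    """Generate a fresh code, store its hash and 'e-mail' the plaintext to the user."""
    code = secrets.token_hex(8)   # 16 hex characters; the format is an assumption
    state.code_hash = _hash(code)
    state.outbox.append(code)
    return code


def login_with_backup_code(state: BackupCodeState, submitted: str) -> bool:
    """Accept the current code at most once; on success rotate to a new one."""
    if state.code_hash is None:
        return False
    if not hmac.compare_digest(_hash(submitted.strip()), state.code_hash):
        return False                 # wrong code: nothing changes, user may retry
    state.code_hash = None           # the code just used is now invalid
    issue_backup_code(state)         # replacement goes out by e-mail
    return True
```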
When you successfully log in from a device, your location is added to your list of trusted locations. When you log in from a trusted location, you can use your username and password without a verification code, as Paligo knows you have verified that location before.
Your "trusted locations" are listed in your user profile. You can view them there, and if necessary, you can remove them too. For example, if you think a login looks suspicious because it is from a location you do not recognize, you can delete the location.
To see the "trusted locations" that are associated with your user account:
- Select the avatar in the top right corner.
- Select My Profile.
- Select the Trusted Devices tab.
  The Trusted Devices tab contains a list of the "trusted devices" that are associated with your user account. For each device, Paligo keeps a record of the IP address, Internet Service Provider (ISP), approximate Location, Browser and version, operating system (OS) and version, and the time and date that you Verified the device.
- If you see a location that looks suspicious, you can delete it by selecting the Remove button for that location. If you remove a location, it is no longer trusted, so any login attempt from that location will need to be verified.
If the smartphone, tablet, or computer that runs your authentication app is lost or stolen, you will not be able to provide the verification code for Paligo. But there is another way to log in: instead of the verification code, you can use the backup code that Paligo emailed to you when you first set up your Paligo account. The backup code can only be used once.
When you use a backup code, Paligo generates a new backup code to replace it, and sends that to your email address.
To find out how to use the backup code, see Log In Using Backup Code.
Important
If you have lost the device that runs your authentication app, or you think it has been stolen, ask an administrator user to reset your MFA (multi-factor authentication) device. This will remove the association between Paligo and your lost/stolen device. Should someone try to use the device to log in to Paligo, they will be unable to generate an acceptable validation code.
When you first set up two-factor authentication, Paligo sends you a backup code via email. You can use the backup code to log in instead of using the verification code, but you can only use it once. When you use a backup code, Paligo sends you a new one via email, and you can use that backup code for future log-ins if needed.
If you do not have your backup code, an administrator can reset 2FA for your user account. This completely removes the 2FA association between your Paligo user account and the authentication app on your smartphone, tablet, etc. You can then start the log-in process and set up a new 2FA association if required.
To find out more about setting up a new 2FA association between Paligo and your authentication app, see Log In using 2FA.
If you have found your backup code in your emails, you can use it to log in.
With two-factor authentication (2FA), Paligo can detect the approximate location of a device that is used for a login attempt. If this location is different from where you have previously logged in, Paligo sends you an email.
If you receive one of these emails, check the location and if you think it looks suspicious, change your password immediately. You can also remove the location from Trusted Locations for 2FA.
Note
If you are unable to change your password, contact your Paligo administrator for help; see Reset Password.
To change your password:
- Select the avatar in the top right corner.
- Select My Profile.
- Select Logout.
- On the Paligo login page, select the Forgot password link.
- On the Password recovery page, enter your email address or username.
- Select Reset password.
- If your email address or username is registered in your Paligo instance, Paligo will send you an email containing a link. When you select the link, you can reset your password and then log in.
Administrators can use the Reset MFA Device feature to remove the association between a user's Paligo account and their verification app. When this association is removed, the user will need to set up their account for two-factor authentication again, from scratch.
The most common reasons for resetting an MFA device are that a user has:
- Lost their smartphone (or other device that runs the authentication app) and has also lost their backup code.
- Had their device(s) stolen and you want to prevent the device(s) from being used to access Paligo.
- Had their location removed from the list of trusted locations.
To reset the association between a user account and a verification app:
- Log in to Paligo as an administrator.
- Select the avatar in the top-right corner.
- Select Settings from the menu.
- Select the Users tab.
- Select the dotted button ( ... ) to the right of the user account you want to reset.
- Select Edit.
- Select the General Options tab.
- Select the Reset MFA Device button. A message is displayed to warn you that resetting will mean that the user will need to set up a new device for two-factor authentication.
  If you accept that, select Reset MFA Device to confirm.