Two-step authentication

From ISPWiki

General description

Two-step authentication is a technology that provides identification of users by means of the combination of two different components.

  • Step 1: enter the user login and password of the BILLmanager account.
  • Step 2: enter a six-digit password generated by Google Authenticator.

Enabling two-step authentication for users

  • Navigate to User settings to activate two-step authentication.

  • Click Enable two-step authentication.

  • You will see a new form with a QR-code containing an encrypted account name, secret, "Account name" and "Secret" fields, as well as a field for confirmation code.

Google Authenticator

Google Authenticator is supported by Android, iPhone, and BlackBerry. It can run without an active Internet connection or mobile service.

Setup and configuration of Google Authenticator on Android

The application can be installed on Android 2.1 and later.

  • Log in to Google Play, search for Google Authenticator, download, and install the app.
  • Run Google Authenticator (A QR-code reader might be downloaded together with Google Authenticator. You won't need it). Follow the step-by-step setup process.
  • Enable 2-step authentication in BILLmanager (see the instructions above). Return to Google Authenticator, click «+», and select «Scan QR-code».
  • Scan the QR code that appears. You will see a six-digit code, which changes every 30 seconds. Enter the code into the «One-time password» field in BILLmanager. If you don't have enough time to do this, you will need to generate a new one.
  • Once finished, click «ОК» in BILLmanager.

Setup and configuration of Google Authenticator on iPhone, iPod, iPad

The application can be installed on iPhone, iPod Touch and iPad starting from iOS 5.0. You can configure the app using a QR-code only on iPhone 3G or later.

  • Log in to App Store, search for Google Authenticator, download, and install the app.
  • Run the app and follow the step-by-step setup process.
  • In the form that will open, select «Scan QR-code».
  • Scan the QR code in BILLmanager. You will see a six-digit code.
  • Enter the code into the «One-time password» field in BILLmanager. If you don't have enough time to do this, you will need to generate a new one.
  • Once finished, click «ОК» in BILLmanager.

Authentication

If you enable 2-step authentication for a BILLmanager user, that user will need to complete 2 steps on the login form:

  • Enter the username and password.
  • You will see a new field for entering the 6-digit code generated in Google Authenticator. If you enter a correct code, you will be successfully logged in to the billing panel.

Disabling 2-step authentication

  • Navigate to the "User settings" module.
  • Click "Disable two-step authentication" and enter the 6-digit code generated in Google Authenticator.

To disable 2-step authentication via the console, remove the relevant data from the "totp" table in the database /usr/local/mgr5/etc/ispmgr.db.

Troubleshooting

Attention! For successful configuration of 2-step authentication, make sure that your server time and mobile device (with Google Authenticator installed) time are synchronized.

If you have issues with 2-step authentication, or the QR-code cannot be used, complete the following steps:

1. Check your server time and date.

2. Check Google Authenticator settings in the "Settings" menu -- «Correct time for QR-codes» -- «Synchronize». You will see a confirmation message. Now you can use temporary codes to set up 2-step authentication. Synchronization affects only the internal time of Google Authenticator and is not shown in the device date and time settings.

3. If in «Google Authenticator» you cannot find «Settings», check time synchronization in your mobile device.
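Why the clocks must agree, as an added example that is not part of the original page or of BILLmanager's code: the six-digit code is a function of the shared secret and the current 30-second time step (RFC 6238 with HMAC-SHA1, the Google Authenticator defaults). The acceptance window of one step either side of server time is an assumption for illustration, and the secret is the RFC 6238 test key, not a real account.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, 30-second steps and six digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // step)       # 8-byte big-endian step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32: str, code: str, server_time: int, window: int = 1, step: int = 30):
    """Return the step offset at which the code matches, or None if it is rejected.

    window=1 (one step before or after server time) is an assumed tolerance,
    not a documented BILLmanager setting.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * step, step)
        if hmac.compare_digest(expected, code):           # constant-time comparison
            return drift
    return None

# Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def demo(phone_clock_error: int, server_time: int = 1_700_000_000):
    """Generate a code on a phone whose clock is off by phone_clock_error seconds,
    then check it against the server clock."""
    code = totp(SECRET, server_time + phone_clock_error)
    return verify(SECRET, code, server_time)

if __name__ == "__main__":
    for err in (0, 25, -40, 120):
        print(f"phone clock error {err:+4d}s -> matched step offset: {demo(err)}")
```

A phone that is two minutes off produces a code for a time step the server never checks, which is the failure the synchronization steps above address.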

Confirmation for form elements

You can configure verification for a form field using the requireauth="yes" attribute. Create a plug-in MGRNAME_mod_plugin_name.xml in the /usr/local/mgr5/etc/xml directory. Example for ISPmanager: /usr/local/mgr5/etc/xml/ispmgr_mod_totp.xml

        <?xml version="1.0" encoding="UTF-8"?>
        <mgrdata>
        <metadata name="usrparam" type="form">
             <form>
                <field name="hintview">
                    <select name="hintview" requireauth="yes"/>
                </field>
             </form>
        </metadata>
        </mgrdata>

In the above example, a user will be asked to enter a code when he saves changes in the "Hints" field in the "User settings" module. If the requireauth="yes" attribute is put into the <form> tag, a confirmation code will be required when a user changes any field of that form.

Confirmation of group operations

Let's create a plug-in that will ask a client to enter a confirmation code when he performs group operations:

/usr/local/mgr5/etc/xml/ispmgr_mod_totp.xml

        <?xml version="1.0" encoding="UTF-8"?>
        <mgrdata>
        <metadata name="webdomain">
            <toolbar>
                <toolbtn name="resume" requireauth="yes"/>
            </toolbar>
        </metadata>
        </mgrdata>

Before a WWW-domain is disabled, a user will be asked to enter a confirmation code.

Attention! If you write a plug-in on <toolbtn>, make sure that the <toolbtn> tag contains the type="group" attribute and that the value of the func attribute is in the format LIST_NAME.FUNCTION_NAME. In the example above, the <toolbtn> tag has the func="webdomain.resume" attribute.

For more information on how to write plug-ins, please refer to:

ISPmanager: Plug-in example. How to add a menu module

ISPmanager: Plug-in example. How to change a domain directory

Important notes

When you grant access to ISPSystem's Support team, a confirmation code on the login form won't be required.

If you activate two-step authentication for a user, when you drill down to the user level from root/Admin, a confirmation code won't be required.

Note: if you have plug-ins that require confirmation for operations, you (if you log in as a user) will be asked to enter a code to complete an operation.