Enable two-factor authentication (2FA) for an extra level of personal and organizational security when logging in to your intranet. 2FA adds a second login step during authentication, requiring a user to enter a time-sensitive rolling code displayed on their phone, in addition to their username and password. To use 2FA, users need a personal or company-issued mobile device, and they need to download a compatible, third-party authenticator app (such as Google Authenticator, Microsoft Authenticator, Authy, or Duo) to the device.
The 2FA feature applies only to regular users, that is, accounts that sign in with a ThoughtFarmer username and password. External users sign in through a third-party application, so any multi-factor authentication for them is configured in that application rather than in ThoughtFarmer. Administrators can choose whether to require 2FA for some or all regular users, or to let regular users opt in to 2FA themselves. Optional 2FA can also serve as a transition period: give users time to set up 2FA before making it required for login.
For user instructions about setting up 2FA, see Use two-factor authentication (2FA).
Enable two-factor authentication (2FA)
By default, the two-factor authentication feature is off and must be enabled for your intranet.
- Go to the ThoughtFarmer Admin panel: Users & security section > Regular user settings & invitations page.
- Under Two-factor authentication (2FA), select the checkbox Turn on two-factor authentication. Additional options will appear when you select the checkbox.
- If you want to require some or all regular users to use 2FA, select the radio button Only allow admins to enable/disable 2FA for regular users. If you want to allow users the choice to opt-in to 2FA, select the radio button Allow admins and regular users to enable/disable 2FA.
- By default, the Number of 2FA passcode attempts before users are locked out is 3. You can change the value for this option. Keep this limit low: a six-digit passcode can be guessed by an attacker who is allowed unlimited attempts, so the lockout is what makes the second step effective against brute force.
- By default, the Number of minutes that the lockout period lasts is 10. You can change this value to change the length of the lockout period. A locked-out user cannot complete login until the period ends, even with a correct passcode, so weigh longer periods against the help-desk load they create.
- Click Save.
- If you selected Only allow admins to enable/disable 2FA for regular users, nothing is required of any user yet: you must go to the User management page and select which users are required to use 2FA. See Select users required to use 2FA below.
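The two numeric settings above describe a standard pattern: the authenticator app shows a time-based one-time passcode (RFC 6238 TOTP, which is what Google Authenticator, Microsoft Authenticator, Authy and Duo generate), and the server counts failed passcode attempts and refuses further attempts for a fixed period once the limit is hit. The following is an added illustration of that pattern, not ThoughtFarmer's own code: the class and function names, the in-memory state, the replay check on the last accepted time step, and the one-step clock-drift tolerance are all assumptions made for the example. The RFC 6238 test secret and fixed timestamps are used so the output is reproducible.

```python
"""
Added example: RFC 6238 TOTP verification with an
"N failed attempts, then M-minute lockout" policy, using the page's defaults (3 and 10).
Not ThoughtFarmer code; names, state store and policy fields are assumptions.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

STEP_SECONDS = 30  # the time step authenticator apps use for the rolling code


def totp_for_counter(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over a time counter: HMAC-SHA1, dynamic truncation, zero-padded digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float) -> str:
    """The code an authenticator app would display at Unix time `at`."""
    return totp_for_counter(secret, int(at) // STEP_SECONDS)


@dataclass
class LockoutPolicy:
    max_attempts: int = 3      # "Number of 2FA passcode attempts before users are locked out"
    lockout_minutes: int = 10  # "Number of minutes that the lockout period lasts"
    skew_steps: int = 1        # accept one step either side to tolerate phone clock drift (assumption)


@dataclass
class UserTwoFactor:
    secret: bytes              # shared secret enrolled in the authenticator app
    failed_attempts: int = 0
    locked_until: float = 0.0  # Unix time; 0 means not locked
    last_counter: int = -1     # last time step accepted, so a captured code cannot be replayed


def verify_passcode(user: UserTwoFactor, policy: LockoutPolicy, submitted: str, now: float) -> str:
    """Second login step. Returns "ok", "invalid" or "locked"."""
    if now < user.locked_until:
        return "locked"  # inside the lockout period: even a correct code is refused
    current = int(now) // STEP_SECONDS
    for delta in range(-policy.skew_steps, policy.skew_steps + 1):
        counter = current + delta
        if counter <= user.last_counter:
            continue  # this step (or an earlier one) was already used: reject replay
        expected = totp_for_counter(user.secret, counter)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            user.failed_attempts = 0
            user.last_counter = counter
            return "ok"
    user.failed_attempts += 1
    if user.failed_attempts >= policy.max_attempts:
        user.failed_attempts = 0
        user.locked_until = now + policy.lockout_minutes * 60
        return "locked"
    return "invalid"


def reset_two_factor(user: UserTwoFactor) -> bytes:
    """What an admin "Reset two-factor authentication" amounts to: issue a fresh secret for
    re-enrolment and clear the attempt counter, any lockout and the replay marker."""
    user.secret = secrets.token_bytes(20)
    user.failed_attempts = 0
    user.locked_until = 0.0
    user.last_counter = -1
    return user.secret


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test secret and a fixed clock.
    user = UserTwoFactor(secret=b"12345678901234567890")
    policy = LockoutPolicy()
    t = 1111111109
    print("app shows", totp(user.secret, t))
    for guess in ("000000", "111111", "222222"):
        print(guess, "->", verify_passcode(user, policy, guess, t))
    print("correct code during lockout ->",
          verify_passcode(user, policy, totp(user.secret, t + 60), t + 60))
    t2 = t + policy.lockout_minutes * 60 + 1
    print("correct code after lockout ->", verify_passcode(user, policy, totp(user.secret, t2), t2))
```

The demo walks the failure mode the settings exist for: three wrong guesses trigger a 10-minute lockout, during which the correct code is also refused, and a code accepted once is refused if submitted again within the same 30-second step.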
To disable two-factor authentication on the intranet, deselect the checkbox Turn on two-factor authentication and click Save.
If you create a new regular user after 2FA is enabled, there is a checkbox option to enable two-factor authentication for that user on the Create user page. When 2FA is enabled, the default text for new user email invitations includes instructions about activating 2FA. Admins may want to customize the default email invitation text (for example, to provide specifics about the preferred authentication app or a download link).
Select users required to use 2FA
After enabling 2FA for your intranet, you need to select the users who will be required to set up and use 2FA. This is only possible if you selected the setting Only allow admins to enable/disable 2FA for regular users on the Regular user settings & invitations page. A selected user is asked to set up 2FA the next time they log in. If a user is logged in to the intranet when the admin requires that they use 2FA, they are logged out and must set up 2FA on their next login.
- Go to the Admin panel: Users & security section > User management page.
- Filter the users by selecting User type>Regular, and Account status>Active from the filters on the left.
- To further narrow the list, sort, perform a search query, or select additional filters to find the users you are looking for.
- Select the checkbox beside the user(s) you want to require 2FA for. To select all users listed on the page, select the checkbox in the header row.
- Click in the Choose an action... menu and select Enable two-factor authentication. Click Go.
- A checkbox will appear in the 2FA column beside users who are required to use 2FA.
Disable or Reset 2FA
You can disable the 2FA requirement for users who have previously been required to use it. If regular users can opt-in to use 2FA on your intranet, they will still be able to enable it for themselves under their profile security settings.
If a user loses their phone or deletes the authenticator app, you can reset 2FA for them so they can set it up again. Because a reset lets whoever next logs in enrol a new device, confirm the requester's identity through a channel you trust (not just the email or chat message asking for the reset) before performing it.
To disable or reset 2FA, follow the instructions above under the heading Select users required to use 2FA, but in the Choose an action... menu, select the desired action (disable or reset two-factor authentication). If you disable 2FA, the checkbox will no longer appear in the 2FA column for the users you selected.
To disable two-factor authentication completely, go to the Admin panel: Users & security section > Regular user settings & invitations page and deselect the checkbox Turn on two-factor authentication. 2FA will be deactivated for any user who is required to use 2FA or who has opted-in to using 2FA.