Enterprise Recon 2.5.0

Two-factor Authentication (2FA)

Two-factor authentication (2FA) secures user accounts by requiring users to enter an additional verification code when signing in on the Web Console.

Who Can Enable 2FA for User Accounts

  • All users can enable 2FA for their own user accounts.
  • If 2FA is not globally enforced, all users can disable 2FA for their own user accounts.
  • To enable 2FA on user accounts other than your own, you must be a Global Admin or System Manager.
  • To enforce 2FA for all user accounts, you must be a Global Admin or System Manager.

See User Permissions for more information.

Enable 2FA for Own User Account

As an individual user, you can enable 2FA for your own user account by doing the following:

  1. Log in to the ER2 Web Console.
  2. Go to the [Username] > My Account page.
  3. Set the toggle button to On for Two-factor Authentication (2FA).
    Two-factor Authentication (2FA) enabled for User A in My Account details page.
  4. Select Setup 2FA to set up your authenticator device. Otherwise, you will be prompted to set up your authenticator device the next time you sign in.

Enable 2FA for Individual User Accounts

As a Global Admin or System Manager, enable 2FA on a single user account by doing the following:

  1. Log in to the ER2 Web Console.
  2. Go to the Users > User Accounts page.
  3. Click Edit for the selected user.
  4. Set the toggle button to On for Two-factor Authentication (2FA) and click Save.
    Two-factor Authentication (2FA) enabled for User A in User Details page.

The user will be prompted to set up 2FA the next time they sign in.

Enforce 2FA for All Users

As a Global Admin or System Manager, enforce 2FA for all users by doing the following:

  1. Log in to the ER2 Web Console.
  2. Go to the Settings > Security > Login Policy page.
  3. Under the Account Security > Two-factor Authentication section, set the toggle button to On to enforce 2FA for all users.
    Two-factor Authentication toggle button set to "On" to enforce 2FA for all users.

All users will be prompted to set up 2FA the next time they sign in.

Set Up 2FA

To set up 2FA for your user account, you must have a two-factor authenticator app that supports time-based one-time password (TOTP) installed on your mobile device. For example:

  • Google Authenticator
  • LastPass Authenticator
  • Microsoft Authenticator
  • Authy

Once installed, do the following:

  1. In the Web Console, open the Setup Two-factor Authentication dialog box by doing one of the following:
    1. When enabling 2FA for your own user account, click the Setup 2FA button that appears next to the Enable Two-factor Authentication (2FA) toggle button; or
    2. If 2FA has already been enabled but not set up for your user account, you will be prompted to set up 2FA the next time you sign in. When prompted to set up 2FA, click Proceed.
  2. Launch the authenticator app on your mobile device.
  3. In Google Authenticator, Add an account and select Scan a barcode.
  4. Scan the QR Code displayed on the Setup Two-factor Authentication dialog box.
  5. Verify that 2FA has been correctly set up by entering the 6-digit code displayed on Google Authenticator into the Enter Code field.
  6. Click Continue to complete the setup.

The next time you sign in, ER2 will ask you for your 2FA code.

Label Format for 2FA Accounts

From ER 2.0.29, authenticator apps use the following label format for all accounts set up with 2FA:

  1. For user accounts manually added in ER2: Enterprise Recon (<master_server_identifier>) (<user_name>@<master_server_host_name>)
  2. For user accounts imported using Active Directory: Enterprise Recon (<master_server_identifier>) (<user_name>@<domain>)

For example, Enterprise Recon (117b92a9) (userA@er-master), where

  • 117b92a9 is the unique identifier for a specific Master Server instance. This unique identifier is displayed on the login screen when ER2 prompts you for the 2FA code.
    Example of unique Master Server identifier "117b92a9" displayed in the login screen for 2FA-enabled users.
  • userA is the user name.
  • er-master is the host name for the Master Server instance.
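
The label format above can be parsed to pick the authenticator entry that belongs to the Master Server shown on the login screen. The following is an added example, not part of the ER2 product or its documentation; the function names and every sample label other than the one quoted above are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Label layout as documented on this page:
#   Enterprise Recon (<master_server_identifier>) (<user_name>@<host_or_domain>)
LABEL_RE = re.compile(r"^Enterprise Recon \(([^()\s]+)\) \(([^()]+)\)$")


class ER2Label(NamedTuple):
    server_id: str  # identifier also displayed on the 2FA login prompt
    user: str
    realm: str      # Master Server host name, or AD domain for imported users


def parse_label(label: str) -> Optional[ER2Label]:
    """Return the parsed label, or None if it does not follow the ER2 layout."""
    m = LABEL_RE.match(label.strip())
    if not m:
        return None
    # Split on the last "@": host names and domains cannot contain "@".
    user, sep, realm = m.group(2).rpartition("@")
    if not sep or not user or not realm:
        return None
    return ER2Label(m.group(1), user, realm)


def entries_for_prompt(labels: List[str], prompt_id: str, user: str) -> List[str]:
    """Labels for `user` whose identifier matches the one on the login screen."""
    hits = []
    for label in labels:
        parsed = parse_label(label)
        if parsed and parsed.server_id == prompt_id and parsed.user == user:
            hits.append(label)
    return hits


# Constructed sample: the first label is the page's example; the second has the
# same host name but a different Master Server identifier; the third is an
# account on a constructed AD domain; the last is an unrelated app entry.
SAMPLE_LABELS = [
    "Enterprise Recon (117b92a9) (userA@er-master)",
    "Enterprise Recon (5c0de4f1) (userA@er-master)",
    "Enterprise Recon (117b92a9) (userB@example.local)",
    "Some Other Service (userA)",
]

if __name__ == "__main__":
    print(entries_for_prompt(SAMPLE_LABELS, "117b92a9", "userA"))
```

Two entries with the same user and host name differ only in the identifier, so the identifier on the login screen is what selects the correct code.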

Reset 2FA

As an individual user, you can reset 2FA for your own user account by doing the following:

  1. Log in to the ER2 Web Console.
  2. Go to the [Username] > My Account page.
  3. In the Account Information tab, click Setup 2FA to set up your authenticator device again.
    Reset Two-factor Authentication (2FA) for own user account by clicking Setup 2FA in My Account Details page.

As a Global Admin or System Manager, reset 2FA for a single user account by doing the following:

  1. Log in to the ER2 Web Console.
  2. Go to the Users > User Accounts page.
  3. Click Edit for the selected user.
  4. In the User Information tab, click Reset 2FA for the user to set up the authenticator device again.
    Reset Two-factor Authentication (2FA) for individual user accounts by clicking Reset 2FA in User Details page.
  5. Click Save.