In addition to user name and password, you can choose to enable two-factor authentication.
The option to enable it is available from the top-right user menu:
Once you choose to enable two-factor authentication, you are presented with a QR code that can be scanned with an authenticator application, together with an input field for a 6-digit code. The QR code uses the format defined by Google for Google Authenticator, which is also understood by many other authenticator apps. It has been verified to work with the authenticators below (and will probably work with many more):
- Google Authenticator
- Microsoft Authenticator
- Pointsharp Authenticator
- Authy
After scanning the QR code and registering it in the authenticator app, enter a 6-digit code from the authenticator to verify that everything is working correctly. If the code validates, the registration process is complete and future logins will require a 6-digit one-time password in addition to the normal password.
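The codes exchanged during enrolment and at every later login are standard TOTP values (RFC 6238, the scheme Google Authenticator implements: HMAC-SHA1 over a 30-second time step, truncated to 6 digits), and the QR code simply encodes an otpauth:// key URI carrying the base32 seed. The following is an added illustration, not code from InterFormNG2 or from the manual; it shows what the authenticator app computes from the seed, how a server-side check should tolerate clock drift while comparing in constant time, and what the scanned QR code contains. The seed, account name and issuer are constructed values (the seed is the RFC 6238 test seed), and the parameter names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Constructed example seed (base32, the same encoding an authenticator expects).
# It is the RFC 6238 test seed, not a key from the page or from any real account.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode a base32 seed, tolerating the missing '=' padding that QR codes usually omit."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP at Unix time `at` with the Google Authenticator defaults (SHA1, 6 digits, 30 s)."""
    return hotp(decode_secret(secret_b32), at // period, digits)


def verify_totp(secret_b32: str, submitted: str, at: int, window: int = 1, period: int = 30) -> bool:
    """Server-side check: accept the code for the current step or up to `window` steps on
    either side (phone clock drift), using a constant-time comparison for every candidate."""
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == 6):
        return False
    key = decode_secret(secret_b32)
    step = at // period
    ok = False
    for delta in range(-window, window + 1):
        # no early return: the time taken does not reveal which step matched
        if hmac.compare_digest(hotp(key, step + delta), submitted):
            ok = True
    return ok


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The text the enrolment QR code encodes (Google Authenticator key URI format)."""
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer, safe='')}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    now = int(time.time())
    print("QR code contents:", provisioning_uri(EXAMPLE_SECRET_B32, "ifuser@example.com", "InterFormNG2"))
    print("code right now:  ", totp(EXAMPLE_SECRET_B32, now))
    print("accepted:        ", verify_totp(EXAMPLE_SECRET_B32, totp(EXAMPLE_SECRET_B32, now), now))
```

Because the seed alone is enough to compute every future code, the server's copy of it (the otpKey the product stores) needs the same protection as the password store, and a code that has been accepted once should not be accepted again within its validity window.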
Note that two-factor authentication should only be enabled for human users. It is not meaningful to have two-factor authentication on user accounts for web-service access. A long randomly generated password should be used for such users.
When two-factor authentication is enabled, the login process starts as normal with user name and password entry. If the user name and password are valid and two-factor authentication is enabled, one of two things happens:
- If you are not remembered on the device, you are asked to enter a 6-digit one-time password as shown below. On the same screen you can choose to be remembered on the device (typically meaning the browser). If you have entered a correct one-time password, you are then logged in.
- If you have previously chosen to be remembered on the device, no one-time password is requested and you are logged in directly.
If you have access to multiple tenants, then the 6-digit one-time password entry will be on the same screen as the tenant selection. If you only have access to a single tenant, it is a separate screen.
The remember me function has an expiry time of 50 days, so when you have chosen to be remembered, you will be asked for a one-time password again 50 days later.
If you use multiple user names, only one of them will be remembered on each device. If you enable remember me for several user names on the same device, only the last one will be remembered.
When you have enabled remember me on one or more devices, you can also choose to either forget the device you are currently logged in on, or forget all remembered devices.
This is available from the top-right user menu:
If a user has lost their authentication device and is unable to log in, it is possible, as a last resort, to disable two-factor authentication for that user by modifying a system file or database table.
In the default configuration with the embedded database, user information is stored in the file profiles/default/users.json. A person with access to the file system can disable two-factor authentication for a user by removing the “otpKey” entry for that user or by setting the value of “otpKey” to an empty string:
  "ifuser@interform400.com": {
    "otpKey": "HQV4Q6CY4RNNXMSCAYLIQGHWLNGASDKI",
    "password": "{bcrypt}$2a$10$bdfYGTl8LgrKMXk5SjUZmuyf5WCGGLTigwVigm8NkRS.ugt0W0lUW",
    "pwChangeRequired": false,
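A hand edit of users.json is easy to get wrong (a stray comma leaves the file unparseable and the service unable to read any user). The script below is an added example written for this page, not a tool shipped with InterFormNG2: it clears the otpKey of one named user, keeps every other field untouched, writes a .bak copy of the original and replaces the file atomically. The sample file content is constructed in the shape of the excerpt above; that the top-level object is keyed by user name is an assumption, and the seed and bcrypt strings in it are placeholders, not real credentials.

```python
import json
import os
import tempfile

# Constructed sample in the layout of the users.json excerpt above (top-level object
# keyed by user name: an assumption). otpKey and password values are placeholders.
SAMPLE_USERS_JSON = """{
  "ifuser@example.com": {
    "otpKey": "PLACEHOLDERBASE32SEED234",
    "password": "{bcrypt}$2a$10$PLACEHOLDER.HASH.VALUE.NOT.A.REAL.BCRYPT.DIGEST.000000",
    "pwChangeRequired": false
  },
  "svc@example.com": {
    "password": "{bcrypt}$2a$10$PLACEHOLDER.HASH.VALUE.NOT.A.REAL.BCRYPT.DIGEST.000001",
    "pwChangeRequired": false
  }
}
"""


def otp_enabled(users_text: str, username: str) -> bool:
    """True when the user exists and has a non-empty otpKey, i.e. 2FA is turned on."""
    user = json.loads(users_text).get(username, {})
    return bool(user.get("otpKey"))


def disable_otp(users_text: str, username: str) -> tuple:
    """Return (updated JSON text, whether 2FA was on before). Only the otpKey entry is
    changed; the password hash and all other fields are written back unchanged."""
    users = json.loads(users_text)
    if username not in users:
        raise KeyError(f"no such user in users.json: {username}")
    was_on = bool(users[username].get("otpKey"))
    users[username]["otpKey"] = ""  # an empty otpKey disables 2FA, as the documentation states
    return json.dumps(users, indent=2) + "\n", was_on


def disable_otp_in_file(path: str, username: str) -> bool:
    """Apply disable_otp to the file on disk: keep a .bak copy of the original and
    swap the new content in with os.replace so a crash cannot leave a half-written file."""
    with open(path, encoding="utf-8") as f:
        original = f.read()
    updated, was_on = disable_otp(original, username)
    with open(path + ".bak", "w", encoding="utf-8") as f:
        f.write(original)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".users.json.")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(updated)
    os.replace(tmp, path)
    return was_on


if __name__ == "__main__":
    import sys
    # usage: python disable_otp.py profiles/default/users.json ifuser@example.com
    path, user = sys.argv[1], sys.argv[2]
    state = "2FA was on and is now disabled for" if disable_otp_in_file(path, user) else "2FA was already off for"
    print(state, user)
```

Run it while the service is stopped or restart the service afterwards, as the manual requires, and delete the .bak file once the user has logged in and re-enrolled, since it still contains the old seed.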
In the configuration where user information is stored in an external database, disabling requires a change to the table “interformuser” in the system schema: set the column “otpKey” to null for the user in question. For instance, if the user is called “ifuser@interform400.com”, the following SQL can be used (MySQL syntax, which may vary on other databases; it also assumes that “data_” is configured as the schema prefix):
UPDATE data_.interformuser SET otpKey=null WHERE username='ifuser@interform400.com';
In both cases, the InterFormNG2 service should be restarted for the change to take effect.