
Multi-Factor Authentication

Multi-Factor Authentication (MFA) is provided by MFAStack® as an add-on, enabled within AuthStack.

Introduction

MFA within AuthStack operates at two different levels, depending on the license type.

  • MFA for Administrators Only
  • MFA for Administrators, plus SSO Users

AuthStack supports MFA for administrators with only the AuthStack license; however, you will need to purchase an MFAStack add-on license in order to support MFA for SSO users. You can upgrade your license from within your Customer Portal.

Types of MFA Keys

There are 5 different types of MFA key which can be added to an account. 3 are hardware keys and 2 are software based keys.

Key (Type): Details

  • FIDO U2F (Hardware): U2F is an open authentication standard that enables internet users to securely access any number of online services with one single device, instantly and with no drivers or client software needed.
  • Yubikey OTP (Hardware): Yubico OTP is a simple yet strong authentication mechanism that is supported by all YubiKeys out of the box.
  • Yubikey OATH-HOTP (Hardware): HOTP works just like OTP, except that an authentication counter is used instead of a timestamp. The advantage of this is that HOTP devices require no clock.
  • Authenticator (time-based) (Software): Set up this OTP software key using Google Authenticator, FreeOTP or similar tools supporting this protocol.
  • Authenticator (counter-based) (Software): Set up this OTP software key using Google Authenticator, FreeOTP or similar tools supporting this protocol.


What is the right type of MFA key to use?

That depends on each individual requirement, but our preferred options are FIDO U2F for hardware keys and Authenticator (time-based) for software.

U2F provides the strongest form of security, but is only officially supported in Chrome at this time. If you wish to use browsers other than Chrome we recommend Yubikey OTP. You can read more about U2F over at the Yubico website.

For software based keys, Authenticator (time-based) provides the most robust key type. Within your app store, search for Google Authenticator or FreeOTP to install.

Some Yubico hardware keys require information which can only be obtained using the Yubikey Personalisation Tool. We will cover that in a separate topic.

Looking to buy hardware keys? Contact us for a quotation.

Adding a software MFA key

Once you are logged in to AuthStack, navigate to My Profile and Multi-Factor Authentication. Ensure Multi-Factor is enabled and then select the key type.

Setting up with Google Authenticator using Authenticator (time-based) key


  1. Download Google Authenticator from your App Store
  2. Open Google Authenticator and press the plus button in the bottom right ( + )
  3. Tap Scan a Barcode
  4. Within AuthStack, click the Authenticator (time-based) key
  5. Add a title which describes the device you are adding the MFA key to, such as John's Samsung Galaxy S6
  6. Click Add, then a barcode will appear. Scan this barcode with your phone
  7. Locate your new account within the Google Authenticator app, it will be displaying a random 6 digit code
  8. Enter this code into the confirmation box within AuthStack, then click Confirm
  9. Ensure you enter the code quickly and press Confirm before the timer runs out. Otherwise your one-time password will be invalid, as it has a 30-second lifetime
  10. You're done, MFA has now been enabled on your account. You will see the new key within your associated security keys.

Log out and log back in again to try your new MFA key.

The counter-based system works in the same way, except you must request a new code by tapping on the MFA key within the application. A counter-based code has no set time limit and can only be used once. The downside of counter-based OTP is that it is possible to go out of sync with the server if you generate OTPs and do not use them.

Adding a hardware U2F key

Adding a hardware U2F key is the simplest of the hardware keys, since the private key is stored on the device itself and the connection to the key occurs through the Chrome browser. There is no need to set up the key within the Yubico Personalisation Tool. Simply plug and play.

  1. Select the U2F (Universal 2nd Factor) option within the Multi-Factor Authentication screen
  2. Enter a title for the key which will help you to identify it
  3. Enter a serial number (if applicable) - you can usually find this on the back of the device. Some keys do not have serial numbers.

(Image: an example of a Yubikey serial number.)


  4. Click Add, then you will be prompted to plug in your U2F key and press the touch pad when the device is flashing. Please note there is a timeout; you must press within a few seconds. If the device stops flashing and/or fails to pair, simply click Cancel and Add again, then repeat the process.


Once the pairing is completed you will be prompted that the key has been added.

That's it, the MFA device is ready to use. You can see the new key within your associated security keys list.


Adding a hardware OTP key

AuthStack supports Yubico OTP and Yubico OATH-HOTP hardware OTP options. Both require configuration using the Yubikey Personalisation Tool.

Please download and install the Yubikey Personalisation Tool, then open the tool and insert your Yubikey. Yubico are updating the tool so it's best to periodically check if you are running the latest version. Once the tool is open it will connect to the YubiKey and display various details, such as serial number and features which are supported.

Configuring Yubico OTP

  1. Click Yubico OTP
  2. Click Quick
  3. Click Configuration Slot 1
  4. Click Regenerate to create new values
  5. Untick Hide values
  6. Click Write Configuration
  7. A popup will open, save your key settings to a secure location
  8. A message will appear in the tool showing Configuration saved successfully
  9. Enter the values from the Yubikey Personalisation Tool into the YubiKey OTP box


Make sure you have written the configuration to the Yubikey before continuing.

Once you have completed all the fields, focus the OTP Generated by Yubikey field and then press the touch pad on the Yubikey itself to emit an OTP.


If everything was completed successfully your key will be added.


Adding a hardware OATH-HOTP key

As with Yubico OTP, OATH-HOTP keys must first be configured using the Yubikey Personalisation Tool; see the previous section for installing the tool and connecting your Yubikey.

Configuring Yubico OATH-HOTP

  1. Click Yubico OATH-HOTP
  2. Click Quick
  3. Click Configuration Slot 1 or Slot 2 if you already have configured Slot 1 with another OTP type
  4. Click Generate MUI to create new values
  5. Untick Hide secret
  6. Click Write Configuration
  7. A popup will open, save your key settings to a secure location
  8. A message will appear in the tool showing Configuration saved successfully
  9. Enter the values from the Yubikey Personalisation Tool into the YubiKey OTP box


Make sure you have written the configuration to the Yubikey before continuing.

Once you have completed all the fields, focus the OTP Generated by Yubikey field and then press the touch pad on the Yubikey itself to emit an OTP.

Please note, if you write to configuration slot 2, you generate an OTP by holding your finger on the touch pad. Just touching the pad briefly will use configuration slot 1.


If everything was completed successfully your key will be added.


Removing an MFA key

To remove an MFA key assigned to your account, press the red bin icon within the associated security keys.


Disabling MFA from CLI

If you have lost your device and cannot log in, you can use the authstack-ctl CLI tools to disable MFA for any account. This will let you log in, re-enable MFA from the GUI and remove the lost MFA key.

Run the following command:

authstack-ctl user:mfa-disable 1

Where 1 is the User ID of your account.

You can locate your User ID by listing administrator users:

authstack-ctl admin:list
