Scenario: Configuring two-step verification for all users
This scenario describes how to enable two-step verification for all users and how to exclude user accounts from two-step verification. If you did not enable two-step verification for your account before you enable it for other users, the application opens the window for enabling two-step verification for your account, first. This scenario also describes how to enable two-step verification for your own account.
If you enabled two-step verification for your account, you may proceed to the stage of enabling of two-step verification for all users.
Prerequisites
Before you start:
- Make sure that your user account has the Modify object ACLs right of the General features: User permissions functional area for modifying security settings for other users' accounts.
- Make sure that the other users of Administration Server install an authenticator application on their devices.
Stages
Enabling two-step verification for all users proceeds in stages:
- Installing an authenticator application on a device
You can install Google Authenticator, Microsoft Authenticator, or any other authenticator application that supports the Time-based One-time Password algorithm.
- Synchronizing the authenticator application time with the time of the device on which Administration Server is installed
Ensure that the time set in the authenticator application is synchronized with the time of Administration Server.
- Enabling two-step verification for your account and receiving the secret key for your account
How-to instructions:
- For MMC-based Administration Console: Enabling two-step verification for your own account
- For Kaspersky Security Center 13.1 Web Console: Enabling two-step verification for your own account
After you enable two-step verification for your account, you can enable two-step verification for all users.
- Enabling two-step verification for all users
Users with two-step verification enabled must use it to log in to Administration Server.
How-to instructions:
- For MMC-based Administration Console: Enabling two-step verification for all users
- For Kaspersky Security Center 13.1 Web Console: Enabling two-step verification for all users
- Editing the name of a security code issuer
If you have several Administration Servers with similar names, you may have to change the security code issuer names for better recognition of different Administration Servers.
How-to instructions:
- For MMC-based Administration Console: Editing the name of a security code issuer
- For Kaspersky Security Center 13.1 Web Console: Editing the name of a security code issuer
- Excluding user accounts for which you do not need to enable two-step verification
If required, you can exclude users from two-step verification. Users with excluded accounts do not have to use two-step verification to log in to Administration Server.
How-to instructions:
- For MMC-based Administration Console: Excluding accounts from two-step verification
- For Kaspersky Security Center 13.1 Web Console: Excluding accounts from two-step verification
Results
Upon completion of this scenario:
- Two-step verification is enabled for your account.
- Two-step verification is enabled for all user accounts of the Administration Server, except for user accounts that were excluded.