Contents
- Two-step verification
- Scenario: Configuring two-step verification for all users
- About two-step verification for an account
- Enabling two-step verification for your own account
- Enabling required two-step verification for all users
- Disabling two-step verification for a user account
- Disabling required two-step verification for all users
- Excluding accounts from two-step verification
- Configuring two-step verification for your own account
- Prohibit new users from setting up two-step verification for themselves
- Generating a new secret key
- Editing the name of a security code issuer
Two-step verification
This section describes how you can use two-step verification to reduce the risk of unauthorized access to OSMP Console.
Scenario: Configuring two-step verification for all users
This scenario describes how to enable two-step verification for all users and how to exclude user accounts from two-step verification. If you did not enable two-step verification for your account before you enable it for other users, the application first opens the window for enabling two-step verification for your account. This scenario also describes how to enable two-step verification for your own account.
If you have already enabled two-step verification for your account, you may proceed to the stage of enabling two-step verification for all users.
Prerequisites
Before you start:
- Make sure that your user account has the Modify object ACLs right of the General features: User permissions functional area for modifying security settings for other users' accounts.
- Make sure that the other users of Administration Server install an authenticator app on their devices.
Stages
Enabling two-step verification for all users proceeds in stages:
- Installing an authenticator app on a device
You can install any application that supports the Time-based One-time Password algorithm (TOTP), such as:
- Google Authenticator
- Microsoft Authenticator
- Bitrix24 OTP
- Yandex Key
- Avanpost Authenticator
- Aladdin 2FA
To check if Open Single Management Platform supports the authenticator app that you want to use, enable two-step verification for all users or for a particular user.
One of the steps suggests that you specify the security code generated by the authenticator app. If it succeeds, then Open Single Management Platform supports the selected authenticator.
We strongly recommend against installing the authenticator app on the same device from which the connection to Administration Server is established.
- Synchronizing the authenticator app time with the time of the device on which Administration Server is installed
Ensure that the time on the device with the authenticator app and the time on the device with the Administration Server are synchronized to UTC, by using external time sources. Otherwise, failures may occur during the authentication and activation of two-step verification.
- Enabling two-step verification for your account and receiving the secret key for your account
After you enable two-step verification for your account, you can enable two-step verification for all users.
- Enabling two-step verification for all users
Users with two-step verification enabled must use it to log in to Administration Server.
- Prohibit new users from setting up two-step verification for themselves
In order to further improve OSMP Console access security, you can prohibit new users from setting up two-step verification for themselves.
- Editing the name of a security code issuer
If you have several Administration Servers with similar names, you may have to change the security code issuer names for better recognition of different Administration Servers.
- Excluding user accounts for which you do not need to enable two-step verification
If required, you can exclude users from two-step verification. Users with excluded accounts do not have to use two-step verification to log in to Administration Server.
- Configuring two-step verification for your own account
If the users are not excluded from two-step verification and two-step verification is not yet configured for their accounts, they need to configure it in the window that opens when they sign in to OSMP Console. Otherwise, they will not be able to access the Administration Server in accordance with their rights.
Results
Upon completion of this scenario:
- Two-step verification is enabled for your account.
- Two-step verification is enabled for all user accounts of the Administration Server, except for user accounts that were excluded.
About two-step verification for an account
Open Single Management Platform provides two-step verification for users of OSMP Console. When two-step verification is enabled for your own account, every time you log in to OSMP Console, you enter your user name, password, and an additional single-use security code. To receive a single-use security code, you must have an authenticator app on the computer or mobile device.
A security code has an identifier referred to as the issuer name. The security code issuer name is used as an identifier of the Administration Server in the authenticator app. Its default value is the same as the name of the Administration Server, and you can change it. If you change the security code issuer name, you must issue a new secret key and pass it to the authenticator app. A security code is single-use and valid for up to 90 seconds (the exact time may vary).
Any user for whom two-step verification is enabled can reissue his or her own secret key. When a user authenticates with the reissued secret key and uses it for logging in, Administration Server saves the new secret key for the user account. If the user enters the new secret key incorrectly, Administration Server does not save the new secret key and leaves the current secret key valid for further authentication.
Any authentication software that supports the Time-based One-time Password algorithm (TOTP) can be used as an authenticator app, for example, Google Authenticator. In order to generate the security code, you must synchronize the time set in the authenticator app with the time set for Administration Server.
To check if Open Single Management Platform supports the authenticator app that you want to use, enable two-step verification for all users or for a particular user.
One of the steps suggests that you specify the security code generated by the authenticator app. If it succeeds, then Open Single Management Platform supports the selected authenticator.
An authenticator app generates the security code as follows:
- Administration Server generates a special secret key and QR code.
- You pass the generated secret key or QR code to the authenticator app.
- The authenticator app generates a single-use security code that you pass to the authentication window of Administration Server.
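To make the steps above concrete, here is an added Python example (not code from Open Single Management Platform or from this documentation) showing the TOTP computation an authenticator app performs, the tolerance window a server may apply when checking a code, and the otpauth URI that a provisioning QR code encodes. It assumes RFC 6238 defaults (HMAC-SHA1, 6 digits, 30-second step), a tolerance of one step either side (three 30-second steps match the 90-second validity described above), and a constructed sample secret; it also covers the time-synchronization stage described earlier, since a skewed client clock is what makes a correct secret produce a rejected code.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# Assumed RFC 6238 parameters; the page does not state step size or digits.
TIME_STEP = 30          # seconds per code
DIGITS = 6
# Assumed server tolerance of one step either side: three 30 s steps give
# the "valid for up to 90 seconds" window the page describes.
SKEW_STEPS = 1

# Constructed sample secret (the RFC 6238 test key "12345678901234567890"
# in base32); a real Administration Server issues its own random key.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int) -> str:
    """Compute the TOTP code (HMAC-SHA1, RFC 6238) for the given time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // TIME_STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def server_accepts(secret_b32: str, code: str, server_time: int) -> bool:
    """Server-side check: the code must match one step in the window."""
    for step in range(-SKEW_STEPS, SKEW_STEPS + 1):
        expected = totp(secret_b32, server_time + step * TIME_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def skewed_client_accepted(secret_b32: str, true_time: int, skew: int) -> bool:
    """Does a code from a device whose clock is off by `skew` seconds pass?"""
    client_code = totp(secret_b32, true_time + skew)
    return server_accepts(secret_b32, client_code, true_time)


def otpauth_uri(issuer: str, account: str, secret_b32: str) -> str:
    """The provisioning URI a QR code encodes; the issuer is embedded in it,
    which is why a renamed issuer needs a freshly issued key/QR code."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


if __name__ == "__main__":
    now = 1111111109                              # fixed instant from RFC 6238
    print("code:", totp(SAMPLE_SECRET, now))
    print("client 20 s off accepted:", skewed_client_accepted(SAMPLE_SECRET, now, 20))
    print("client 100 s off accepted:", skewed_client_accepted(SAMPLE_SECRET, now, 100))
    print(otpauth_uri("Administration Server", "admin", SAMPLE_SECRET))
```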
We highly recommend that you save the secret key (or QR code) and keep it in a safe place. This will help you to restore access to OSMP Console in case you lose access to the mobile device.
To secure the usage of Open Single Management Platform, you can enable two-step verification for your own account and enable two-step verification for all users.
You can exclude accounts from two-step verification. This can be necessary for service accounts that cannot receive a security code for authentication.
Two-step verification works according to the following rules:
- Only a user account that has the Modify object ACLs right in the General features: User permissions functional area can enable two-step verification for all users.
- Only a user that enabled two-step verification for his or her own account can enable the option of two-step verification for all users.
- Only a user that enabled two-step verification for his or her own account can exclude other user accounts from the list of two-step verification enabled for all users.
- A user can enable two-step verification only for his or her own account.
- A user account that has the Modify object ACLs right in the General features: User permissions functional area and is logged in to OSMP Console by using two-step verification can disable two-step verification for any other user only if two-step verification for all users is disabled, or for a user that is excluded from the list of two-step verification enabled for all users.
- Any user that logged in to OSMP Console by using two-step verification can reissue his or her own secret key.
- You can enable the two-step verification for all users option for the Administration Server you are currently working with. If you enable this option on the Administration Server, you also enable this option for the user accounts of its virtual Administration Servers and do not enable two-step verification for the user accounts of the secondary Administration Servers.
Enabling two-step verification for your own account
You can enable two-step verification only for your own account.
Before you start enabling two-step verification for your account, ensure that an authenticator app is installed on the mobile device. Ensure that the time set in the authenticator app is synchronized with the time set of the device on which Administration Server is installed.
To enable two-step verification for a user account:
- In the main menu, go to Users & roles → Users & groups, and then select the Users tab.
- Click the name of your account.
- In the user settings window that opens, select the Authentication security tab:
- Select the Request user name, password, and security code (two-step verification) option. Click the Save button.
- In the two-step verification window that opens, click View how to set up two-step verification, and then click View QR code.
- Scan the QR code with the authenticator app on the mobile device to receive a one-time security code.
- In the two-step verification window, specify the security code generated by the authenticator app, and then click the Check and apply button.
- Click the Save button.
Two-step verification is enabled for your account.
Enabling required two-step verification for all users
You can enable two-step verification for all users of Administration Server if your account has the Modify object ACLs right in the General features: User permissions functional area and if you are authenticated by using two-step verification.
To enable two-step verification for all users:
- In the main menu, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.
- On the Authentication security tab of the properties window, switch the toggle button of the two-step verification for all users option to the enabled position.
- If you did not enable two-step verification for your account, the application opens the window for enabling two-step verification for your own account.
- In the two-step verification window, click View how to set up two-step verification.
- Click View QR code.
- Scan the QR code with the authenticator app on the mobile device to receive a one-time security code.
Alternatively, enter the secret key in the authenticator app manually.
- In the two-step verification window, specify the security code generated by the authenticator app, and then click the Check and apply button.
Two-step verification is enabled for all users. From now on, users of the Administration Server, including the users that were added after enabling two-step verification for all users, have to configure two-step verification for their accounts, except for users that are excluded from two-step verification.
Disabling two-step verification for a user account
You can disable two-step verification for your own account, as well as for an account of any other user.
You can disable two-step verification of another user's account if your account has the Modify object ACLs right in the General features: User permissions functional area and if you are authenticated by using two-step verification.
To disable two-step verification for a user account:
- In the main menu, go to Users & roles → Users & groups, and then select the Users tab.
- Click the name of the internal user account for whom you want to disable two-step verification. This may be your own account or an account of any other user.
- In the user settings window that opens, select the Authentication security tab.
- Select the Request only user name and password option if you want to disable two-step verification for a user account.
- Click the Save button.
Two-step verification is disabled for the user account.
If you want to restore access for a user that cannot log in to OSMP Console by using two-step verification, disable two-step verification for this user account by selecting the Request only user name and password option as described above. After that, log in to OSMP Console under the user account for which you disabled two-step verification, and then enable two-step verification again.
Disabling required two-step verification for all users
You can disable required two-step verification for all users if two-step verification is enabled for your account and your account has the Modify object ACLs right in the General features: User permissions functional area. If two-step verification is not enabled for your account, you must enable two-step verification for your account before disabling it for all users.
To disable two-step verification for all users:
- In the main menu, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.
- On the Authentication security tab of the properties window, switch the toggle button of the two-step verification for all users option to the disabled position.
- Enter the credentials of your account in the authentication window.
Two-step verification is disabled for all users. Disabling two-step verification for all users does not apply to specific accounts for which two-step verification was previously enabled separately.
Excluding accounts from two-step verification
You can exclude user accounts from two-step verification if you have the Modify object ACLs right in the General features: User permissions functional area.
If a user account is excluded from the list of two-step verification for all users, this user does not have to use two-step verification.
Excluding accounts from two-step verification can be necessary for service accounts that cannot pass the security code during authentication.
If you want to exclude some user accounts from two-step verification:
- In the main menu, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.
- On the Authentication security tab of the properties window, in the two-step verification exclusions table, click the Add button.
- In the window that opens:
- Select the user accounts that you want to exclude.
- Click the OK button.
The selected user accounts are excluded from two-step verification.
Configuring two-step verification for your own account
The first time you sign in to Open Single Management Platform after two-step verification is enabled, the window for configuring two-step verification for your own account opens.
Before you configure two-step verification for your account, ensure that an authenticator app is installed on the mobile device. Ensure that the time on the device with the authenticator app and the time on the device with the Administration Server are synchronized to UTC, by using external time sources.
To configure two-step verification for your account:
- Generate a one-time security code by using the authenticator app on the mobile device. To do this, perform one of the following actions:
- Enter the secret key in the authenticator app manually.
- Click View QR code and scan the QR code by using the authenticator app.
A security code is displayed on the mobile device.
- In the configure two-step verification window, specify the security code generated by the authenticator app, and then click the Check and apply button.
Two-step verification is configured for your account. You are able to access the Administration Server in accordance with your rights.
Prohibit new users from setting up two-step verification for themselves
In order to further improve OSMP Console access security, you can prohibit new users from setting up two-step verification for themselves.
If this option is enabled, a user with disabled two-step verification, for example, a new domain administrator, cannot configure two-step verification for themselves. Therefore, such a user cannot be authenticated on Administration Server and cannot sign in to OSMP Console without approval from another Open Single Management Platform administrator who already has two-step verification enabled.
This option is available if two-step verification is enabled for all users.
To prohibit new users from setting up two-step verification for themselves:
- In the main menu, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.
- On the Authentication security tab of the properties window, switch the toggle button Prohibit new users from setting up two-step verification for themselves to the enabled position.
This option does not affect the user accounts added to the two-step verification exclusions.
In order to grant OSMP Console access to a user with disabled two-step verification, temporarily turn off the Prohibit new users from setting up two-step verification for themselves option, ask the user to enable two-step verification, and then turn the option back on.
Generating a new secret key
You can generate a new secret key for two-step verification for your account only if you are authorized by using two-step verification.
To generate a new secret key for a user account:
- In the main menu, go to Users & roles → Users & groups, and then select the Users tab.
- Click the name of the user account for whom you want to generate a new secret key for two-step verification.
- In the user settings window that opens, select the Authentication security tab.
- On the Authentication security tab, click the Generate a new secret key link.
- In the two-step verification window that opens, specify the security code that the authenticator app generates from the new secret key.
- Click the Check and apply button.
A new secret key is generated for the user.
If you lose the mobile device, you can install an authenticator app on another mobile device and generate a new secret key to restore access to OSMP Console.
Editing the name of a security code issuer
You can have several identifiers (called issuers) for different Administration Servers. You can change the name of a security code issuer if, for example, another Administration Server already uses a similar security code issuer name. By default, the name of a security code issuer is the same as the name of the Administration Server.
After you change the security code issuer name you have to reissue a new secret key and pass it to the authenticator app.
To specify a new name of security code issuer:
- In the main menu, click the settings icon next to the name of the required Administration Server.
The Administration Server properties window opens.
- In the Administration Server properties window, select the Authentication security tab.
- On the Authentication security tab, click the Edit link.
The Edit security code issuer section opens.
- Specify a new security code issuer name.
- Click the OK button.
A new security code issuer name is specified for the Administration Server.