Enable Two-Factor Authentication

Two-Factor Authentication (2FA) provides stronger security for users logging into the appliance by adding an extra step to the login process. It relies on the authenticator app to generate verification codes. The app generates a new six-digit code at regular intervals. When administrators enable 2FA on the appliance, applicable end users are prompted for a verification code each time they log in.

Start by installing the authenticator app on your Android or iOS mobile device. You can download the app from Google Play or the Apple App Store.

Only users with Admin-level permissions have the ability to enable 2FA. Read-only administrators cannot manage this feature.

NOTE: Using the reset_admin_password command to reset the administrator's password also resets the 2FA token. For more information about this command, see Use the Command Line Console to reset the Administrator's password.
1. On the left navigation pane, click Settings > Control Panel to display the Control Panel, then click Security to display the Security Settings page.
2. On the Security Settings page, under Two-Factor Authentication, select Enable Two-Factor Authentication.
3. Click Save.
4. Complete the 2FA configuration on the Configure Two-Factor Authentication page that appears.
   a.
   b.
   c. The 6-digit code that appears is valid for 30 seconds. If you enable this feature, ensure that the clock on the appliance server is accurate, as well as the clock on the device running the authenticator app. The app relies on the current time to create the token. If the server's clock is not synchronized with the clocks of the devices running the authenticator app, token validation may fail, which may result in account lockouts.
   d. In the Verification Code field, type the 6-digit code from the authenticator app.
   e. Click Finish Configuration.
   The Configure Two-Factor Authentication page closes and the Dashboard appears, indicating that you are now logged in to the appliance with the newly configured 2FA credentials.
5.
   a. On the left navigation pane, click Settings > Control Panel to display the Control Panel, then click Security to display the Security Settings page.
   b. When you enable 2FA on the appliance, only those users who have 2FA enabled can log in using this additional layer of security. To enforce 2FA for all users logging into the appliance, under Two-Factor Authentication, select Require Two-Factor Authentication for all users. This option overrides the 2FA configuration associated with individual user accounts. For more information, see Add or edit local administrator accounts.
   c. To specify the length of time during which users who require 2FA can bypass 2FA authentication, under Transition Window, specify the desired time period. This way, for example, if a user leaves their phone at home and cannot generate a new code, they can still access the appliance during the specified amount of time.
6. Click Save.