ALIF: Two Factor Authentication (2FA)

Overview

Introduced in AIM v5.10, two-factor authentication (2FA) requires two forms of identification before a user can log in to the OSD or an administrator can log in to the AIM's web interface. At login the user is challenged for their password and for a time-based One Time Password (OTP) generated by an authenticator application such as Microsoft Authenticator or Google Authenticator. A new OTP is generated every 30 seconds. The feature is optional and can be enabled per user.

 Important

You must use an NTP (Network Time Protocol) server to use this feature. Because the One Time Password is time-based, the AIM's system clock must be kept in sync with the clocks of the users' phones. Without NTP the clock can drift over time, the AIM will stop accepting otherwise correct OTPs, and users will be locked out of the system.

Enabling 2FA

Log in to the AIM's web interface and navigate to the Users page. 2FA can be enabled for any user except the anon and api_anon accounts, in any of the following ways.

2FA Enable

Option 1

The 2FA column contains a tick box for each user. When you change the state of a tick box, an Apply button appears at the bottom of the page; click it to save the changes.

Option 2

At the bottom of the Users list are two buttons, Enable 2FA for All Users and Disable 2FA for All Users. Clicking either changes the setting for every eligible user at once.

Option 3

When editing a user, set the Require Password option and choose Keep Existing Password + 2FA OTP.


Setting up 2FA on the AIM User Interface

For users with administrator access, once 2FA has been enabled and you have logged in to the AIM web interface with your password, you will be presented with a setup screen similar to the one below:

2FA UISetup

On the page you will find the following elements:

  • A QR code that you scan to set up the Authenticator application.
  • The Recovery code. This is a one-time unique password that you should copy and store somewhere secure. It can be used to log in should you have problems using the OTP.
  • The date and time window during which an OTP generated by the Authenticator will be accepted. The authenticator application changes the code every 30 seconds, but the AIM will accept a code that was valid at any point within this window. By default the window is 2 minutes; it can be changed under Dashboard -> Settings -> General by editing the 2FA OTP Window time, which can be set between 1 and 9 minutes. A wider window tolerates more clock drift between the AIM and the phone, but it also keeps an already-used or observed code usable for longer, so keep it as short as your clock synchronisation allows.
  • An OTP text box for entering the code generated by the Authenticator application.

Setting up the Authenticator

Many applications support time-based One Time Passwords, including Google Authenticator, Microsoft Authenticator and Authy, to name but a few. They are typically installed on your mobile phone and all use the same standard algorithm (TOTP, RFC 6238) to generate the codes, so any of them will work with the AIM. The following instructions show how to configure Microsoft Authenticator on Android.

  • Install and open the Microsoft Authenticator
  • Click on the + symbol at the top to add an Account.
  • From the list of options choose Other account
  • Using the Camera, scan the QR Code
  • You should now see an entry in the Authenticator list called AIM Authentication_ followed by the user name.

Completing the Setup

  • In the Authenticator, open the AIM Authentication entry and enter the OTP it displays into the AIM.
  • Press Verify & Commit.
  • Provided the OTP code is accepted, you will need to enter an OTP every time you log in from now on.

 Note

If you skip the 2FA setup and come back to it later, the QR code used to set up the Authenticator will have changed, so you will need to set up the Authenticator application again.


Logging into the AIM web interface

The next time you log in to the AIM web interface you will see only the following screen, without the QR code:

2FA UILogin

If you enter an incorrect OTP you are given the opportunity to enter it again. You can also log in with the one-time Recovery code. Entering the Recovery code and clicking Disable 2FA turns the feature off for that account.

2FA UILoginIncorrect


Setting up 2FA for a User on the OSD

After 2FA has been enabled, the first time a user raises the OSD and logs in they will need to set up their time-based One Time Password (OTP).

AIM OSD OTP

Setting up the Authenticator

Set up the Authenticator exactly as described under Setting up the Authenticator above: install and open Microsoft Authenticator, click the + symbol to add an account, choose Other account, scan the QR code with the camera, and check that an entry called AIM Authentication_ followed by the user name now appears in the Authenticator list.

Completing the Setup

  • In the Authenticator, open the AIM Authentication entry and enter the OTP it displays into the OSD.
  • Press Verify.
  • Provided the OTP code is accepted, you will need to enter an OTP every time you log in from now on.


Logging into the OSD

 Important

If you enter the OTP incorrectly five times in a row the account is automatically suspended.

The next time you log in to the OSD you will see only the following screen, without the QR code. Re-generating the code from this screen automatically suspends the account, and an administrator must unsuspend it before it can be used again; once unsuspended, the user can create a new entry in the Authenticator application and log in with it.

AIM OSDOTP2
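The following is an added example, not Adder/AIM code, showing the mechanics behind two points on this page: the OTP acceptance window described under Setting up 2FA on the AIM User Interface (why a 30-second code can still be accepted within a 2-minute window, and why clock drift breaks it), and the five-consecutive-failure suspension described for the OSD. It implements the generic RFC 6238 TOTP algorithm that authenticator apps use and checks it against the RFC's published SHA-1 test key. The AIM's own implementation is not described on this page; in particular, the window being centred on the current time, the otpauth label and issuer text, and the failure counter resetting on a correct code are assumptions made for illustration.

```python
# Added example (not Adder/AIM code): generic RFC 6238 TOTP plus a verifier with
# an acceptance window and a consecutive-failure lockout like those this page
# describes. Assumptions: the window is centred on "now", a correct code resets
# the failure count, and the otpauth label/issuer text is illustrative.
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP = 30      # seconds per code, the interval authenticator apps use
DIGITS = 6     # code length shown by the app


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). The phone
    computes exactly this, so its clock and the AIM's clock must agree."""
    return hotp(secret, unix_time // step)


def provisioning_uri(label: str, secret: bytes, issuer: str) -> str:
    """The otpauth:// key URI that a TOTP QR code carries (Google Authenticator
    key URI format). Label and issuer here are illustrative, not the AIM's."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{quote(label)}?secret={b32}&issuer={quote(issuer)}"


def verify(secret: bytes, code: str, now: int, window_seconds: int = 120) -> bool:
    """Accept `code` if it is the TOTP of any 30-second step overlapping the
    window [now - w/2, now + w/2). 2 minutes is the page's default; widening
    it tolerates more drift but keeps stale codes usable for longer."""
    half = window_seconds // 2
    first = (now - half) // STEP
    last = (now + half - 1) // STEP
    ok = False
    for counter in range(first, last + 1):
        # constant-time comparison for every candidate; no early exit
        ok |= hmac.compare_digest(hotp(secret, counter), code)
    return ok


class OtpGate:
    """Per-user OTP check with a consecutive-failure lockout: five wrong codes
    in a row suspend the account, as this page describes for the OSD."""

    def __init__(self, secrets: dict, max_failures: int = 5, window_seconds: int = 120):
        self.secrets = secrets
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.failures = {user: 0 for user in secrets}
        self.suspended = set()

    def attempt(self, user: str, code: str, now: int) -> str:
        if user in self.suspended:
            return "suspended"          # only an administrator can unsuspend
        if verify(self.secrets[user], code, now, self.window_seconds):
            self.failures[user] = 0     # assumption: a good code resets the count
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.suspended.add(user)
            return "suspended"
        return "retry"

    def unsuspend(self, user: str) -> None:
        """Administrator action: clear the suspension and the failure count."""
        self.suspended.discard(user)
        self.failures[user] = 0


RFC6238_SECRET = b"12345678901234567890"   # RFC 6238 Appendix B SHA-1 test key

if __name__ == "__main__":
    t = 1111111109                                       # RFC 6238 test time
    print(totp(RFC6238_SECRET, t))                       # 081804 per the RFC
    print(provisioning_uri("AIM Authentication_alice", RFC6238_SECRET, "AIM"))
    print(verify(RFC6238_SECRET, "081804", t + 50))      # inside 2-minute window
    print(verify(RFC6238_SECRET, "081804", t + 70))      # drifted past it
    print(verify(RFC6238_SECRET, "081804", t + 70, 540)) # 9-minute window
    gate = OtpGate({"alice": RFC6238_SECRET})
    print([gate.attempt("alice", "000000", t) for _ in range(5)])
```

The `verify` function is where the NTP requirement shows up in practice: the same code that is accepted 50 seconds after it was generated is rejected 70 seconds later with the default 2-minute window, and a clock that is a few minutes out turns every login into that second case. The 9-minute window rescues the drifted code, at the cost of accepting any code from the last several minutes.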



Page last modified on Wednesday May 8, 2024 14:10:23 GMT-0000