Add 2FA paragraph (#479)

Co-Authored-By: Davide Principi <davide.principi@nethesis.it> Co-Authored-By: Filippo Carletti <filippo.carletti@gmail.com> Co-Authored-by: Stephane de Labrusse <stephdl@de-labrusse.fr>
NethServer · Mar 20, 2020 · d9fbb47 · d9fbb47
1 parent e68f0eb
commit d9fbb47
Showing 1 changed file with 46 additions and 1 deletion.
diff --git a/administrator-manual/en/base_system2.rst b/administrator-manual/en/base_system2.rst
@@ -237,7 +237,7 @@ The shell and the processes will run with the user privileges.
 Role delegation
 ===============
 
-On complex environments, the *root* user can delegate the access of some section
+On complex environments, the *root* user can :index:`delegate` the access of some section
 to specific groups of local users.
 
 A local user can be delegated to access:
@@ -261,3 +261,48 @@ The following pages are always accessible to all users:
 * dashboard
 * applications
 * terminal
+
+Two-factor authentication (2FA)
+===============================
+
+Two-factor authentication (2FA) can be used to add an extra layer of security required to access the new Server Manager.
+First, users will enter user name and password, then they will be required to provide a temporary verification code
+generated by an application running on their smartphone.
+
+2FA is disabled by default. Each user can enable it by accessing the :guilabel:`Two-factor authentication` section
+under :guilabel:`Settings` page, then following these steps:
+
+1. download and install the preferred 2FA application inside the smartphone
+2. scan the QR code with the 2FA application
+3. generate a new code and copy it inside :guilabel:`Verification code` field, than click :button:`Check code`
+4. if the verification code is correct, click on the :button:`Save` button
+
+Recovery codes
+--------------
+
+Recovery codes can be used instead of temporary codes if the user cannot access the 2FA application on the smartphone.
+Each recovery code is a one-time password and can be used only once.
+
+To generate new recovery codes, disable 2FA, then re-enable it by registering the application again following the above steps.
+
+Smartphone applications
+-----------------------
+
+There are several commercial and open source 2FA applications:
+
+Available for both Android and iOS:
+
+- `FreeOTP <https://freeotp.github.io/>`_: available for both Android and iOS
+- `Authenticator <https://mattrubin.me/authenticator/>`_: available on iOS only
+- `andOTP <https://github.com/andOTP/andOTP>`_: available for both Android and iOS https://github.com/andOTP/andOTP
+
+Emergency recovery
+------------------
+
+In case of emergency, 2FA can be disabled accessing the server from a physical console like a keyboard and a monitor,
+a serial cable or a VNC-like connection for virtual machines:
+
+1. access the system with user name and password
+2. execute: ::
+     rm -f ~/.2fa.secret
+     signal-event otp-save