This repository has been archived by the owner on Mar 14, 2019. It is now read-only.
two_factor.rst

Two Factor Authentication
=========================

Two Factor Authentication, also known as two step verification, is an extra layer of security for authenticating a user. In any security system, there are three authentication factors which can be used: something the user knows, something the user owns and something the user is. Two factor authentication uses the first two: a combination of username and password (knowledge) and a physical token (possession).

In KeyRock's implementation of two factor authentication, the physical token is the user's smartphone, by means of an app. Once correctly set up, this app generates unique time-based passwords (also known as verification codes) that authenticate the user in combination with the right username and password. After the initial setup, the app needs no internet connection to generate the verification codes.

You will need to install a third party app that implements the Open MFA standards defined in RFC 4226 (HOTP: An HMAC-Based One-Time Password Algorithm) and in RFC 6238 (TOTP: Time-Based One-Time Password Algorithm).

.. important::

   We recommend Google Authenticator.

To enable it you must log into KeyRock and head to your settings menu. A two factor section is there with all the instructions to follow. In summary, you will need to:

- Provide a question and its answer (keep it secret!)
- Generate a new secret key
- Configure your app with this secret key using the QR Code or manually

Once two factor authentication is enabled, your login process will have a new step. After providing your username and password you will be asked for the verification code generated by your app.

.. note::

   For convenience, you can remember your computer, and no verification codes will be asked for when you log in from it. Use this option only on trusted computers.

To disable two factor authentication, log into your account, head to settings and disable it in its respective section. Once disabled, you can log in normally on all computers.

As a security measure in case of loss or theft of the smartphone or the app, we also ask for a security question and a secret answer to be provided during the activation process. This question and answer can be used to disable two factor authentication without the need to authenticate.