Two-Factor Authentication

Enterprise Edition

This feature is available in the Enterprise Edition only
Starting from version 4.0, SynaMan supports Two-Factor Authentication (2FA for short), which improves security by requiring a second form of identification besides the password.

SynaMan support two mechanisms for 2FA:
  • Email - System will generate a six-digit code sent via email to a designated address. User must enter that code before continuing.
  • Time-based one-time temporary password (TOTP) - TOTP is an algorithm that computes a one-time password, which is typically displayed on a mobile device owned by the user. Examples of such apps are Google Authenticator and/or Microsoft Authenticator. These apps are available for Android as well as iOS devices.

Enabling 2FA

When a non-admin user connects to SynaMan's web interface, they will see a link for Two-Factor Authentication towards the lower right-hand corner. Following page will allow the user to pick either TOTP or Email based 2FA.

Note

2FA is only available for non-admin users. This is done by design avoid getting locked out of the admin account. A better way to secure access to the admin account is to restrict logins from localhost.
Using TOTP
Using TOTP requires you install an app on your mobile device that supports this algorithm. Both Android and iOS have many apps on their store that can be used. Two such applications are Google Authenticator and Microsoft Authenticator.

SynaMan will display a QR Code that can be scanned by the app on your mobile device. Scanning this code will add an entry on your device and will display a 6 digit code that will change every 30 seconds.

Very Important

Since TOTP is a time-based algorithm, it is very important the time on the machine is accurate. We strongly recommend synchronizing the machine time with a time server on the Internet.

Enforcing 2FA

By default, using 2FA is not mandatory, and a user must enable this for their account. However, administrators can enforce 2FA for every account. Following steps demonstrate how to make 2FA mandatory for every user account:
  • Log in as admin and click Configuration
  • Select the Security tab
  • Check Mandatory 2FA and save settings
The system will use the email mechanism to enforce 2FA - meaning a code will be sent to a designated email address. End-users can switch this to TOTP if desired. A valid email address MUST be associated with every user for this to work. If users in your system are inherited from an AD, you will see an additional field in the User Modification screen allowing you to add an email address.

Temporarily Disabling 2FA

Administrators can temporarily disable 2FA for any user, which comes in handy if a user gets locked out. This is done from User Management screen when logged in as admin. Click the green icon for the desired user to disable 2FA temporarily.

Navigation

Social Media

Powered by 10MinutesWeb.com