Two-Factor Authentication (2FA)
Passportal supports multiple forms of two-factor authentication (2FA) for users accessing the system.
Passportal supports the following methods:
- Push Notification integrations with Duo Security
- Integration with AuthAnvil
- One-Time Passcode (OTP) generators such as Duo Mobile, Google Authenticator, or Microsoft Authenticator
- Native email, text, phone call service.
Enabling 2FA in your organization will not enable 2FA for your Site Users. Each Site has its own ability to enable 2FA, and configure their own individual preferences.
To enable and configure 2FA within Passportal:
- Navigate to Settings > General.
- Select the Two-Factor Authentication tab.
- Set the Enable 2FA toggle on. The 2FA method options are shown.
- Select the 2FA Communication Method from the dropdown menu.
- Toggle the Allow Users to Change Method of 2FA Communication Method Off or On as required. If enabled, users can change their 2FA method in their profile settings.
- Toggle the Force All Users On 2FA if you wish all users to require 2FA when logging into Passportal.
- Click Save when all settings are set as required.
If you already have an MSP account with Duo Security you can set up Passportal as an application and utilize Duo Push and the Duo Browser Based Authentication Prompt.
If you don’t have a Duo MSP account, Passportal has partnered with Duo Security to provide 50 free internal use licenses to Passportal partners who also sign up for Duo’s MSP program. Click here to claim your free licenses.
If you do not have, or do not want a Duo security account, you can still utilize Duo Push with Passportal. Simply select Duo from the drop down and your users will be shown a QR code at their next login that they can use after downloading Duo Mobile from their respective app store. Passportal is your Duo administrator in this scenario.
To Use Your Existing Duo Integration
Please ensure you follow these steps carefully as you cannot undo this action
- Enable the Use your Existing Duo Integration toggle.
- The Duo API Information fields are now displayed, along with the below directions and links in relation to Duo's API support documentation.
- If you are not using an email address as the username, ensure that the email address is imported as an Alias for each user using the Duo Admin API. For more information, please see Duo's documentation: Duo Username Aliases Configuration Guide.
- Create two applications for Passportal in Duo, one as a WebSDK and the second as an Auth API.For more information, please see Duo's documentation: Protecting Applications.
- Ensure that you have Username Normalization set to Simple in both your Auth API and WebSDK Applications in Duo. For more information, please see Duo's documentation: Protecting Applications - Username Normalization.
- Enter the API information from the newly created applications in the appropriate fields.
- When finished, select Save.
To standardize all users on Duo Push, select the following:
- Allow Users to Change Method of 2FA Communication: Off
- Force All Users On 2FA: On
- This will standardize the workflow for all users and dictate that they use the Duo integration which you have just set up.
If you do not use this setting, you must set each User individually:
- User Management, click Edit User under the Actions column.
- Set Duo as the 2FA Type and click Save.
OTP Authenticator (Duo Mobile, Google, Microsoft, etc)
To use an OTP Authenticator:
- Select Google / Microsoft Authenticator from the drop-down and select Save.
- Users will be prompted at the next login to scan a QR code to set up the OTP Authenticator app and continue with the 2FA setup for their profile.
Duo Mobile can be used with this QR code method without needing a Duo Security paid subscription. Install Duo Mobile on the mobile device from the appropriate app store rather than the Google or Microsoft Authenticator, and scan the QR code.
If a User needs to reset the QR code, they can do so from their Edit Profile menu in Passportal. At their next login to Passportal a new QR Code will be presented for use to setup 2FA again.
If you have an existing AuthAnvil account you can integrate that service:
- Select Authanvil from the 2FA Communication Method dropdown. AuthAnvil fields are displayed.
- Enter the AuthAnvil Site ID in the appropriate filed.
- Enter the AuthAnvil SAS URL in the appropriate field.
- Click Save.
If you encounter problems with authenticating please consider the following:
- The SAS URL should be in the following format:
- Users will use Pin: 1111 by default unless otherwise configured.
- Try entering the Pin in both ahead of and behind the one-time-password if one does not work.
- The actual Pin requirement is a holdover from older on-premise configurations. AuthAnvil does not use the Pin; however, it respects the value being submitted.