Settings - Two-Factor Authentication (2FA)
Passportal supports multiple forms of two-factor authentication (2FA) for users accessing the system.
Currently, we support Push Notification integrations with Duo Security, an integration with AuthAnvil, One-Time Passcode (OTP) generators such as Duo Mobile, Google Authenticator, or Microsoft Authenticator, as well as native email, text message, and phone call delivery.
Enabling 2FA in your organization will not enable 2FA for your Site Users. Each Site can enable 2FA separately and configure its own individual preferences.
- To enable and configure 2FA within Passportal, select Settings > General.
- Select the Two-Factor Authentication tab and toggle Enable 2FA to see the options available.
If you already have an MSP account with Duo Security you can set up Passportal as an application and utilize Duo Push and the Duo Browser Based Authentication Prompt.
If you don’t have a Duo MSP account, Passportal has partnered with Duo Security to provide 50 free internal use licenses to Passportal partners who also sign up for Duo’s MSP program. Click here to claim your free licenses.
If you don’t have, or don’t want, a Duo Security account, you can still utilize Duo Push with Passportal. Select Duo from the drop-down; after their next login, your users will be shown a QR code that they can use once they have downloaded Duo Mobile from their respective app store. Passportal is your Duo administrator in this scenario.
To Use Your Existing Duo Integration
Please ensure you follow these steps carefully, as you cannot undo this action.
- If you are not using an email address as the username, ensure that the email address is imported as an Alias for each user using the Duo Admin API.
- Create two applications for Passportal in Duo, one as a WebSDK and the second as an Auth API.
- Ensure that you have Username Normalization set to Simple in both your Auth API and WebSDK Applications in Duo.
- Enter the following information from the newly created applications below:
- When finished, select Save.
To standardize all users on Duo Push, select the following:
- Allow Users to Change Method of 2FA Communication: Off
- Force All Users On 2FA: On
- This will standardize the workflow for all users and dictate that they use the Duo integration which you have just set up.
- If you do not use this setting, you must go to each User individually under User Management and click Edit User under the Actions menu on the right.
- Then select Duo as their Two Factor Type and click Save.
OTP Authenticator (Duo Mobile, Google, Microsoft, etc.)
To use an OTP Authenticator, select Google / Microsoft Authenticator from the drop-down and select Save.
At your next login, you will be prompted to scan a QR code to set up your OTP Authenticator app and continue with the setup.
Duo Mobile can be used with this QR code method without needing a Duo Security paid subscription. To set up Duo Mobile as a standalone authenticator app, please click here to install the app for use in Passportal.
If you need to reset the QR code, click Edit Profile under your name in the top right corner and then click Reset QR Code. You will be notified that the code has been reset, and you will be prompted to set it up again at your next login.
- If you have an existing AuthAnvil account, you can integrate its service by selecting the Enable Authanvil toggle and entering your AuthAnvil SAS URL and AuthAnvil Site ID in the input boxes provided.
- When you are finished, select Save.
If you encounter problems with authenticating, please try the following:
- The SAS URL will be in the following format: https://Company.my.authanvil.eu/AuthAnvil/sas.asmx
- Users will use Pin: 1111 as the default unless otherwise configured.
- Try entering the Pin both ahead of and behind the one-time password if one position does not work.
- The actual Pin requirement is a holdover from older on-premise configurations. AuthAnvil does not use the Pin; however, it respects the value being submitted.
Passportal also offers 2FA authentication codes that can be sent via text message, email, and phone call.
When you are finished, select Save.
Configuring Additional 2FA Settings
- To enforce a specific method of 2FA, select the desired method from the provided drop-down box and toggle Allow Users to Change 2FA Communication to No.
- To allow users to change their method of two-factor authentication, set Allow Users to Change 2FA Communication to Yes. If enabled, users can change their two-factor method in their profile settings.
- To enforce 2FA for all users, select Yes on the Force All Users On 2FA toggle. Otherwise, to make two-factor authentication an opt-in system, select No on the Force All Users On 2FA toggle.
- To change the expiration time of the two-factor authentication code, enter a custom duration in the 2FA Passcode Timeout input field.