Configuring multi-factor authentication
Multi-factor authentication requires a user's identity to be verified by more than one method. This adds another layer of security to sign-ins to the system.
Kentico combines classical forms authentication (username and password) with one additional authentication factor. You can either use the provided out-of-the-box solution, which uses a mobile phone application as the second authentication factor, or you can implement your own customized solution:
- Forms authentication with a mobile application
- Forms authentication with a custom authentication factor (e-mail, SMS, etc.)
Security and limitations
The multi-factor authentication is:
- Available only for the default forms authentication method.
- Not compatible with the Autocomplete functionality.
For security reasons, it is recommended to set Maximum invalid logon attempts to a small value, for example 5. Because incorrectly submitted passcodes count as invalid logon attempts, a potential attacker cannot guess a valid passcode within the allowed number of attempts.
If the screen locking feature is enabled, entering a passcode is also required when unlocking the screen.
Multi-factor authentication using forms and mobile application
The multi-factor authentication method provided by Kentico uses a mobile application, Kentico Authenticator, to generate a special passcode, which users type into a form when signing in to Kentico. When a passcode expires, users can use the mobile application to generate a new one. During the first sign-in, users are required to pair the mobile application with their user profiles in the system using a generated token ID.
When a user wants to sign in to the system, the multi-factor authentication mechanism is executed in the following way:
- A user wants to sign in and enters their username and password.
- The system verifies the information, displays a token ID and requests a passcode.
- The user opens the Kentico Authenticator application on the mobile phone and types the token ID in.
- When the user submits the token ID, the application generates a passcode.
- The user types the passcode into the authentication web form.
- The system authenticates the user.
The next time the user wants to sign in to the system, the authentication token ID is not required any more. The user only uses the application to generate a new passcode and types the passcode into the web form.
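The following Python model is an added example, not Kentico code or documentation: it sketches the server side of the sign-in flow above (first-factor check, one-time token ID display, passcode check on later sign-ins), the administrator's "Reset token ID" action, and the rule that wrong passcodes count toward the Maximum invalid logon attempts limit. The Kentico Authenticator algorithm is not described on this page, so a standard RFC 6238 time-based passcode (HMAC-SHA1, 6 digits, 30-second step) stands in for it; the class and function names, the 30-second window and the lockout threshold of 5 are all assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

PASSCODE_DIGITS = 6
PASSCODE_STEP = 30          # assumed passcode validity window in seconds
MAX_INVALID_ATTEMPTS = 5    # the "Maximum invalid logon attempts" value recommended above


def passcode_for(secret: bytes, at: float) -> str:
    """RFC 6238 time-based passcode derived from the pairing secret.
    Assumption: the real Kentico Authenticator algorithm is not described on this page,
    so standard TOTP (HMAC-SHA1, 6 digits) stands in for it."""
    counter = int(at // PASSCODE_STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10 ** PASSCODE_DIGITS:0{PASSCODE_DIGITS}d}"


def authenticator_app(token_id: str, at: float) -> str:
    """The mobile application's side: once the token ID has been typed in, it produces passcodes."""
    return passcode_for(base64.b32decode(token_id), at)


class MfaServer:
    """Hypothetical server-side model of the sign-in steps listed above."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}

    def add_user(self, username: str, password: str, mfa_required: bool = True) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "mfa_required": mfa_required,
            "secret": None,          # pairing secret, created on the first sign-in
            "invalid_attempts": 0,
        }

    def _password_ok(self, user: dict, password: str) -> bool:
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
        return hmac.compare_digest(digest, user["pw_hash"])

    def _record_failure(self, user: dict) -> str:
        user["invalid_attempts"] += 1
        return "locked" if user["invalid_attempts"] >= MAX_INVALID_ATTEMPTS else "invalid"

    def begin_login(self, username: str, password: str):
        """First factor. Returns ("token", token_id) on the very first sign-in, ("passcode", None)
        once paired, ("ok", None) when MFA is not required for the user, or ("invalid"/"locked", None)."""
        user = self.users.get(username)
        if user is None:
            return ("invalid", None)          # unknown users get the same answer as a wrong password
        if user["invalid_attempts"] >= MAX_INVALID_ATTEMPTS:
            return ("locked", None)
        if not self._password_ok(user, password):
            return (self._record_failure(user), None)
        if not user["mfa_required"]:
            user["invalid_attempts"] = 0
            return ("ok", None)
        if user["secret"] is None:
            # First sign-in: create the pairing secret and show the token ID exactly once.
            user["secret"] = secrets.token_bytes(20)
            return ("token", base64.b32encode(user["secret"]).decode())
        return ("passcode", None)

    def complete_login(self, username: str, passcode: str) -> str:
        """Second factor. A wrong passcode counts as an invalid logon attempt."""
        user = self.users[username]
        if user["invalid_attempts"] >= MAX_INVALID_ATTEMPTS:
            return "locked"
        if user["secret"] is None:
            return "invalid"                  # not paired, so no passcode can be valid
        now = self.clock()
        # Accept the current step and the previous one to tolerate small clock skew.
        for skew in (0, PASSCODE_STEP):
            expected = passcode_for(user["secret"], now - skew)
            if hmac.compare_digest(passcode.encode(), expected.encode()):
                user["invalid_attempts"] = 0
                return "ok"
        return self._record_failure(user)

    def reset_token(self, username: str) -> None:
        """Administrator's "Reset token ID": discard the pairing so the next sign-in shows a new token."""
        user = self.users[username]
        user["secret"] = None
        user["invalid_attempts"] = 0
```

Because the token ID is returned only once, from the sign-in on which the pairing secret is created, a user who does not transfer it to the application is stuck until an administrator calls `reset_token`; and because `complete_login` routes every wrong passcode through the same failure counter as a wrong password, the lockout threshold bounds the number of passcode guesses an attacker gets.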
You can download the Kentico Authenticator application for Android devices.
Resetting user’s token ID
Users need to type the token ID generated during the first sign-in after registration into their Kentico Authenticator mobile application. If they do not manage to do this, they will not be able to log in with their user profiles.
If this happens, you can reset their token ID in the Users application -> edit a user -> General tab using the Reset token ID button.
Enabling multi-factor authentication and configuring the related settings
The multi-factor authentication settings have global effect. They cannot be configured for individual sites.
Enabling multi-factor authentication for only selected users
- Enable the multi-factor authentication in Settings -> Security & Membership -> Authentication by selecting the Enable multi-factor authentication option.
- When you select this option, users will be able to choose if they want to use multi-factor authentication for signing in to your website. They can set this behavior when they register on the site through the Registration form web part.
- Set the Multi-factor authentication is required option on the Users application -> General tab of the selected users' profiles.
- Existing users with this option selected will be required to use multi-factor authentication for signing in to your websites.
Enabling multi-factor authentication for all users in the system
Keeping the administrator access
After you enable the multi-factor authentication globally, make sure that you do not lose the administrator access to the Kentico interface. The next time you sign in to the administration interface, do not forget to note down the Token ID for your account.
The system will not display the Token ID again. Therefore, if you do not note it down or submit it into the Kentico Authenticator application, you will lose access to the administration UI.
To enforce an additional security level when authenticating all users in the system:
- Enable the multi-factor authentication in Settings -> Security & Membership -> Authentication by selecting the Enable multi-factor authentication option.
- Select the Multi-factor authentication is required globally option.
- All users will have to use multi-factor authentication for signing in to your websites.
- The Multi-factor authentication is required option on the Users application -> General tab will now have no effect.
Recovering administrator access
If you enable multi-factor authentication globally and lose access to your administrator account (token ID is not displayed when signing in or you did not note it down), you can gain the access back by inserting the CMSAdminEmergencyReset key to the appSettings section of your web.config. For example:
<add key="CMSAdminEmergencyReset" value="admin;password;true" />
- admin - this value specifies the user name of the new account.
- password - this value specifies the password for the new account; change it to your own value.
- The third parameter is optional and indicates whether you want to create a new user with the Global administrator privilege level.
- The key will be automatically deleted after you gain access to the user interface.
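Because this key creates an account with a plaintext password in web.config, a practitioner will want to confirm it is gone once access has been recovered. The following Python check is an added example, not part of the Kentico documentation or product: it parses the appSettings section, finds the CMSAdminEmergencyReset key if it is still present, splits its value into the three parts described above and reports what a lingering key would do. The web.config fragment is constructed for the example, and the placeholder key name beside the reset key is invented.

```python
import xml.etree.ElementTree as ET

EMERGENCY_KEY = "CMSAdminEmergencyReset"

# Constructed sample fragment for the example; "ExamplePlaceholderKey" is not a real Kentico setting.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="ExamplePlaceholderKey" value="x" />
    <add key="CMSAdminEmergencyReset" value="admin;password;true" />
  </appSettings>
</configuration>
"""


def parse_emergency_reset(value: str) -> dict:
    """Split 'username;password[;global-admin]' into its parts as documented above."""
    parts = [p.strip() for p in value.split(";")]
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError("expected at least 'username;password'")
    global_admin = len(parts) > 2 and parts[2].lower() == "true"
    return {"username": parts[0], "password": parts[1], "global_admin": global_admin}


def find_emergency_reset(web_config_xml: str):
    """Return the parsed key value, or None when the key is absent from appSettings."""
    root = ET.fromstring(web_config_xml)
    for add in root.iterfind("./appSettings/add"):
        if add.get("key") == EMERGENCY_KEY:
            return parse_emergency_reset(add.get("value", ""))
    return None


def audit(web_config_xml: str) -> list:
    """List the reasons a leftover emergency-reset key is a problem; empty list means clean."""
    reset = find_emergency_reset(web_config_xml)
    if reset is None:
        return []
    findings = [f"{EMERGENCY_KEY} is still present; it should be removed once access is recovered"]
    if reset["password"] == "password":
        findings.append("the password is still the documented placeholder value")
    if reset["global_admin"]:
        findings.append(f"account '{reset['username']}' is created with Global administrator privileges")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_WEB_CONFIG) or ["no emergency reset key found"]:
        print(line)
```

Run it against the real file with `audit(open("web.config").read())`; a clean configuration returns an empty list.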
Notes
Keep the Display initialization token option selected if you want to use the out-of-the-box option (the combination of forms authentication and the mobile application). Clear the check box if you plan to implement your own customized solution.
See Settings - Authentication.
Allowing users to enable or disable multi-factor authentication in their profiles
Once multi-factor authentication is enabled for a user's profile (by you or by the user during registration), the user cannot change this setting. If you want to allow users to disable multi-factor authentication for their profiles:
- Open the Modules application.
- Edit Membership -> Classes tab -> edit User -> Alternative forms tab -> edit Edit profile -> Fields tab.
- Select UserMFRequired field in the list.
- Select Display field in the editing form check-box.
Users will now have an option to disable the multi-factor authentication.