Enabling the Use of One-Time Passwords
The use of one-time passwords can only be enabled while editing a Client (or editing a Client group), and is only available for Clients installed on computers running the Windows operating system.
To enable the use of one-time passwords for a Windows Client (or for all the Clients in a Client group), do the following:
1. Log in to the Management Tool as a user with the Client Configuration Management permission for Clients.
2. Click the Client Management navigation link (on the left).
3. On the Client Management page, find the Client for which you want to enable the use of one-time passwords, and click on its name in the Client Name column (or select the Client Groups tab, find the required Client group, and then click on its name in the Client Group Name column).
NOTE: To find specific Clients, the Search box and filters at the top of the Client Management page can be used (or to find specific Client groups, the Search box at the top of the Client Groups page can be used).
4. On the Editing Client (or Editing Client Group) page that opens, select the Authentication Options tab, scroll down to the Two-Factor and Secondary Authentication section, and select the Allow the use of one-time passwords checkbox.
NOTE: The "Enable secondary user authentication on login" and the "Allow the use of one-time passwords" options cannot be used together. Neither of them will function correctly if both of these checkboxes are selected.
5. In the Users Who Can Approve Access drop-down list, select all the users (i.e. Approvers) who will be able to approve one-time password access requests.
NOTE: The specified users (i.e. Approvers) will be able to process the request in either of the following ways:
• By using the link in an email (if an email address is defined for the specified users).
• On the Access Requests tab (on the Access Management page) in the Management Tool.
By default, if a request is not processed within 30 minutes after it has been submitted, it will automatically expire (this setting can be changed on the System Settings tab, on the Configuration page).
6. Optionally, select either or both of the following checkboxes for Active Directory or internal users to receive one-time passwords without requiring approval (by Approvers):
• Automatically send one-time passwords to Active Directory users checkbox, for a one-time password to be generated and sent automatically to the email address defined in users' Active Directory accounts, and also do the following for each required AD user:
- Define the email address for the user in the Active Directory user properties.
• Automatically send one-time passwords to internal users checkbox, for a one-time password to be generated and sent automatically to Ekran System internal users, and also do both of the following for each required internal user:
- While editing or adding the internal user, on the User Details tab, make sure that the Email address of the internal user is specified.
- While editing or adding the internal user, on the Client Access tab, make sure the internal user is granted the Access to Endpoint via Secondary Auth. permission to be able to log in.
7. Click the Finish button (in the bottom right of the page).
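A pre-check for the Active Directory option in step 6, as an added example that is not part of the Ekran System documentation: it lists the AD users who have no usable email address and therefore could not receive an automatically sent one-time password. It assumes the RSAT ActiveDirectory module is installed, that the E-mail field in the AD user properties is the `mail` attribute, and that the users who log in to the Client computers are members of a group, here given the hypothetical name `OTP-Endpoint-Users`.

```powershell
# Added example: find AD users who cannot receive an emailed one-time password.
# Assumption: 'OTP-Endpoint-Users' is a hypothetical group name; replace it with
# the group that holds the users who log in to the Client computers.
Import-Module ActiveDirectory

$GroupName = 'OTP-Endpoint-Users'

$report = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        # 'mail' backs the E-mail field on the General tab of the user properties.
        $u = Get-ADUser -Identity $_.distinguishedName -Properties mail

        $issue = $null
        if ([string]::IsNullOrWhiteSpace($u.mail)) {
            $issue = 'No email address'
        }
        elseif ($u.mail -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            $issue = 'Malformed email address'
        }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Mail           = $u.mail
            Issue          = $issue
        }
    }

# Show only the accounts that need fixing, then a one-line summary.
$problems = @($report | Where-Object { $_.Issue })
$problems | Sort-Object Issue, SamAccountName | Format-Table -AutoSize
'{0} of {1} users need an email address fix' -f $problems.Count, @($report).Count
```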