Two-Factor Authentication


Two-factor authentication (2FA) allows you to improve the protection of critical endpoints in your network.

This Ekran System feature is available for Windows (local and Active Directory) and Linux Client computers, and supports Google Authenticator and Microsoft Authenticator (and other third-party authenticator applications), which can be installed on a mobile device or a computer.


To require endpoint users to log in to Client computers using 2FA, this feature first needs to be configured for both:

• [Required for users of Linux Client computers:] Users (by adding them individually using the Add User button on the Two-factor Authentication tab, on the Access Management page).

NOTE: Users of Windows Client computers also need to be added individually only in the (unusual) event that the Mass 2FA feature is disabled (i.e. the “Do not generate QR code automatically” checkbox is selected on the Authentication Options tab while editing the Client / Client group).

• [Required for both the Windows and Linux Client computers of the users:] Client computers (by selecting the Enable two-factor authentication checkbox while editing a Client / Client group, on the Client Management page).

NOTE: The additional Mass 2FA feature now allows automatic configuration of 2FA for all users of an individual Windows Client computer (or all the Windows Client computers in a Client group), but not currently for Linux Client computers. This means that after enabling 2FA on Windows Clients, Windows users are automatically added (i.e. by the users themselves on their next login, when they scan the QR code displayed) to the grid on the Two-Factor Authentication tab on the Access Management page, so they no longer need to be added manually.


To configure 2FA, follow the instructions below.


Configuring 2FA for Users (Manually)


[Required for users of Linux Client computers:] 2FA needs to be configured manually for each user individually (by adding them on the Access Management page).

NOTE: Although users of Windows Client computers can also be configured in this way, this step is not usually required for them now that the additional Mass 2FA feature has been implemented for them: these Windows users are configured automatically when they scan the QR code displayed on their screen on their first login after 2FA has been enabled on their Client computer/s (see below). The only exception is when the Mass 2FA functionality has been disabled by selecting the “Do not generate QR code automatically” checkbox on the Authentication Options tab while editing the Client / Client group.


To configure two-factor authentication for a Linux (or, if required, Windows) user manually, do the following: 

1. Log into the Management Tool as a user with the administrative User Management permission.

2. Open the Access Management page, and select the Two-Factor Authentication tab, and then click the Add User button.


3. Configure the following options for the user in the pop-up window that opens:

• Active Directory user: Select this option for a domain user (and select the Domain, and the User login name).

NOTE: Currently, only individual users can be added, but not user groups.

• Local computer user: Select this option for a local user (and select the local Computer Name, and the User Login name).

• Ekran System user for secondary authentication: Select this option for an Ekran System user (and select the User Login name).


4. Click the Generate button to create a QR code (and a key displayed above it) for 2FA user access, and then copy the QR code (and the key), to send it to the corresponding user.

NOTE: After closing the pop-up window, it will not be possible for any user to view the QR code (or key) again, for security reasons.


5. Click the Save button, and the user is then added to the list of users displayed in the grid on the Two-Factor Authentication tab (on the Access Management page).

NOTE: As soon as a user has been added, if 2FA is also enabled on a Client computer they use (see below), then when the user first logs in, they will be required to scan the QR code (provided to them by the Management Tool user who added them above) using an authenticator app (e.g. Google Authenticator or Microsoft Authenticator), and thereafter use the app to generate a 2FA time-based one-time-password (TOTP) each time they log in.


Enabling 2FA on Client Computers


[Required for all Windows and Linux Client computers:] 2FA needs to be enabled on Client computers to require users to log in to them using 2FA.


To enable two-factor authentication on a Client computer (or all the machines in a Client group), do the following:

1. Log in to the Management Tool as a user with the Client Configuration Management permission.

2. Open the Client Management page, find the required Client / Client group, and click on its name to edit it.

3. Select the Authentication Options tab, and scroll down to the Two-Factor and Secondary Authentication section. 

4. Select the Enable two-factor authentication checkbox to enable this option.


NOTE: After 2FA has been enabled for the Client (or Client group), on their first login all users of the corresponding Client computer(s) will be required to scan a QR code with their authenticator app (e.g. Google Authenticator or Microsoft Authenticator), and thereafter use the app to generate a 2FA one-time password (TOTP) each time they log in.

5. [For Windows users only:] Also select the Do not generate QR code automatically checkbox in the (unusual) event that you want to disable the Mass 2FA feature, so that all Windows users (who will be required to use 2FA to log in) instead need to be manually added first on the Access Management page.

6. Click the Finish button (at the bottom of the page) to apply the changes.


Logging into a Client Computer Using 2FA


A user of a Client computer needs to log in under their Windows / Linux / Active Directory credentials, and Ekran System will then prompt them to enter a 2FA time-based one-time password (TOTP) generated using their authenticator app (e.g. Google Authenticator or Microsoft Authenticator).

NOTE: On their first login, after 2FA has been enabled for the Client (or Client group), any user of the Client computer/s concerned will be required to scan a QR code with (or enter a key into) their authenticator app (e.g. Google Authenticator or Microsoft Authenticator), and thereafter use the app to generate a 2FA time-based one-time password (TOTP) each time they log in:

• Where a 2FA user has been configured manually (see above - usually only for Linux users, but may also be for Windows users), the QR code (or the key displayed above it) needs to be provided to the user by the Management Tool user who added them.


• Where a 2FA user has not been configured manually (see above - only for Windows users), the QR code (and the key displayed below it) will be displayed on a user's first login after 2FA has been enabled for their Client computer.


NOTE: After selecting the "I have saved the code to my authenticator device" checkbox, and clicking Confirm, the user is added to the list of users displayed in the grid on the Two-Factor Authentication tab (on the Access Management page).

NOTE: The text displayed (on the left of the QR code) can be customized in the Management Tool on the Configuration page (on the Customization tab, scroll down to the Two-Factor Authentication section). 

After entering the one-time password generated by their authenticator app, and then clicking OK, the user will then be logged into the Client computer (and be automatically added to the list of users displayed on the Two-Factor Authentication tab on the Access Management page).

NOTE: If a user cannot generate a 2FA one-time password (TOTP) themselves (any time after they have initially scanned the QR code), they can instead contact a Management Tool user to request that the current one-time password (which changes every 30 seconds) be provided to them.

NOTE: For a user to be authenticated using 2FA, the system time and the time zone on the Ekran System Application Server and on the user’s device must be synchronized.
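The following Python is an added illustration of what the two notes above rely on; it is not Ekran System code, and nothing about the product's internals is assumed beyond what this page states (a time-based one-time password that changes every 30 seconds, readable by Google Authenticator or Microsoft Authenticator). It implements RFC 6238 TOTP over the RFC's published test key, so it shows why a Management Tool user can display the same code as the app (both sides derive it from the shared key and the current 30-second window), and what the time-synchronization requirement means in practice: a device clock one window off is only accepted if the verifier tolerates adjacent windows, and a clock several minutes off fails. The helper names (match_offset, verify_totp, provisioning_uri) and the assumption that the key shown in the Management Tool is a Base32 TOTP secret carried in a standard otpauth:// QR code are illustrative, not taken from the product.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

TIME_STEP = 30   # seconds per TOTP window: the "changes every 30 seconds" in the text
DIGITS = 6       # default code length for Google/Microsoft Authenticator

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890"),
# Base32-encoded as an authenticator app expects it. Published test data, not a real key.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: float, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time window.
    This is the value an authenticator app shows, and the value a server holding
    the same secret can compute for display."""
    return hotp(secret_b32, int(unix_time) // step)


def match_offset(secret_b32: str, submitted: str, server_time: float,
                 skew_steps: int = 1) -> Optional[int]:
    """Check the submitted code against the current window and +/- skew_steps
    neighbours. Returns the window offset that matched (0 = clocks in sync,
    -1 = device one window behind, +1 = one ahead), or None if nothing matched.
    A constant-time compare keeps the comparison itself from leaking digits."""
    current = int(server_time) // TIME_STEP
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret_b32, current + delta), submitted):
            return delta
    return None


def verify_totp(secret_b32: str, submitted: str, server_time: float,
                skew_steps: int = 1) -> bool:
    """True if the code is valid within the tolerated clock skew."""
    return match_offset(secret_b32, submitted, server_time, skew_steps) is not None


def provisioning_uri(secret_b32: str, account: str, issuer: str = "Example Issuer") -> str:
    """Key URI in the otpauth format authenticator apps read from a QR code.
    Assumption (illustration only): the key a Management Tool user hands over is
    this Base32 secret, and the QR code encodes a URI of this shape."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


if __name__ == "__main__":
    now = time.time()
    secret = RFC_TEST_SECRET_B32
    print("current code (what the server could show an admin):", totp(secret, now))
    # A device whose clock is 45 s behind lands one or two windows back.
    print("device 45 s behind, matched offset:", match_offset(secret, totp(secret, now - 45), now))
    # A device five minutes off is outside any sane skew window and is rejected.
    print("device 5 min behind, matched offset:", match_offset(secret, totp(secret, now - 300), now))
    print(provisioning_uri(secret, "jdoe"))
```

The returned offset is worth logging on the server side: a user who repeatedly matches only at offset -1 or +1 has a drifting device clock, which is the root cause the note above asks you to rule out before treating a failed login as anything else. Keeping skew_steps small (one window each way) bounds how long a captured code remains usable.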


Managing 2FA Access for Users


The list of users with 2FA configured is displayed in the grid on the Two-Factor Authentication tab (on the Access Management page), where their 2FA access can be managed by a Management Tool user with the Client Configuration Management permission and administrative User Management permission as follows:

• Click Show next to any user to view their current one-time password (i.e. the same as that generated on the user's authenticator app, which changes every 30 seconds) - which may be useful in case a user cannot generate a one-time password by themselves (e.g. they do not have access to their phone).

• Click Delete next to any user to remove them from the 2FA grid (or the Delete All column header to remove 2FA for all users in the list), after which they will again be required to scan a QR code using (or copy the key below it into) an authenticator app on their next login - which may be useful (e.g. if the user has lost their old phone, and replaced it with a new one).

NOTE: So that the user is no longer required to (scan a QR code or) enter a 2FA one-time password on login, 2FA also needs to be disabled on the user's Client computer/s (by clearing the "Enable two-factor authentication" checkbox while editing the corresponding Client(s) / Client group(s) on the Client Management page).

NOTE: If the corresponding Client computer is offline when any user is deleted from the grid, the "Enable two-factor authentication" checkbox (while editing the Client / Client group on the Client Management page) first needs to be cleared and then selected again, before the user will be able to log in using 2FA again.

• Click the Add User button (as described above) to add individual users manually who will be required to use 2FA to log in (and will need to be sent the QR code manually).

NOTE: This method of manually adding individual users (who will be required to use 2FA to log in) usually only needs to be used for Linux users, as they are not currently supported by the additional Mass 2FA feature. However, this method also needs to be used to manually add Windows users in the unusual event that the Mass 2FA feature is disabled (i.e. if the “Do not generate QR code automatically” checkbox is selected on the Authentication Options tab while editing the Client / Client group).