Two-factor OATH authentication with Google Authenticator
Google Authenticator generates verification code as a dynamic component to increase account security.
In order to configure OATH as an active authentication method for a user, follow the steps:
- Select Management > Users.
- Find and click the user for whom you want to add the OATH authentication method.
- Scroll down to the Authentication section.
- From the Type drop-down list, select
OATH
. - Choose the first factor:
Password
orExternal authentication
. - If
Password
is chosen, enter password’s static part. IfExternal authentication
, select External authentication source. - From the Token type field, select
TOTP (time-based)
orHOTP (counter-based)
. - Enter a secret that will be used by Google Authenticator. Note, that the secret must be a Base32 encoded value. Alternatively, click the cog icon to generate it automatically. Click to show the QR code.
- Provide the Token length and Time step if selected Token type is
TOTP (time-based)
.
The Initialized option serves for the user’s initialization via the QR code. When their static password as a First factor setting is filled or External authentication source if configured, the QR code is displayed during their first connection. After successful first authentication the Initialized option becomes checked and takes uneditable state.
- Click Save.
- Launch Google Authenticator and add new service. Configure it manually, or use the QR code:
for Manual entry:
- Select Enter a provided key.
- Enter account name.
- Enter the secret defined in OATH authentication method.
- Select Token type.
- Select ADD.
with QR code:
- Click the QR-code icon on the user configuration form, next to the Secret field in the Authentication section.
- Select Scan a barcode in Google Authenticator.
- When logging in, the password string consists of a static password defined in the authentication method and dynamic part generated by the Google Authenticator, e.g.
password481418
.
Updated about 2 years ago