What is Two Factor Authentication (2FA)?
Two Factor Authentication (2FA) adds a second layer of security to your Signagelive account and your Signagelive network when logging in. With 2FA, you access Signagelive using a first "factor", which is your usual password, and a second "factor", which is a verification code usually retrieved from an app on a mobile device or computer you have access to.
How do I require 2FA for users to access my Signagelive network?
You can require Two Factor Authentication for access to your Signagelive network at several different levels:
Network
In order to enable 2FA at the network level, go to the Network > Edit page, and click the Two Factor Authentication tab. This tab will allow any user with the Edit Network Details permission to enable and disable 2FA on the network.
When enabling 2FA on a network, all Network Users will have their individual “Requires 2FA” attribute set to true on the main user list, meaning that if a user has not got 2FA enabled, then when trying to switch to the network they will be asked to configure 2FA. If they do not, then they will not be able to access the network.
When enabling 2FA on a network, it is possible to define how long a user can be remembered without being challenged to access the network. The options are 1, 5, 7, or 30 days.
Please Note
This setting only applies to users who have 2FA enabled.
If 2FA is enabled on the network, it can be disabled on the same Two Factor Authentication tab within the Network > Edit page. When disabling 2FA on a network, all Network Users will have their individual “Requires 2FA” checkbox set to false, meaning that users won’t need 2FA enabled when trying to switch to the network, provided the user role and user group settings don’t override users' individual settings.
Users
Individual users, custom roles and user groups can each be set to require, or not require, 2FA when accessing the network, regardless of whether 2FA is enabled or disabled at the network level.
A new “Requires 2FA” checkbox has also been added to the new user modal and the user details page. It determines whether users who are not in a group are required to use 2FA to access the network. Enabling the “Requires 2FA” checkbox on a user sets the “Requires 2FA” attribute to true for that user.
This makes it possible for specific users to still access a network without 2FA when the network has it enabled, by disabling their “Requires 2FA” checkbox, or to be required to use 2FA when the network has it disabled, by enabling their “Requires 2FA” checkbox. If a user is a “federated user” and therefore uses SSO to log in, the 2FA configuration section will not be displayed in their details, as their login process is managed by the SSO service.
Custom Roles
Please Note
The Granular User Permissions feature is needed to be able to create custom roles. If you are looking to get Granular User Permissions enabled on your network, please contact Signagelive Support for assistance.
The “Requires 2FA” checkbox has also been added to the Role properties screen, where it is editable only for custom roles. All System Default roles will have the “Requires 2FA” attribute disabled.
When enabling “Requires 2FA” on a custom role, all users with the role assigned, either individually or via a user group, will have their individual “Requires 2FA” attribute set to true. Therefore, if the user has not got 2FA enabled then they will be asked to configure 2FA when trying to switch to the network. If they do not, then they will not be able to access the network.
User Groups
The “Requires 2FA” checkbox has also been added to the User Group properties screen.
When enabling “Requires 2FA” on a user group, all users added to the group will have their individual “Requires 2FA” attribute set to true, meaning that if a user has not got 2FA enabled, then when trying to switch to the network they will be asked to configure 2FA. If they do not, then they will not be able to access the network.
Please Note
User Group settings override users' individual settings.
What is the hierarchy of the different levels?
As users can be required to enable 2FA at different levels, all levels will work in the following hierarchy:
User is not in a group:
If the user “Requires 2FA” checkbox is enabled, then 2FA is required.
If the user “Requires 2FA” checkbox is disabled, but the user role “Requires 2FA” checkbox is enabled, then 2FA is required.
If both user and user role “Requires 2FA” checkboxes are disabled, then 2FA is not required.
User is in a group:
User individual settings are ignored (user and user role “Requires 2FA” checkboxes are ignored).
If the group “Requires 2FA” checkbox is enabled, then 2FA is required for all users in the group.
If the group “Requires 2FA” checkbox is disabled, but the group role “Requires 2FA” checkbox is enabled, then 2FA is required for all users in the group.
If both group and group role “Requires 2FA” checkboxes are disabled, then 2FA is not required for any user in the group.
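The hierarchy above, written as a small Python policy check (an added example, not Signagelive code; all field and function names are hypothetical). It also flags the case worth reviewing: a user whose own or role setting requires 2FA but who loses the requirement by being placed in a group where it is disabled.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class Principal:
    """One user's 2FA-relevant settings; every field name is hypothetical."""
    user_requires_2fa: bool = False
    user_role_requires_2fa: bool = False
    in_group: bool = False
    group_requires_2fa: bool = False
    group_role_requires_2fa: bool = False
    no_2fa_until: Optional[datetime] = None  # end of temporary exemption (UTC)


def requires_2fa(p: Principal) -> bool:
    """Apply the documented hierarchy: group settings replace individual ones."""
    if p.in_group:
        # User and user-role checkboxes are ignored for group members.
        return p.group_requires_2fa or p.group_role_requires_2fa
    return p.user_requires_2fa or p.user_role_requires_2fa


def enforced_at(p: Principal, now: datetime) -> bool:
    """Is the requirement in force at `now`? (Remember-me period not modelled.)"""
    exempt = p.no_2fa_until is not None and now < p.no_2fa_until
    return requires_2fa(p) and not exempt


def downgraded_by_group(p: Principal) -> bool:
    """Flag members whose own settings demand 2FA but whose group drops it."""
    individually = p.user_requires_2fa or p.user_role_requires_2fa
    return p.in_group and individually and not requires_2fa(p)


if __name__ == "__main__":
    # Constructed sample accounts, not taken from any real network.
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    samples = {
        "alice": Principal(user_requires_2fa=True),
        "bob": Principal(user_requires_2fa=True, in_group=True),
        "carol": Principal(in_group=True, group_role_requires_2fa=True,
                           no_2fa_until=now.replace(minute=15)),
    }
    for name, p in samples.items():
        print(name, requires_2fa(p), enforced_at(p, now), downgraded_by_group(p))
```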
How do I temporarily disable the 2FA requirement for users to access my Signagelive network?
The network user details also include a section for users whose “Requires 2FA” attribute is set to true by any setting at any level. It allows a user with the “Set User NO 2FA required for a period” permission to specify that the user does not require 2FA for a chosen time period. This is useful when a trusted user has lost access to the authenticator app and their recovery codes. If this has been configured, the UI will show a label stating when the option remains active until. The available time periods are:
5 minutes
10 minutes
15 minutes
30 minutes
60 minutes
Where do I check 2FA related settings for all users?
2FA related settings can be checked on the All Users report, which now contains three new columns:
“Requires 2FA” - Does the user require 2FA to access the network?
“2FA Not Required Until (UTC)” - Time until the user can access the network without 2FA.
“2FA Enabled” - Has the user enabled 2FA?
How do I know the login method for a user?
We’ve improved the login-related entries in the User Audit, so it is now possible to see the login method a user used to access a Signagelive network:
User logged in without 2FA enabled.
User logged in with 2FA enabled and using a verification code.
User logged in with 2FA enabled and using a recovery code.
User logged in without 2FA, allowed for a certain period.