I haven't enabled 2FA on my user profile, can I access a network which requires 2FA?
Please contact your network administrator for assistance. You may have the 2FA requirement temporarily disabled so you can access the network. We strongly recommend to configure 2FA on your user profile as 2FA adds an extra layer of security to your Signagelive account.
Can all Signagelive users configure 2FA?
All Signagelive users exceptSSO (federated) users can configure 2FA. Users who login using single-sign-on (i.e. use Active Directory, Okta, One Login) will never be challenged for a 2FA code, as their log-in process is managed from the SSO service. Therefore, if you use SSO to log in, the 2FA configuration section will not display in your profile and the Requires 2FA attribute won’t be available.
I just enabled 2FA on my user profile but still can't access a network that requires 2FA, why?
After enabling 2FA on your user profile, you'll need to log out and log back in using 2FA, providing either a verification code or a recovery code, to be able to access a network that requires 2FA.
I don’t have access to my authenticator app, how can I log in?
You can log in using the “Login using a recovery code” option on the login page when challenged. For more information, please see this article.
I’m running out of or I have lost access to my recovery codes, can I generate more?
Yes, it is possible to generate a new set of recovery codes within your user profile, and if you do this, any old unused codes will be disabled.
I’ve got 2FA configured but would like to use a different authenticator app, what do I do?
Please disable 2FA on your user profile and re-enable it using the new authenticator app, then remove the previous account from the previous app. The exact step by step process would be:
- Disable 2FA on your user profile within Signagelive (using a code from the original authenticator app).
- Once this is disabled, delete your Signagelive Account from your old authenticator app.
- Log back into Signagelive and re-enable 2FA on your user profile.
- On your new device, download an authenticator of your choice and scan the QR code shown on-screen.
- Enter a code from your new authenticator app and take notes of your the new recovery codes.
I’ve got 2FA configured but would like to use my authenticator app on a different device, what do I do?
Most common authenticator apps offer multi-device capabilities so you don’t have to do anything when using a new device. Please refer to your authenticator app documentation for further details.
If your authenticator app doesn’t offer multi-device capabilities please disable 2FA on your user profile before deleting the account on the old device as a verification code is needed in order to disable 2FA in Signagelive, then re-enable it as usual using the new device; it is then safe to remove the previous account from the previous device. The exact step by step process would be:
- Disable 2FA on your user profile in Signagelive. A code from the old device is needed.
- Delete any recovery code previously saved (these were generated when 2FA was enabled)
- Delete the account on the old device
- Enable 2FA on your user profile in Signagelive.
- Scan the QR code on the new device
- Enter a code from the new device and save the new recovery codes
I’ve lost access to my authenticator app and recovery codes, how can I log in?
Please contact Signagelive Support for assistance.
Can I disable 2FA?
Yes, you can disable 2FA within your user profile. Please note you will need to log in using 2FA before disabling it. Also note this is not recommended as 2FA adds an extra layer of security to your Signagelive account and you may no longer be able to access some of your networks if they require 2FA.
Please NoteIf you disable 2FA on your account and are attempting to log into a Signagelive Network that Requires 2FA, then you will not be able to access this Network until you have re-enabled 2FA on your account.
How come old verification codes can be used?
Answer from the 2FA Nuget Package documentation:
Given that this two-factor authentication method is time-based, it is highly likely that there is some time difference between your servers and the user’s device. With these PIN codes changing every 30 seconds, you must decide what an acceptable ‘clock drift’ might be. Using the above code samples, the library will default to a clock drift tolerance of +/- 5 minutes from the current time. This means that if your user’s device is perfectly in sync with the server time, their PIN code will be ‘correct’ for a 10-minute window of time. However, if their device time is more than +/- 5 minutes off from your server’s time, the PIN code displayed on their device will never match up.