Multi-Factor Authentication
Last updated
Was this helpful?
Connectware 1.11.0
Last updated
Was this helpful?
Multi-factor authentication (MFA), also known as 2-factor authentication, allows you to add an extra layer of security to your Connectware account. With MFA, you need a one-time code generated by an authentication app in addition to your main Connectware password to sign in.
If you do not have access to your authentication device, you can use backup codes to sign in or ask a Connectware admin to disable your MFA. Connectware admins can disable MFA for each user individually.
Offline access: Multi-factor authentication can be used even without an internet connection.
Microsoft Entra ID limitation: Multi-factor authentication is not available when using for authentication.
To configure multi-factor authentication, administrators need to modify the Connectware configuration file:
Kubernetes: Modify the values.yaml file.
Docker: Modify the .env file.
MFA enabled: Your organization has enabled multi-factor authentication for your Connectware account.
Usage: Multi-factor authentication can be optional or mandatory depending on your organization's settings.
Authentication apps: You have installed a time-based one-time password (TOTP) authentication app such as:
Google Authenticator
Microsoft Authenticator
Authy
FreeOTP
Configure the following environment variables to enable multi-factor authentication.
global.authentication.mfa.enabled
If set to true, multi-factor authentication is enabled. If set to false, multi-factor authentication is disabled.
Required
global.authentication.mfa.encryptionSecret
Primary encryption key that secures MFA.
Required*
global.authentication.mfa.encryptionSalt
Random value added to strengthen the encryption process.
Required*
global.authentication.mfa.existingSecret
The name of your existing Kubernetes secret that contains the encryptionSecret and encryptionSalt values.
Required*
The multi-factor authentication system uses two critical security components:
Secret: An encryption key for securing MFA tokens.
Salt: A random value that enhances encryption strength.
Changing the encryption secret or salt will invalidate all existing MFA configurations, requiring users to reconfigure their MFA settings. Keep these values secure. If compromised, an attacker could potentially bypass authentication.
To use multi-factor authentication with a new Connectware installation or with your existing Connectware setup, you must update your Connectware configuration file. The update procedure depends on your current installation method.
Kubernetes: Modify the values.yaml file.
Docker: Modify the .env file.
There are two ways to configure multi-factor authentication encryption settings in your Kubernetes deployment. You must choose one of these methods:
Create a Kubernetes secret. The values in Kubernetes secrets must be base64-encoded strings.
Open the values.yaml file.
Now you must configure the helm file to enable multi-factor authentication.
Configure the following helm values to enable and configure multi-factor authentication.
Optional: Specify the allowed number of invalid one-time password attempts and the lockout period after too many failed one-time password attempts.
After configuring your values.yaml file, deploy or update Connectware by running the following Helm command:
Storing encryption secrets and salt values in clear text within your values.yaml file is not recommended for production environments. Instead, use Kubernetes secrets to manage these sensitive values securely. The clear text configuration shown below should only be used for development or testing purposes.
Open the values.yaml file.
Now you must configure the helm file to enable multi-factor authentication.
Configure the following helm values to enable and configure multi-factor authentication.
Optional: Specify the allowed number of invalid one-time password attempts and the lockout period after too many failed one-time password attempts.
After configuring your values.yaml file, deploy or update Connectware by running the following Helm command:
On the navigation panel, click Settings.
Click Enable Multi-Factor Authentication.
Open your authentication app and do one of the following:
Scan the QR code.
Enter your secret key.
The authentication app generates a one-time 6-digit code.
Enter the one-time 6-digit code in the Register Device fields and click Enable Multi-Factor Authentication. Connectware displays a list of backup codes. If you do not have access to your authentication device, you can use a backup code instead of a one-time 6-digit code. You can use each backup code only once. Alternatively, you can ask a Connectware admin to disable your MFA.
Copy and paste the backup codes to a safe location.
On the Connectware login screen, enter your Username and Password.
Click Sign In.
Open the authentication app and select your Connectware account.
Enter the one-time 6-digit code displayed on the authentication app.
If you have no access to your multi-factor authentication app, you can use backup codes instead of a one-time 6-digit code to sign in to Connectware. Backup codes are displayed when you set up multi-factor authentication.
This gives you access to Connectware in case you have misplaced your authentication device, uninstalled your authentication app or removed Connectware from your authentication app.
You can use each backup code only once.
On the Connectware login screen, enter your Username and Password.
Click Sign In.
Click Use backup code.
In the Backup Code field, enter your backup code and click Sign In.
You must have access to your authentication app to disable multi-factor authentication.
If you do not have access to your authentication app, ask a Connectware admin to disable your multi-factor authentication.
On the navigation panel, click Settings.
In the Multi-Factor Authentication section, click Disable Multi-Factor Authentication.
Open the authentication app and select your Connectware account.
Enter the one-time 6-digit code displayed on the authentication app.
Click Disable Multi-Factor Authentication.
As a Connectware admin, you can disable multi-factor authentication for each user individually.
On the navigation panel, select User Management > Users and Roles.
Click the user for which you want to disable the multi-factor authentication.
In the MFA row, click Disable.
Click Update.
You must have access to your authentication app to regenerate multi-factor authentication backup codes.
On the navigation panel, click Settings.
In the Multi-Factor Authentication section, click Regenerate Backup Codes.
Open the authentication app and select your Connectware account.
Enter the one-time 6-digit code displayed on the authentication app in the text field.
Click Regenerate Backup Codes.
As a Connectware admin, you can set multi-factor authentication to be the mandatory login method for individual users.
On the navigation panel, select User Management > Users and Roles.
Click the user for which you want to make multi-factor authentication mandatory.
In the MFA (Required) row, click Enable.
Click Update.
* You must provide either encryptionSecret and encryptionSalt or provide the existingSecret. For enhanced security, use existingSecret. For more information, see .
Kubernetes secrets (recommended): Use to store your encryption values.
Clear text values: Write the encryption values directly in your values.yaml file .
For a list of all environment variables for Docker Compose, see .
For LDAP users, you can set CYBUS_LDAP_AUTO_ENFORCE_MFA to true to make multi-factor authentication the mandatory login method for all new LDAP users. For more information, see .