en:services:general_services:customer_portal:two_factor_authentication [2015/10/20 07:39] – created shilker
en:services:general_services:customer_portal:two_factor_authentication [2023/03/17 21:46] – [Second component in Customer Portal] 0swong
Line 1: Line 1:
 +====== Two-Factor Authentication ======
  
 +The Customer Portal provides the ability to enable a secure two-factor authentication. Each protected area can be individually selected by the user.
 +
 +=====What is that?=====
 +
 +To proof the identity of a user, a combination of the user name or e-mail address and password is used in general. With the two-factor authentication (2FA) a second component is added. This component should be as independent as possible from the first one and increase the certainty that the current action is performed by the corresponding user.
 +
 +====Manage Second Factor for Authentication in the Account Portal====
 +
 +The administration of second factors is possible in the customer portal. You have the option of registering SMS tokens, TOTP tokens or PUSH tokens. With the SMS Token, you receive a code to your verified telephone number. You enter this code manually in addition to your account password. With the TOTP token, you connect an authenticator app on your smartphone to your account by entering a CR code. This app generates a time-based code that you enter each time you log in, in addition to your password. With the PUSH token, you connect the privacyIDEA Authenticator app on your smartphone to your account using a QR code. Each time you log in to your account, you can conveniently confirm your identity by pressing a button in the app.
 +====Data Protection====
 +
 +To generate the code two components are required. In addition to the QR Code transferred token, the current system time (in the case of the phone) is needed. A data connection to an external service is not necessary - the generation can thus also be carried out with activated "airplane mode".
 +
 +The transmission of the user name associated with the domain "gwdg.de" (included in QR Code) is made exclusively to differentiate the various items in the app.
 +=====Prerequisites=====
 +
 +To use this feature, a mobile phone with a modern operating system and access to the corresponding App Store (or Play Store) is required, e.g.:
 +
 +  * Apple iOS
 +  * Google Android
 +  * Windows Phone
 +
 +Various developers offers apps to generate a token, the most common apps are from Google and Microsoft:
 +
 +  * Google Authenticator ([[https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en|Play Store]])
 +  * Google Authenticator ([[https://itunes.apple.com/de/app/google-authenticator/id388497605?mt=8|App Store]])
 +  * Microsoft Authenticator ([[https://www.microsoft.com/en-us/store/apps/authenticator/9wzdncrfj3rj#|Microsoft Store]])
 +=====Installation=====
 +
 +Once an Authenticator app is installed on the personal mobile phone, the two-factor authentication can be enabled in the security section of Customer Portal (https://www.gwdg.de/my-account/sicherheit).
 +
 +====#1 Activation====
 +
 +{{ :en:services:general_services:customer_portal:2fa-activation.png?nolink |}}
 +
 +Select //Activate two-factor authentication// to enable.
 +
 +After the required token has been generated, it is displayed as QR code and text.
 +
 +{{ :en:services:general_services:customer_portal:2fa-qrcodeen.png?nolink |}}
 +
 +**Important**: Print the displayed recovery code and store it in a safe place. You can deactivate the two-factor authentication using this code if you have no longer access to the attached mobile phone.
 +
 +Select //Save//. Before finally activating the authentication, the code is requested for the first time.
 +====#2 Installation====
 +
 +The installed Authenticator app usually supports the automatic detection of a QR code, a manual input of the token is not necessary.
 +
 +{{ :en:services:general_services:customer_portal:2fa-codescanen.jpg?nolink&200 |}}
 +
 +After setting the QR code, the current token is automatically displayed.
 +
 +{{ :en:services:general_services:customer_portal:2fa-token.jpg?nolink&200 |}}
 +
 +The code is generated from a combination of the token with the current time and is valid for 30 seconds.
 +
 +====#3 Usage====
 +
 +Once activated, the Customer Portal is querying the code for each password change. A dialog box is displayed to enter the code.
 +
 +{{ :en:services:general_services:customer_portal:2fa-query.png?nolink |}}
 +
 +====#4 Deactivation====
 +
 +The two-factor authentication can be disabled at any time. For this purpose, the input of a code is also necessary. If a generation of the code is not possible, the recovery code, displayed during activation, can be used.
 +
 +{{ :en:services:general_services:customer_portal:2fa-deacten.png?nolink |}}
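
Review bot: The "Data Protection" section states that "A data connection to an external service is not necessary", but this only holds for the TOTP token, while "Manage Second Factor for Authentication in the Account Portal" now also offers SMS and PUSH tokens. As described there, the SMS code is delivered to the verified telephone number and the PUSH token is confirmed through the privacyIDEA Authenticator app, so the airplane-mode claim should be scoped explicitly to TOTP, and the section should say what data the other two token types transmit. The same scoping is missing in "Installation" and "#2 Installation", which cover only the QR code and time-based code flow. Please also reconcile when the second factor is requested: the manage section says the code is entered "each time you log in", while "#3 Usage" says the portal is "querying the code for each password change" and the introduction says each protected area can be selected individually. Two wording fixes in the same hunk: "entering a CR code" should read "QR code", and "To proof the identity" should read "To prove the identity".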