Two factor authentication settings
Two factor authentication (2FA) is available to improve security when a user accesses their account or certain organisation sites.
This article describes the settings and options for administrators when 2FA is active.
Activate a Collaborate account and log in
and Log in with two factor authentication describe how end-users experience 2FA.Overview of 2FA
2FA provides extra security beyond the requirement to enter a password. If 2FA is enabled, account access requires information from two separate 'factors', the first that is only known by the user (the password), and a second that changes each time and is sent to the user (a passcode). Normally, this passcode is only seen by the user when needed (e.g. in their work email account or an authenticator app) and is valid only for a short period.
2FA may be activated at the system (instance) or individual site level.
Instance-level 2FA settings
Select your profile icon,
System Admin
, then System settings
.Select
Two factor authentication
from the System settings
screen.
The
Two factor authentication
screen allows you to set which users receive which kind of authentication requests, including the ability to adjust settings for specific organisations:
Selecting users and organisations that require 2FA
Use the
All users
, System admins
, and Specific organisations
checkboxes to select which users must enter a 2FA passcode when they log in to Collaborate:- All users- Every user in an instance of Collaborate will be subject to 2FA (Email or App)
- System Admins- For additional security, all System Administrators should be subject to 2FA
note
This setting will apply to all System Administrators from all organisations. Different 2FA methods can be selected for administrators and users.
- Specific Organisations- If this option is selected, a field will be displayed below where a System Administrator can enter the names of organisations where the members will be subject to 2FA. For example, if the System Administrator enters the organisation name 'Abbot, Baker & Chadwick' (an example law firm that had licensed that instance of Collaborate) then every user from Abbot, Baker & Chadwick would be required to enter a passcode when logging in.
This setting is useful when certain users, but not all users, in an instance require 2FA, or require a different type of 2FA authentication.
You can add multiple organisations, each of which sets exceptions for members of each organisation. Members of different organisations would then follow the selected multi-factor authentication requirements.
note
If a user is not a member of an organisation, nor a system admin, then they are subject to the selection chosen for
All users
. Choose the authentication method
By default, the passcode is sent by
Email
to the user's registered email address. If Authenticator/HighQ apps
or Authenticator app
is selected then no email will be sent; instead, the user must use an authenticator app to generate the passcode.- Emailsends the passcode to the email address associated with the user's account
- Authenticator/HighQ appsallows the user to either download and use a third-party app (e.g. Google authenticator or PingID)ora HighQ app (HighQ Drive)
- Authenticator apponly allows the user to choose a third-party app (e.g. Google authenticator or PingID)
More information is available here.
note
If the setting is set to
Authenticator/HighQ apps
and this is later changed to Authenticator apps
then any user who has paired with a HighQ app has their 2FA status forcibly reset. They must perform the entire pairing process again with a third-party authenticator app. Time available to enter a passcode
Passcode expiry time
determines how long a user has to enter a passcode after it has been sent. Any number of minutes can be selected, but it is suggested that this time is not set lower than two minutes. This provides enough time to receive the email and enter the passcode. If the passcode has expired when the user tries to enter it, a replacement passcode is sent to the user.Allow a device to be trusted
By default, when 2FA is enabled, each time an affected user logs in or starts a new session, they will be asked to enter a 2FA passcode. However, users may be permitted to trust a device.
note
A 'device' is a combination of (1) the computing device a user is using, such as a Windows PC, Mac, iPad, smartphone, etc., and (2) the browser in use.
If a device, such as a work computer, has been trusted, the user will no longer need to enter a passcode when accessing Collaborate from that specific device and browser. Trusting a device ('
Passcode remember me
') is an optional configuration setting that can be enabled if needed. If enabled, there is a choice between allowing users to trust any device or allowing them to trust only desktop devices.
The next setting determines the duration a device can be trusted, in days. For example, if the duration is set for 30 days, then for 30 days after the device is trusted, a user will not need to enter a passcode when accessing Collaborate from that device. But after this, the user will again be asked to enter a passcode, at which time the user can also choose to trust the device for another 30 days.
Site-level 2FA settings
In addition to the instance-level 2FA options on the
System settings
page, 2FA can be required for specific sites in an instance, or a site can be restricted to require a limited selection of authentication apps. Go to
Admin
, then Security
. Select Site Settings
, then mark the Enable two factor authentication
checkbox.
When 2FA is enabled at the site level, any time a site user tries to access the site, they will be prompted to enter a passcode. Until a user signs in, the site contents will neither appear in search results nor in places where content may be selected from a list of sites, such as when embedding a link to site content.
Site settings are identical to instance-level settings; the site-level selection is independent of the instance-level setting:
- Using Emailsends the passcode to the email address associated with the user's account
- Using Authenticator/HighQ appsallows the user to either download and use a third-party app (e.g. Google authenticator or PingID)ora HighQ app (HighQ Drive or HighQ Stream)
- Using Authenticator apponly allows the user to choose a third-party app (e.g. Google authenticator or PingID)
More information is available here.
Email or app authentication
Email
If the
Email
option is selected, the passcode is sent to the email address associated with the user's account, usually a work email address. Under normal conditions, only the user has access to their email account.- When a user with 2FA access attempts to log in, a time-limited passcode will be emailed to the user. The user then must enter the passcode to access the site.
Authenticator app
If
Authenticator/HighQ apps
or Authenticator app
is selected, and the user is using a third-party authentication app, the authenticator app generates passcodes, typically on the user's phone (for example Google Authenticator, Microsoft Authenticator or Cisco Duo). The user must then enter the given passcode to access the site.If the user is using a HighQ authentication app, the authenticator app (for example
HighQ Drive
). The app automatically generates a notification that grants access to the site.- If the user is using a third-party authentication app, after logging in to the site with their username and passwordfor the first time, a QR code is displayed. This is used by the app to identify the site and generate valid codes.
note
For an example describing how to log in with Google Authenticator, refer to Log in with two factor authentication. The user should install the app (for example, from the Play Store or App Store) before logging in. The user MUST keep the Authenticator app on their device and use it each time they log in (unless they have chosen to trust a device). If they reinstall the authenticator app or change device, they must contact their System Admin to reset their account's 2FA settings. This is done by going to
User Administration
and selecting Reset 2FA
.When is a passcode required?
For system-level 2FA, a passcode will be sent when a user is subject to the 2FA requirement attempts to log in to a new session. This happens when a user attempts to manually log in
or
has selected the 'Remember me' option on the login page, which allows users to bypass the login requirement on that device.When a user who has selected 'Remember me' attempts to log in, they will not be asked to enter a password, but they WILL be asked to enter a passcode. If a 'Remember me' user's session has expired while they are on a Collaborate page and the user attempts to select an action, they will first be asked to enter a passcode.
If 2FA is applied at the site level, the same rules apply except the 2FA prompt will appear when attempting to access the site.
Exceptions for all users
The requirement to enter a passcode before accessing a site is subject to certain exceptions:
- A 2FA passcode only needs to be entered once in any session. This may occur if:
- the 2FA requirement is applied to the user's organisation and a 2FA passcode is entered during login,
- the user was required to enter a 2FA passcode when accessing another site, or
- the user had previously entered a 2FA passcode to access the same site.
- If the user has usedSingle Sign-On, then no passcode will be required when entering a site associated with that Single Sign-On.
Exceptions for administrators
The 2FA requirement does not apply when a System Administrator attempts to
proxy log in as another user
.Removing trusted status from a device
If a user has chosen to trust a device and later wants Collaborate to 'forget' that device, the user can manually log out from that device and it will be forgotten.
Incorrect passcodes and locking an account
If a user fails to enter the correct and unexpired passcode three times in a row, that account will be locked, just as if they had tried but failed to enter their password three times in a row. A user may
reset their password
.Use cases
2FA can be useful to ensure that former employees who previously had access to one or more sites, no longer have access. After an employee leaves a company, typically they no longer have access to their work email account. If 2FA is enabled, and the user's account is still active, and the user attempted to log in, the user would not be able to access the site because they would not have access to the passcode sent to their work email.