Two-factor authentication (2FA)
To further improve the security of Stages, two-factor authentication is enforced by default for local user accounts, which are usually used for administrative users like the Superuser.
For SAML accounts, the authentication methods are managed by your Identity Provider and not by Stages.
For LDAP accounts, authentication is delegated to LDAP, and therefore Stages cannot enforce multi-factor authentication.
Prerequisites
- The user was created in Stages as a local user.
- The user has an email address assigned by the administrator (see Administration → Users).
- A mail server is configured in the config.xml notification section.
Usage
Two-factor authentication is activated for a user who meets the prerequisites on the user's first login to Stages 7.11.
After the user provides username and password on the login page, a security code is sent to the user's email address. The login only succeeds when the user additionally provides this security code.
As an alternative to receiving security codes by email, security code generation can be switched to an authenticator app. This requires installing an authentication app like Microsoft Authenticator or Google Authenticator on another device. In the User Settings, the authentication section contains a button to switch from email to an authenticator app. This displays a QR code to be scanned with the authenticator app.
User Password changes
A user can change his/her password without impact on the second factor.
Password change/reset by an administrator
When an administrator changes or resets a user's password via Administration > Users, the second factor is reset as well, and the security code generation method is reset to email because the app registration will no longer be usable.
Disable two-factor authentication onboarding (not recommended)
If onboarding local users to two-factor authentication is not desired, it can be disabled with the following configuration property, specified in $STAGES_CONF/config.xml.
- config.xml
<property name="login.basic.mfa.enforced" value="false"/>
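Because this switch removes the second factor for administrative local accounts, it is worth checking for during configuration reviews. The following audit check is an added example, not part of Stages or its documentation; it assumes the property may appear at any depth in config.xml, uses constructed sample documents with a placeholder `<config>` root, and compares the value case-insensitively as a conservative choice.

```python
import xml.etree.ElementTree as ET

PROP = "login.basic.mfa.enforced"  # property name as given on this page

# Constructed sample documents; the <config> root and the other property are
# placeholders, not the real layout of a Stages config.xml.
SAMPLE_DEFAULT = '<config><property name="example.other" value="x"/></config>'
SAMPLE_DISABLED = ('<config><section>'
                   '<property name="login.basic.mfa.enforced" value="False"/>'
                   '</section></config>')
SAMPLE_CONFLICT = ('<config>'
                   '<property name="login.basic.mfa.enforced" value="true"/>'
                   '<property name="login.basic.mfa.enforced" value="false"/>'
                   '</config>')


def local_name(tag):
    """Strip an XML namespace prefix such as '{uri}property'."""
    return tag.rsplit("}", 1)[-1]


def mfa_enforcement(config_xml):
    """Audit one config.xml (passed as text) for the 2FA onboarding switch."""
    root = ET.fromstring(config_xml)
    # Assumption: the property can sit at any depth, so scan the whole tree.
    # Values are lower-cased so that "False" is also treated as disabled.
    values = {el.get("value", "").strip().lower()
              for el in root.iter()
              if local_name(el.tag) == "property" and el.get("name") == PROP}
    if not values:
        # Property absent: the documented default (enforced) applies.
        return {"enforced": True, "finding": None}
    if len(values) > 1:
        return {"enforced": None,
                "finding": "conflicting values: %s" % sorted(values)}
    value = values.pop()
    if value == "true":
        return {"enforced": True, "finding": None}
    if value == "false":
        return {"enforced": False,
                "finding": "2FA onboarding disabled for local users"}
    # Assumption: how Stages treats other values is not documented here.
    return {"enforced": None, "finding": "unrecognised value %r" % value}


if __name__ == "__main__":
    for name, doc in [("default", SAMPLE_DEFAULT), ("disabled", SAMPLE_DISABLED),
                      ("conflict", SAMPLE_CONFLICT)]:
        print(name, mfa_enforcement(doc))
```

A result with `enforced` set to `None` means the file needs manual review rather than a pass.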