2-Factor Authentication Guide (2FA) - help and support for organisations
This guide contains information about 2-Factor Authentication and how to set this up and use it in Citizen Space. You can read the whole thing, or jump to the relevant section(s) for your needs:
- What is 2-Factor Authentication (2FA)?
- Why 2FA is useful
- Authentication tools and the pre-planning needed before you turn 2FA on site-wide
- Turning on 2FA site-wide
- How to enable 2FA when you log in
- Troubleshooting
- Other (hopefully) useful things
What is 2-Factor Authentication?
2-Factor Authentication (2FA) — also sometimes called 2-Step Verification (2SV) or Multi-Factor Authentication (MFA) — requires a second verification method when logging in to a site or application. This step generally appears after a user has entered their username/email and password, and requires authentication from a separate source to verify their log-in details. Often this takes the form of a one-time passcode which needs to be entered to complete the log-in process.
The log-in passcode or second verification step is provided by an authenticator tool which is linked to the user's account for that particular site or application. Once an account is linked to an authenticator, then some of these tools will recognise the site and the specific log-in details each time the user visits, and will auto-generate the passcode and enter it into the 2FA field for them, providing a seamless log-in process. Other authentication tools may have a more manual process where the user types in the passcode the authenticator gives them.
It's often the case that a separate physical device is needed for authentication. The device linked with the user account is prompted to provide a passcode or verification for access. This is something you may be used to if you have linked your mobile phone for 2FA on any of your accounts and you receive a code via text message or via an alternative email address to enter so that you can log in.
Why it's a useful security measure
2FA provides an extra layer of security to logging in and helps to prevent unauthorised access to sites and applications because it requires knowledge of both the log-in credentials as well as verification from a linked authenticator app or device to get into the site. This makes it much harder for breaches to occur than if account access requires log-in credentials alone.
2-Factor Authentication in Citizen Space uses the industry standard of time-based, one-time passcodes (also known as TOTP or OTP). If it's enabled on your site and on a user's profile, it will require the user to enter their email address and password, followed by a new passcode from their authenticator app or device each time they log in.
This article from the UK's National Cyber Security Centre gives a good overview of enabling 2FA for online accounts, what it is, and why it's useful.
Authentication tools and the pre-planning needed to enable 2FA
If you decide to go ahead with using 2FA in Citizen Space, then this needs support from within your organisation first, because in order to authenticate the log-in process, you and your users will need to have been given access to an authentication tool and the support for how to use it. It's very likely you'll already have an authentication tool that your organisation has approved to use for accounts with 2FA on other sites and applications, so your IT team should be able to help you and your Citizen Space users to access one if you haven't used one before.
Common authentication tools and applications are:
- Microsoft Authenticator
- Password manager applications, like 1Password
- Authy
- Duo
- LastPass Authenticator
- Google Authenticator
- ...there are many more
Before you start
If you:
- cannot get access to an authenticator, or
- have not had one approved for use across your organisation yet, or
- you have one but are unsure of how to use it
then this should be arranged first before you get 2FA switched on for Citizen Space – or any other site on which you want to enable 2FA for work purposes!
Managing and supporting the use of an authentication tool
Authenticator tools are separate applications or devices which are controlled by your organisation, so we at Delib have no access to the particular one you'll be using or knowledge of how your organisation governs its use — and each particular authenticator tool or device works in a different way. This means that support for your Citizen Space users in accessing and using the authenticator of choice for your organisation will need to come from you or your IT team. You'll need to show your users how to link their Citizen Space log-in with your particular authenticator, and then how to log in with it so that it can generate the passcode required each time.
What we've tried to do in this guidance is show the process for enabling 2FA on a user account in Citizen Space using an authenticator so that you get the idea of how authentication tools tend to interact and which bits are the Citizen Space bits, and which are the authentication tool bits. This should give you the best chance of supporting your colleagues when or if they enable 2FA for their user profile.
We can show you how 2FA works in Citizen Space, how to turn it on as a user, and how, as a site admin, you can help users who have lost their authenticator but who still need to get in. Unfortunately, we can't troubleshoot issues with authentication tools themselves or describe how each type of authentication tool works.
Turning on 2FA for your Citizen Space site
When you have sorted your authentication tool and are ready to make the change to have 2FA switched on, please contact your customer success manager and we can do that for you. Once it's enabled site-wide, then it'll then appear as either:
- an option for each of your users to turn on via their user profile when they next log in or
- you can make 2FA required for all users, which means they will have to enable it at their next log in.
How to enable 2FA when you log in
Step-by-step guidance for users required to use 2FA
Once 2FA is enabled site-wide and set as required for all users, the next time you log in you'll be prompted to set-up 2FA prior to being able to access the admin side of your Citizen Space site.
To set up 2FA:
- Log in to your Citizen Space site.
The next screen will prompt you to set up with your 2FA, providing a QR code to scan with your authenticator app. Your authenticator tool should offer you an option to do this and the explanation of how QR code scanning works on that particular tool.
Once scanned, it should provide you with a passcode/token - enter this into the 'Token' field and then select to 'Activate two-factor authentication'.
It's worth noting here that some authentication tools may require you to add your Citizen Space log-in details to them first before the QR code scanning option is available, others will automatically link to your account from the QR code. Follow the guidance from your IT team or on the tool itself for how yours works.
As long as you've entered a valid token, you'll be taken to your profile confirming you are logged in.
Step-by-step guidance for users with the option to use 2FA
Once 2FA is enabled site-wide, you'll log in next time exactly as you would normally because 2FA hasn't been activated on your user profile yet.
To activate it once you're in:
- If you aren't taken there directly, head to your user profile by selecting your name in the top right of the screen and then 'My profile'.
Select 'Activate 2FA' from the top right of your profile.
- From there, you'll be shown the step to link your account with your authenticator tool. Get your authenticator application/device open, and scan the QR code. Your authenticator tool should offer you an option to do this and the explanation of how QR code scanning works on that particular tool.
Once scanned, it should provide you with a passcode/token - enter this into the 'Token' field and then select to 'Activate two-factor authentication'.
It's worth noting here that some authentication tools may require you to add your Citizen Space log-in details to them first before the QR code scanning option is available, others will automatically link to your account from the QR code. Follow the guidance from your IT team or on the tool itself for how yours works.
- As long as you've entered a valid token, you'll be taken back to your profile confirming 2FA is enabled.
Video guidance
This video walks through the steps to enable 2FA. In it we use Microsoft Authenticator, which is an authentication app for smartphones and tablets. You may be using another authenticator in your organisation and guidance for using that should be accessible in the tool itself or via your IT team or other colleagues, but the concept will be very similar.
Logging in with 2FA enabled
Next time you log in you'll enter your email and password as usual, and as long as those are correct, then you'll get the next screen which asks you to enter a one-time passcode from your authentication tool.
If the tool you are using is linked to your browser and log-in details for Citizen Space then it may populate this field for you. For other tools, you will need to open your authenticator app or device, find the entry for your Citizen Space account, and type the code it gives you into the field on Citizen Space.
This code will change every minute or so, so you'll need to put in the most recent one on screen. Don't write the passcodes down anywhere because they are irrelevant once they have expired. Part of the security of time-based, one-time passcodes is that they change regularly, so you always need to have the linked authentication tool or device to be able to get the current code which will unlock your account.
Once your code is in, select 'Log in' and you should be good to go
Troubleshooting
Lost or not working authentication app or device
If an authenticator app or device is lost or not working then you'll need to contact your IT team or whoever provided the authenticator to you for help in getting a new one or fixing the issue with it.
If you are a Site Admin, your Citizen Space users who have enabled 2FA may come to you if they have lost their authenticator or it isn't working, as this will mean they can't get into their account. If you can fix the issue with the authenticator and help them get access, then great. If you can't help or the device has been lost, then, as long as you are logged in to Citizen Space yourself, you can go into their user profile and disable 2FA for their account. This will enable them to log in to Citizen Space without 2FA on. They can reset 2FA by following the steps above when they can get access to a working authenticator app or device again. As Site Admin, you can disable 2FA on any user's account, but you won't be able to reactivate 2FA from their account for them. They will have to do this part themselves.
If you, as Site Admin, are the one who has lost your authenticator or it isn't working and you can't get into your account, then if you have other colleagues who are Site Admins, they can log in and disable 2FA on your user profile in Citizen Space. This will mean you can log in without the authenticator and re-enable 2FA once you can get access to a working authenticator app or device again. If none of your colleagues can help, or you are the only Site Admin, then as a last resort you can contact us and we can disable 2FA on your profile so that you can log in and set it back up when you are able. As before, only the owner of the account can re-enable 2FA for themselves, so we or others would not be able to reactivate 2FA for you. This has to be done by you as the account owner.
Re-enabling 2FA once it has been disabled on an account
If 2FA has been disabled on an account, when it's re-enabled it will need to be set up again by following the steps outlined earlier in this article and rescanning the QR code provided on screen. The authenticator needs to be linked with the account again so that it can provide you with a new token. It won't work if an existing passcode is put into the Token field without relinking the account details with the authenticator and rescanning the QR code. These steps have to be done by the account holder.
Other (hopefully) useful things
An extra column in the Users export
When 2FA is enabled on your site, it'll add an extra column to your Users export. This will show whether users have enabled 2FA on their accounts and can be helpful for doing user audits or if you want to encourage more users to enable this extra security step.
Deactivation email
If you've enabled 2FA and for some reason it then gets disabled on your account, you'll get an email letting you know this has happened. This is a further security measure so if it's been deactivated without your knowledge you can take steps to secure your account.
Log-in back-off
This is another security feature in Citizen Space which sets limits on how many attempts can be made to log in and, once that limit has been reached, prevents further attempts until a defined amount of time has passed. If this security feature is not already something enabled on your site, it will be automatically enabled when we turn on 2FA and adds another layer of security for your data. Please refer to this article which has more info on Citizen Space's security settings. If Log-in back-off is triggered on your user account, you'll get an email letting you know.