This article explains how the two-factor authentication policy works. Two-factor authentication (2FA) is an additional layer of security that requires account contacts to respond to a second authentication challenge when logging into CONTROL PANEL.
Enabling 2FA affects all account contacts.
The set of 2FA settings an account contact can modify depends on the role they have been granted.
- Account Owner: manages common and individual 2FA policies (enable/disable, reset, change the phone number, change 2FA method)
- Security Manager/Contact Manager: manages common and individual 2FA policies (enable/disable, reset, change the phone number, change 2FA method)
- Billing Manager/Technical Administrator: manages only their own 2FA settings (update the phone number, change 2FA method)
Read the Knowledge Base article on Account Contacts And Contact Roles for more information.
To enable the 2FA policy for administrators, log into CONTROL PANEL and navigate to Account > Security Policies > Two-Factor Authentication (2FA).
Check the Activate 2FA for administrators box and click Save changes.
The Frequency section lets you set how often administrators with 2FA enabled are challenged for extra authentication. The possible options are: on every login, daily, weekly, monthly, or when logging in from a new device.
To manage 2FA settings per account contact, navigate to Account > Account Contacts, click the contact's display name and select the Login options tab.
Under the Two-factor authentication method section, choose DoubleSafe app Push notification, SMS text message, Voice call, DoubleSafe app One-time passcode or Google Authenticator.
Add a phone number and click Save changes.
If the account contact has lost or changed their phone, they will be asked to reset two-factor authentication (2FA).
Note: Account contacts themselves can select any method to use on their first login. They can also specify a phone number to use for authentication.
Enabling 2FA on an account also affects account contacts who already manage several accounts.
There are several scenarios in which 2FA affects shared account contacts:
- Adding an account contact who already has 2FA enabled on another account to an account without 2FA results in an account contact with 2FA enabled.
- Adding an account contact without 2FA enabled to an account with 2FA results in an account contact with 2FA enabled.
When a shared account contact attempts to log into CONTROL PANEL, the combination of the strongest password policies and 2FA policies of all accounts where this account contact is listed is applied for authentication.
If 2FA is disabled on an account with a shared account contact, 2FA will still be applied if it is enabled on another account of this shared account contact.
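The shared-contact rule above can be modelled to check, before a policy change, which contacts will still be challenged. This is an added example, not CONTROL PANEL code or an API of the product; the data layout, the function names and the ranking of frequency options are assumptions.

```python
# Model of the shared-contact rule: the strongest 2FA policy across every
# account that lists the contact is the one applied at login.
# All names and data shapes here are hypothetical, not a product API.

# Assumed ordering, least to most strict. The article lists these options
# but does not rank them.
FREQUENCY_RANK = ["new_device", "monthly", "weekly", "daily", "every_login"]


def effective_2fa(contact, accounts):
    """Return the 2FA policy applied to `contact` when they log in."""
    enforcing = {
        name: acct for name, acct in accounts.items()
        if contact in acct["contacts"] and acct["tfa_enabled"]
    }
    if not enforcing:
        return {"tfa_enabled": False, "frequency": None, "enforced_by": []}
    strictest = max(
        (acct["frequency"] for acct in enforcing.values()),
        key=FREQUENCY_RANK.index,
    )
    return {"tfa_enabled": True, "frequency": strictest,
            "enforced_by": sorted(enforcing)}


def still_challenged_after_disable(account_name, accounts):
    """Contacts of `account_name` who keep 2FA if that account disables it."""
    changed = {
        name: ({**acct, "tfa_enabled": False} if name == account_name else acct)
        for name, acct in accounts.items()
    }
    return sorted(
        c for c in accounts[account_name]["contacts"]
        if effective_2fa(c, changed)["tfa_enabled"]
    )


# Constructed sample data: three accounts with overlapping contacts.
ACCOUNTS = {
    "acme": {"contacts": {"alice", "bob"}, "tfa_enabled": True,
             "frequency": "weekly"},
    "globex": {"contacts": {"alice", "carol"}, "tfa_enabled": True,
               "frequency": "every_login"},
    "initech": {"contacts": {"bob", "dave"}, "tfa_enabled": False,
                "frequency": None},
}

if __name__ == "__main__":
    for person in ("alice", "bob", "dave"):
        print(person, effective_2fa(person, ACCOUNTS))
    print("still challenged if acme disables 2FA:",
          still_challenged_after_disable("acme", ACCOUNTS))
```

The `enforced_by` list shows which accounts would also have to change before a shared contact stops being challenged.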