Two-Factor Authentication
Discover how Pleasant Password Server will enhance KeePass for business
(Versions 7+)
Pleasant Password Server supports a variety of Two-Factor Authentication methods.
Two-Factor Authentication is an extra layer of security added to the standard username/password login. Closely related terms covered here are Multi-Factor Authentication (MFA) and Two-Step Verification (2SV).
Client apps can also generate TOTP codes and store them for your user teams, so that accounts in a shared environment can be accessed securely.
In general, these factors are available for all software clients.
Supported Providers
Below is the list of supported providers, with links to configuration guides where available. Each type of Two-Factor Provider has its own configuration requirements:
3rd-Party Integration
Other Factors of Authentication are possible when integrating with SAML Single Sign-On, for example:
- Azure MFA (with SAML SSO)
- Office 365 (with SAML SSO)
- Okta (with SAML SSO)
Authenticator Apps
These mobile apps provide one-time 6-digit verification codes and can be used to further secure your server account (for example, Google 2-Step Verification). Each of the apps below can be configured by selecting the "Authenticator App" row of the 2FA table within a policy. For more information on configuring any of the apps below, follow this link:
- Google Authenticator - User Enrollment
- Microsoft Authenticator
- Authy 2-Factor Authentication
- DUO Mobile
- FreeOTP Authenticator
- Okta Verify
- SecureAuth
- Symantec VIP
- Yubikey Authenticator (not the hardware keys)
- 2FA Authenticator (2FAS)
- andOTP (for android)
- Aegis Authenticator
- RCDevs OpenOtp
Note: all of these, and any alternative app, use the industry-standard Time-based One-Time Password (TOTP) algorithm.
Biometrics
- Fingerprint Scanning (android) / Touch ID (iOS)
- Facial Recognition (android) / Face ID (iOS)
Client Certificates
Email Authentication
- Method 1: Email 6-digit codes that can be used to authenticate
- Method 2: Require user authentication through email first before using password reset.
Network Resource
- RADIUS
- RADIUS via DUO
- RADIUS via Okta
- RSA SecurID
- YubiKey Embedded Server
Note: all of these use the RADIUS Provider workflow, with the PAP, CHAP, or MS-CHAPv2 protocol.
Physical Devices
Note: these use the Yubico OTP protocol.
Enabling Two-Factor Authentication
Two-Factor Authentication (2FA) can be enabled for your users by:
- Opening an existing Policy (the Two-Factor section is only displayed after the Policy has been created),
- Configuring a 2FA Provider, and
- Enrolling the Users, or allowing User Self-Enrollment
Bulk User Enrollment
Administrators can set up all users for self-enrollment into Two-Factor Authentication:
- Settings on the 2FA Provider:
  - User Can Generate Code: users can generate their own secret
  - Users Can Self-Enroll: users can enroll on their own; if 2FA is Required, users will be prompted after first login
  - Note: the user's 2FA status displays "disabled", but user setup is still allowed.
Enroll a Single User
Administrators can enroll a single user with Two-Factor Authentication:
- Set from the User's Details page
Reset Two-Factor Secret
Administrators can reset a user's secret from the User's Details -> Configure screen, by clicking either:
- A) Reset, and provide the user with the new secret, or
- B) Disable the previous 2FA configuration, allowing the user to re-enroll at next login
  - Availability depends on the 2FA Provider options: User Can Generate Code and User Can Self-Enroll
Storing 2FA Backup Codes
Password Server generates a unique secret for each user: the 2FA secret that the user synchronizes with their mobile device.
This 2FA secret can be saved, copied or stored in another secure location, so that if the mobile device is lost the secret is still available to the user.
It is usually not recommended to store the 2FA secret (used to authenticate to Password Server) in that same server, because doing so collapses the two factors into a single factor.
However, some may require storing 2FA secrets for integration with other applications.
There are KeePass plugins which store and display 2FA codes, such as: Tray OTP or KeeOTP.
Some Authenticator apps, such as Authy, have a Backup 2FA feature which can automatically synchronize the secret to a backup. Depending on your security needs, this can provide convenience and remove the worry of losing the secret; note, however, that the secret is then synchronized to a cloud location.
Two-Factor Policy Configuration
2FA configuration details are found on the Policy, in the Two-Factor Policy section.
Status
- Required: When Two-Factor is set to Required, Two-Factor Authentication is mandatory for all policy users. If a user has no Providers configured, they will not be able to log in.
  - It is recommended that Required is only used for policies where the two-factor configuration is entirely managed by the administrators. Alternatively, it may be turned on after users have been given sufficient notice and opportunity to configure and enable their two-factor authentication.
- Enabled: Configuring at least one Two-Factor Provider allows users with the policy to use two-factor authentication during sign-in.
  - If multiple providers are enabled, users may be able to choose which two-factor provider to use (depending on the user's configuration). Each user must have at least one two-factor provider configured and enabled for the two-factor authentication step to appear for them.
- Disabled: When none of the Two-Factor configurations are enabled, the 2FA step is removed from the sign-in process, even if users previously had Two-Factor configured and enabled for themselves.
Browser Remember Flag
- Enabling this allows users to set a flag that bypasses the Two-Factor requirement for their current browser.
  - Users will see a "Remember this browser?" check box on first use of Two-Factor Authentication.
  - Setting this flag disables the 2FA requirement for that user in that same browser. 2FA (if enabled) will still be required when they sign in from a new browser.
- Disabling this prevents the option from being available to users, forcing 2FA on every sign-in.
Users should only check this option when signing in from a secure, trusted browser.
Two-Factor Providers
Note: The list of Two-Factor Providers is displayed once the policy is created.
The following options are common to all two factor provider configurations.
Enabled
Each available Two-Factor Authentication provider can be enabled or disabled on a per-policy basis. Some Two Factor Providers are easy for the user to configure and enable, making them good choices to enable for optional protection. Other Two Factor Providers must be configured and managed by an administrator. See the descriptions of each Provider to help you select which ones are right for your security needs.
User Can Disable Provider
In a policy where 2FA is optional, this option should be enabled. It allows the user to enable or disable their preferred Two-Factor Provider(s) on their account management page. For policies requiring mandatory (and often administrator-configured) 2FA, unchecking this option prevents the user from disabling the Two-Factor Provider.
Google Authenticator
Generates a new security code every 30 seconds, using the Google Authenticator app available for Apple and Android.
Once enabled in the policy, Google Authenticator can be enabled by the user, and the user configuration page will display the QR code used to set up the Google Authenticator app.
See also: Setting Up Google Authenticator & User Enrollment
Service Name:
- This name appears in the Google Authenticator app when setting it up using the QR code provided on the user configuration page.
User Can Generate Code:
- Checking this option allows the user to reset the secret value if they choose. Unchecking it prevents the user from changing the secret themselves.
User Can Disable Provider:
- If this box is checked, the user will be able to enable or disable two-factor authentication on their account. If you wish to force users to use two-factor authentication, leave this box unchecked.
User Can Self-Enroll in this Provider:
- If this box is checked and two-factor authentication is required, users will be able to set up Google Authenticator on first sign-in, if they have not already done so.
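The TOTP algorithm behind the Google Authenticator provider (and, as noted under Authenticator Apps, every other app in that list) is small enough to show in full. This is an added example, not Pleasant Password Server code: it implements RFC 4226/6238 with the 30-second step the page describes, and the verifier tracks the last accepted time-step counter so that an intercepted code cannot be accepted a second time within its validity window. The secret is the published RFC 6238 test-vector secret, not a real user's.

```python
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30  # seconds per code, as described for Google Authenticator
DIGITS = 6      # length of the code the apps display

# RFC 6238 test-vector secret ("12345678901234567890" in base32); not a real secret.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (the QR-code secret)."""
    return hotp(secret_b32, at // step)


def verify_totp(secret_b32: str, submitted: str, at: int,
                last_used_counter: int = -1, skew: int = 1):
    """Check a submitted code against the current step and +/- `skew` neighbouring
    steps (clock drift). Returns (ok, counter). Any counter <= last_used_counter is
    refused, so the server must persist the accepted counter per user to stop replay."""
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False, None
    current = at // TIME_STEP
    for counter in range(current - skew, current + skew + 1):
        if counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, counter), submitted):
            return True, counter
    return False, None
```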
YubiKey
The standard YubiKey Two Factor Provider connects to a remote server, either the YubiCloud authentication service or another YubiKey Verification Server. By default, all YubiKeys are shipped ready to verify against the YubiCloud service.
User Can Configure Provider:
- Checking this option allows the user to configure the two-factor provider with any valid YubiKey. A YubiKey One-Time Password (OTP) will need to be entered and verified by the configured verification server(s). This option is useful where YubiKey is enabled as an optional two-factor provider, or when the administrator does not want to configure each user individually after handing out YubiKeys.
User Can Disable Provider:
- If this box is checked, the user will be able to enable or disable two-factor authentication on their account. If you wish to force users to use two-factor authentication, leave this box unchecked.
Client ID & API Key:
- These are used for communication with the YubiKey Cloud authentication service. You may obtain a Client ID and API key via Yubico's website (https://upgrade.yubico.com/getapikey/).
Server URLs:
- When hosting your own YubiKey verification servers, you must enter the URL(s) to use for verification. If no URLs are specified, verification will be done against the YubiKey Cloud service.
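To make the Client ID, API Key and Server URL settings above concrete, here is an added example (not Pleasant Password Server code) of what a client does with them under the Yubico validation protocol: split the 44-character modhex OTP into the key's public ID and its encrypted part, sign the verify request with the API key, and accept the reply only if it echoes the OTP and nonce, carries a valid signature and reports status OK. The API key and OTP are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

MODHEX = "cbdefghijklnrtuv"  # Yubico's modhex alphabet; index = hex nibble value

# Constructed example values, not real credentials and not a real key's OTP.
EXAMPLE_API_KEY_B64 = base64.b64encode(b"constructed-example-key").decode()
EXAMPLE_OTP = "ccccccbcgujh" + "irdhdeghncrvvbkjfknegjgjfvhdcfkr"


def modhex_to_hex(s: str) -> str:
    """Decode modhex (what a YubiKey types) to ordinary hex."""
    if not s or any(c not in MODHEX for c in s):
        raise ValueError("not a modhex string")
    return "".join("0123456789abcdef"[MODHEX.index(c)] for c in s)


def parse_yubico_otp(otp: str) -> tuple:
    """Split a 44-char Yubico OTP into the 12-char public ID (identifies the key)
    and the 32-char AES-encrypted part only the verification server can check."""
    otp = otp.strip().lower()
    if len(otp) != 44:
        raise ValueError("a Yubico OTP is 44 modhex characters")
    modhex_to_hex(otp)  # rejects anything outside the modhex alphabet
    return otp[:12], otp[12:]


def sign_params(params: dict, api_key_b64: str) -> str:
    """Protocol signature: HMAC-SHA1 over 'k=v&k=v' with keys sorted (h excluded),
    keyed with the base64-decoded API key, result base64-encoded."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), msg.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def build_verify_query(client_id: str, otp: str, api_key_b64: str, nonce=None) -> str:
    """Query string for GET <server>/wsapi/2.0/verify; the nonce is echoed back."""
    parse_yubico_otp(otp)  # fail early on malformed input
    params = {"id": client_id, "otp": otp, "nonce": nonce or secrets.token_hex(16)}
    params["h"] = sign_params(params, api_key_b64)
    return urlencode(params)


def response_is_authentic(body: str, api_key_b64: str, otp: str, nonce: str) -> bool:
    """Accept only if the reply echoes our OTP and nonce, is signed under our key, and says OK."""
    fields = dict(line.split("=", 1) for line in body.strip().splitlines() if "=" in line)
    if fields.get("otp") != otp or fields.get("nonce") != nonce or "h" not in fields:
        return False
    if not hmac.compare_digest(sign_params(fields, api_key_b64), fields["h"]):
        return False
    return fields.get("status") == "OK"
```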
YubiKey Embedded Server
This specialized YubiKey Two-Factor Authentication Provider allows connecting to a local database, without having to connect with an external verification service.
This Two Factor Provider requires significantly more administration and cannot be configured by users directly.
To use this provider you must customize the YubiKey(s) using the YubiKey personalization software (https://www.yubico.com/products/services-software/personalization-tools/) with custom secret values. These values must then be entered into each user's configuration by an administrator.