Who is this article for?
Incydr Professional and Enterprise, no.
Incydr Basic and Advanced, no.
CrashPlan Cloud, no.
Other product plans, yes.
CrashPlan for Small Business, no.
This article applies to on-premises authority servers.
Other available versions:
Two-factor authentication for local users increases the security of your Code42 environment by requiring users who authenticate directly with Code42 to provide additional verification before accessing the Code42 console and Code42 API.
For organizations integrated with an external authentication provider, this typically only applies to a very limited number of administrator accounts reserved for troubleshooting your authentication provider. However, if your organization only uses Local authentication, it applies to all users.
Before you begin
- Review any Code42 API integrations using credentials of users in organizations in which you plan to enable local two-factor authentication. After enabling local two-factor authentication for an organization, basic authentication (username and password) is not supported. Users in that organization must use token authentication and supply the Time-based One-Time Password (TOTP) to authenticate with the Code42 API.
- Review the organizational hierarchy of your Code42 environment. By default, child organizations inherit the local two-factor authentication setting from their parent organization. To prevent this setting from affecting unintended users, you can either move the users you want to use local two-factor authentication to an organization with no child organizations, or manually disable the setting in each child organization.
- Local two-factor authentication requires Code42 server version 8.2 or later.
- Local two-factor authentication uses the Time-based One-Time Password (TOTP) algorithm and a 160-bit secret key for each user. The Google Authenticator mobile app is the tool we officially support and recommend, but other tools or apps that support the TOTP algorithm may also be compatible.
- To configure this setting for an organization, you must sign in to the Code42 console as a user with the SYSADMIN or Multi-Factor Auth Admin role.
Affected users and components
Unaffected users and components
- The Code42 app installed on user devices
- Any existing multi-factor authentication mechanisms managed by your external authentication provider
Enable or disable two-factor authentication
- Sign in to the Code42 console.
- Navigate to the organization settings:
- To update all organizations, select Administration > Settings > Organization.
- To update a single organization:
- Select Administration > Organizations > Active.
- Select an organization.
- From the action menu in the upper-right, select Edit.
- Select the Security tab and go to the Local Two-Factor Authentication section.
- If necessary, deselect Inherit setting from parent.
- Select Enabled or Disabled.
- Enabled: Requires affected users to configure two-factor authentication (Google Authenticator is our recommended application). Users must then provide a one-time authentication code in addition to their Code42 username and password to access the Code42 console and Code42 API.
- Disabled: Locally authenticated users are only required to provide their Code42 username and password to access the Code42 console and Code42 API.
- (Optional) Click the lock icon to:
- Apply the setting to all child organizations
- Prevent child organizations from changing this setting
- Click Save.
If you want to use a different setting in a child organization, you must follow the steps above for all child organizations to ensure they use your preferred setting. If you plan to use the same setting in all child organizations, click the lock icon in the parent organization.
User sign in
After enabling Local Two-Factor Authentication for an organization, affected users are required to follow the steps below to set up their account the next time they sign in. (Future sign-ins only prompt users to obtain the verification code from the Google Authenticator mobile app.)
- Upon signing in to the Code42 console, the Set Up Two-Factor Authentication message appears.
- Using the Google Authenticator mobile app, scan the QR code provided (see sample below).
- (Optional) If you plan to script automated API requests with this account and/or integrate with other TOTP applications, click View code for manual entry or API setup to display the shared secret. This is the only time the secret is displayed, so copy it from this message and save it.
- In the Set Up Two-Factor Authentication message, enter the verification code displayed in the Google Authenticator mobile app.
- Click Sign In.
Reset a single user's device
If a user loses or gets a new mobile device, follow the steps below to reset the two-factor authentication configuration.
- Sign in to the Code42 console.
- Select Users > Active.
- Select a user.
- From the action menu in the upper-right, select Reset Two-Factor Authentication.
This invalidates the secret used to generate this user's TOTP and prompts the user redo the initial configuration steps upon the next sign-in attempt.