This article explains the functionality of a Two-factor authentication policy. Two-factor Authentication (2FA) is an additional layer of security, which requires Account Contacts to respond to a second authentication challenge when logging into Control Panel.

Enabling 2FA affects all account contacts.

Important: once 2FA for account contacts is enabled, there is no way to disable it.

A set of 2FA settings that account contacts can modify depends on the role they are granted.

  • Account Owner: manages common and individual 2FA policies (enable/disable, reset, change the phone number, change 2FA method)
  • Security Manager/Contact Manager: manages common and individual 2FA policies (enable/disable, reset, change the phone number, change 2FA method)
  • Billing Manager/Technical Administrator: manages only their own 2FA settings (update the phone number, change 2FA method)

Read the Knowledge Base article on Account Contacts And Contact Roles for more information.

Enabling 2FA

To enable 2FA policy for administrators, log into Control Panel and navigate to Account > Security Policies > Two-Factor Authentication (2FA).

Check the Activate 2FA for administrators box and click Save changes.


Frequency section allows you to set how often users and administrators with 2FA enabled will be challenged for extra authentication. The possible options are: on every login, daily, weekly, monthly, when logging from a new device.

Note: on mobile devices, 2FA is challenged on every authentication (i.e. Email Account setup).

 

 


To manage 2FA settings per Account Contact, navigate to Account > Account Contacts, click the contact's display name, and select Login options tab.

Under Two-factor authentication method section choose UNIVERGE BLUE® PROTECT app Push notification, SMS text message, Voice call or UNIVERGE BLUE® PROTECT app One-time passcode. 

Add a cell phone number and click Save changes.

 

 

Note: Account contacts themselves can select any method to use on their first login. They can also specify a cell phone number to use for authentication.

Read the Knowledge Base article on How To Use Two-Factor Authentication To Access My Control Panel for more information.

If the account contact has lost or changed their phone, 2FA will need to be reset for them. To reset 2FA, one of the other account contacts with a Contact manager or Owner role will need to log into the Control Panel and navigate to Account > Account contacts > click on the Display name of the account contact whose 2FA needs to be reset > Login options > Reset 2FA.

Shared account contacts

Important:  It is not allowed for shared account contacts to reset admin 2FA for other shared account contacts. If a shared account contact needs to reset their admin 2FA, they must do it themselves.

Enabling 2FA on the account will affect account contacts, who already manage several accounts.

There are several scenarios of how the 2FA affects the shared account contacts:

  • Adding account contact with already enabled 2FA on another account on the account without 2FA will result in account contact with 2FA enabled.
  • Adding account contact without 2FA enabled on the account with 2FA will result in account contact with 2FA enabled

When a shared account contact attempts to log into the Control Panel the compilation of the strongest password policies and 2FA policies of all accounts where this account contact is listed will be applied for authentication.

If the 2FA is disabled on the account with a shared account contact, the 2FA authentication will still be applied if 2FA is enabled on a different account of this shared account contact.

Is this answer helpful?

Haven't found what you're looking for? Search the Support Center!
Print Article
Article Information

Article ID: 12575

Last updated on: 06/04/2024 07:26 AM

Product: {{item.Name}}{{$index < (answer.Products.length-1) ? ', ' : ''}}

Partner Article

Tags: {{item.trim()}}{{$index < (answer.Keywords.length-1) ? ', ' : ''}}

Attachments:
Related Articles