
Enforcing two-factor authentication (2FA) in GravityZone Cloud FAQ

Bitdefender is taking a step to further increase your protection with two-factor authentication (2FA) required for all GravityZone Cloud accounts starting April 12th, 2022.

Why we are changing the way you log in

Passwords are one of the most common targets for attackers. Requiring a second step to sign in makes your account more secure even if the password is stolen.

Two-factor authentication is a security feature that requires users to confirm their identity, after entering their password, with a one-time code generated on another device such as a mobile phone. This reduces the risk of account compromise even if the password is stolen or cracked.

Two-factor authentication has been available in GravityZone for some time, and many users already take advantage of it. From April 12th, 2022, two-factor authentication becomes mandatory for all GravityZone Cloud users.

Important

Bitdefender will not enforce two-factor authentication (2FA) for GravityZone accounts that use single sign-on (SSO).

How two-factor authentication works

After you enter your password to log in to GravityZone Control Center, you need to enter a code from the authenticator app configured as the second factor on your device. Bitdefender supports Google Authenticator, Microsoft Authenticator, or any authenticator compatible with TOTP (Time-Based One-Time Password).

  • Learn how to download and install Google Authenticator here.

  • Learn how to download and install Microsoft Authenticator here.

  • Learn how to configure an authenticator on your computer here.

In GravityZone, you can enable two-factor authentication for your own account and for any other accounts that you manage.

  • Learn how to enable two-factor authentication for your GravityZone account here.

  • Learn how to enable two-factor authentication for all GravityZone accounts in your company here.

  • Learn how to enable two-factor authentication for GravityZone companies that you manage here.

Important

  • Starting April 12th, GravityZone introduces the new option Remember this device, which allows you to skip entering the six-digit code on that device for up to 90 days. Learn more in the GravityZone release notes.

  • In the current implementation (before April 12th), users can disable two-factor authentication. Bitdefender will remove this option when 2FA becomes mandatory.

Bitdefender supports Google Authenticator, Microsoft Authenticator, or any authenticator that implements the TOTP (Time-Based One-Time Password) algorithm defined in RFC 6238. The app combines the secret key you receive when enabling 2FA with the current time to generate a six-digit code that changes every 30 seconds. The authenticator can run on a smartphone or on another device, such as a personal computer.

Because the code is derived from the current time, the clock of the device running the authenticator must be in sync with the clock of the GravityZone console; a device clock that has drifted produces codes that the console rejects. To avoid synchronization issues, enable the automatic date and time setting on your device.

Two-factor authentication adds one more step, but it is usually fast and easy. Many other applications have implemented 2FA and you probably use it for some of your online accounts.

No. By default, you need to use two-factor authentication at every login, but starting April 12 you will have the new option Remember this device, which allows you to skip entering the six-digit code on that device for up to 90 days.

GravityZone administrators can activate this option and specify the time period in the company authentication settings in GravityZone. After the interval expires, you need to enter a code from your authenticator once again. Learn more in the GravityZone release notes.

You will not be able to disable two-factor authentication after Bitdefender enforces it.

If you erased your phone, reinstall the authentication app and add your account again using the QR code or the secret key that you received when setting up two-factor authentication.

To prevent someone else from using your lost or stolen phone as your second factor, contact your GravityZone administrator and ask them to reset two-factor authentication for your account. After the reset, you can reconfigure two-factor authentication on your new device.

If two-factor authentication is enforced for your company, you need an authenticator to log in. If you do not have your phone with you, contact your GravityZone administrator to reset 2FA for your account so that you can set up another device, including a computer, as your second factor.

We will make an announcement seven days before enforcing two-factor authentication on April 12th, 2022. If you already use two-factor authentication by then, the change will not affect you.

For GravityZone accounts that use an identity provider to log in, 2FA cannot be enabled and will not be enforced in GravityZone. Therefore, no actions are necessary for these accounts.

No. Two-factor authentication in GravityZone supports only a TOTP authenticator running on a smartphone or another compatible device (for example, a computer).

As an alternative, if you are a GravityZone administrator, you can enable single sign-on (SSO) for other accounts instead of 2FA. Read more about SSO here. However, you cannot enable SSO for your own account, so you still need to use 2FA for it.

After Bitdefender enforces two-factor authentication, calls to the createCompany and updateCompanyDetails API methods that set the enforce2FA parameter to false will have the value automatically treated as true. The call does not return an error, so existing integrations keep working (backward compatibility).

A new optional parameter, skip2FAPeriod, will be available for the createCompany and updateCompanyDetails methods. It is the API equivalent of the Remember this device option and sets the number of days (0, 1, 3, 7, 14, 30 or 90) for which users in the company can skip the second factor on a remembered device. Its default value is 0 (zero days, meaning the option is disabled).
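As an added example that is not part of Bitdefender's documentation or SDK, the following Python helper builds the updateCompanyDetails call that turns on the company-wide Remember this device interval through the skip2FAPeriod parameter. It validates the value against the list above and warns when an integration still passes enforce2FA as false, which the server now ignores. The JSON-RPC 2.0 envelope, the companies endpoint URL, the id parameter and the HTTP Basic convention of API key as username with an empty password are assumptions taken from the public GravityZone API documentation; the company id is a constructed placeholder and nothing is sent over the network.

```python
"""Client-side helper for the GravityZone Companies API 2FA parameters.
Added example, not Bitdefender code. Assumed: JSON-RPC 2.0 over HTTPS, the
API key as HTTP Basic username with an empty password, and the endpoint path
below (taken from the public API documentation)."""
import base64
import json
import warnings

# Values the FAQ lists for skip2FAPeriod (days); 0 disables "Remember this device".
ALLOWED_SKIP_2FA_PERIODS = (0, 1, 3, 7, 14, 30, 90)

# Assumed endpoint for createCompany / updateCompanyDetails.
COMPANIES_ENDPOINT = "https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/companies"


def two_factor_params(enforce_2fa: bool = True, skip_2fa_period: int = 0) -> dict:
    """Return the 2FA-related params for createCompany / updateCompanyDetails.

    Rejects skip2FAPeriod values the API does not accept, and warns when a caller
    still sends enforce2FA=false: after enforcement the server silently treats it
    as true, so the request is normalized to what will actually take effect."""
    if skip_2fa_period not in ALLOWED_SKIP_2FA_PERIODS:
        raise ValueError(
            f"skip2FAPeriod must be one of {ALLOWED_SKIP_2FA_PERIODS}, got {skip_2fa_period!r}"
        )
    if not enforce_2fa:
        warnings.warn("enforce2FA=false is ignored once 2FA is mandatory; sending true instead")
    return {"enforce2FA": True, "skip2FAPeriod": skip_2fa_period}


def jsonrpc_request(method: str, params: dict, request_id: str = "1") -> dict:
    """JSON-RPC 2.0 envelope as the GravityZone API expects it."""
    return {"jsonrpc": "2.0", "method": method, "params": params, "id": request_id}


def auth_header(api_key: str) -> dict:
    """HTTP Basic header: API key as username, empty password (assumed convention)."""
    token = base64.b64encode(f"{api_key}:".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def update_company_2fa_request(company_id: str, skip_2fa_period: int) -> dict:
    """Build (but do not send) the updateCompanyDetails call that enables
    'Remember this device' for a company. The 'id' parameter name is assumed."""
    params = {"id": company_id, **two_factor_params(True, skip_2fa_period)}
    return jsonrpc_request("updateCompanyDetails", params)


if __name__ == "__main__":
    # Constructed placeholder company id; replace with a real one from getCompanyDetails.
    req = update_company_2fa_request("5c1a0b2e3f4d5e6f7a8b9c0d", 30)
    print(json.dumps(req, indent=2))
    # To send: urllib.request.Request(COMPANIES_ENDPOINT, data=json.dumps(req).encode(),
    #                                 headers=auth_header("<api key>"), method="POST")
```

Validating skip2FAPeriod on the client turns a value such as 5 into an immediate error instead of a rejected or silently adjusted request, and normalizing enforce2FA keeps the stored integration config honest about what the server will do.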

If you do not have a smartphone, you can use your computer as the second factor to log in to GravityZone. All you need is a TOTP (Time-Based One-Time Password) authentication app that provides the six-digit code required after entering your credentials. Here are the instructions for two such apps on Windows:

  • TOTP Manager

  • WinAuth

Configure the authenticator while you enable 2FA for your GravityZone account: the 2FA configuration page shows the secret key (and its QR code) that you enter into the authenticator, and the authenticator in turn produces the six-digit code you need to complete the setup in GravityZone. For details on how to enable 2FA for your account, refer to Manage your account.

TOTP Manager

TOTP Manager is an authentication app available in Microsoft Store. To use it, you need a Microsoft account. Follow these steps:

  1. Connect to Microsoft Store with your Microsoft account.

  2. Search for TOTP Manager and click Get to install it on your computer.

  3. Click Open in Microsoft Store or run TOTP Manager directly from your computer.

  4. In the TOTP Manager interface, click +.

  5. In the configuration page, fill in these fields:

    • For Account, enter your GravityZone username (in the format username@company).

    • For Secret, copy and paste the secret key displayed in the 2FA configuration page in GravityZone.

      Keep the secret key in a safe place for future use: you need it to restore access if you lose the authenticator, and anyone who obtains it can generate your six-digit codes.

    • For Digits, select 6.

    • For Time Period, select 30 seconds.

    • For Algorithm, select SHA-1.

  6. Click Create! to generate the six-digit code.

WinAuth

This app is an open-source authenticator for Google, Microsoft, and several other services. You do not need a specific account to use it, just follow these steps:

  1. Download the ZIP file from here and extract its content.

    There is nothing to install; WinAuth is a single executable file.

  2. Double-click WinAuth.exe.

    If you receive an error about missing .NET, make sure you have installed .NET Framework from here.

  3. In the WinAuth window, click Add.

  4. Choose Authenticator from the list.

  5. In the configuration window, at step 1, copy and paste the secret key displayed in the 2FA configuration page in GravityZone.

    Keep the secret key in a safe place for future use: you need it to restore access if you lose the authenticator, and anyone who obtains it can generate your six-digit codes.

  6. At step 2, select the Time-based radio button.

  7. Click OK to generate the six-digit code and click OK one more time to save the authenticator.

  8. When asked how to protect your WinAuth authenticator, enter a password to encrypt it. You can also choose to encrypt the data so that the WinAuth file will be usable only on your computer and only by your account.

    Next time when you open WinAuth.exe you must enter the password you have configured at this step.

  9. Click OK to save your configuration.

  10. Now the WinAuth window displays your authenticator and the six-digit code for 30 seconds. When the time expires, click the Refresh icon to display a new code.


Useful tips:

  • Right-click the authenticator to rename it, view the secret key, or delete it.

  • Click the cog icon for settings. For example, you can set the authenticator to always display on top of other windows, which is handy when logging in to GravityZone.
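The code that TOTP Manager and WinAuth compute from the secret key, written out in Python as an added example (not Bitdefender's code and not either app's). It implements RFC 6238 with exactly the settings entered above (SHA-1, 30-second period, 6 digits), so it is another way to use a computer as the second factor, and its verify() function shows why the clock-synchronization caveat from the authenticator-app answer holds: a server accepts only the codes for the current time step and a small number of neighbouring steps. The secret is the RFC 6238 test vector encoded in base32, not a real GravityZone key, and the one-step tolerance window is an assumption about typical server behaviour, not GravityZone's documented setting.

```python
"""TOTP (RFC 6238) as GravityZone 2FA uses it: HMAC-SHA1, 30-second steps, 6 digits.
Added example; not Bitdefender code. Constructed test secret from RFC 6238."""
import base64
import hashlib
import hmac
import struct
import time

# The parameters GravityZone expects (same values entered in TOTP Manager / WinAuth).
DIGITS = 6
PERIOD = 30
HASH = hashlib.sha1

# RFC 6238 reference secret ("12345678901234567890" in ASCII) as base32, which is
# the form a 2FA configuration page shows next to the QR code. Constructed test data.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Turn the base32 key pasted from the 2FA configuration page into raw bytes.
    Tolerates spaces, lowercase and missing '=' padding, as authenticator apps do."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp_at(secret: bytes, unix_time: int) -> str:
    """HOTP (RFC 4226) over the RFC 6238 time counter floor(unix_time / PERIOD)."""
    counter = int(unix_time) // PERIOD
    mac = hmac.new(secret, struct.pack(">Q", counter), HASH).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def current_code(secret_b32: str) -> str:
    """The six-digit code to type into GravityZone right now."""
    return totp_at(decode_secret(secret_b32), int(time.time()))


def verify(secret: bytes, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check (assumed window): accept the code for the current step and
    skew_steps neighbours either side. A device clock off by more than
    skew_steps * PERIOD seconds yields a code outside the window, so login fails."""
    for step in range(-skew_steps, skew_steps + 1):
        candidate = totp_at(secret, unix_time + step * PERIOD)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    secret = decode_secret(RFC_TEST_SECRET_B32)
    print("code at T=59:", totp_at(secret, 59))               # RFC 6238 vector: 287082
    print("accepted 30 s late:", verify(secret, totp_at(secret, 59), 89))
    print("accepted 60 s late:", verify(secret, totp_at(secret, 59), 119))
    print("live code:", current_code(RFC_TEST_SECRET_B32))
```

Paste the base32 secret from your own 2FA configuration page in place of RFC_TEST_SECRET_B32 to get live codes. Keep in mind that a secret stored in a plain script on disk is weaker than WinAuth's password-encrypted store, and that the code is only as correct as the computer's clock.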

After configuring two-factor authentication for your account, log out from GravityZone and log in again. You have to enter your credentials and the six-digit code from the authentication app. Two-factor authentication will work the same way after becoming mandatory and you do not need to do anything else.

If for some reason you cannot use the authentication app to provide the six-digit code, configure another app using the same secret key that you have saved when enabling 2FA for your account.

If you cannot use the authentication app and you have also lost the secret key, contact your GravityZone administrator (who has access to your account) and ask for a 2FA reset. After the reset, the next time you log in to GravityZone you will be prompted to reconfigure 2FA with a new secret key.