ON PREMISES SOLUTIONS

Managing two-factor authentication for user accounts

By clicking a username in the Accounts page in GravityZone Control Center, you are able to check its two-factor authentication status (enabled or disabled) under the Login Security section and take certain actions on that account.

Note

On the Accounts page, you can revoke browsers and reset or disable 2FA for other users, not for your own account. To revoke browsers or disable 2FA (if it is not mandatory) for your account, go to the Welcome, [username] > My Account page.

To reset 2FA for your account, contact your GravityZone administrator. You cannot reset 2FA for your account by yourself.

Revoke trust for browsers and reset or disable 2FA

The following actions are available for two-factor authentication:

  • Revoke all browsers. Use this option to revoke the trust of all browsers on all devices that skip the six-digit code when connecting to Control Center. After revoking, users who previously enabled the Trust this browser option on the GravityZone login page have to enter the authentication code again.

    To revoke the trust of all browsers:

    1. Enter your GravityZone password.

    2. Click the Revoke all browsers button.

    3. Confirm your action.

      After revoking all browsers, the user needs to enter the six-digit code again when connecting to GravityZone Control Center.

  • Reset or disable a user's two-factor authentication. If a user with 2FA enabled has changed or wiped the device and lost the secret key, follow these steps:

    1. Under Login Security, enter your GravityZone password in the corresponding field.

    2. Click Reset 2FA (when 2FA is enforced) or Disable (when 2FA is not enforced).

    3. A confirmation message will inform you that two-factor authentication has been reset or disabled for the user.

      After 2FA is reset while the feature is enforced, a configuration window prompts the user at login to configure two-factor authentication again with a new secret key. For details on how to enable 2FA, refer to Connecting to Control Center.

    As GravityZone administrator, you can enforce 2FA and configure the interval for which Control Center trusts the browsers used for logging in, on the Configuration > Miscellaneous page.

  • If the user has 2FA disabled and you want to activate it, you will need to ask the user to enable this feature from their account settings.

    Note

    If you have a company administrator account, you may make two-factor authentication mandatory for all GravityZone accounts. For more information, refer to Configure Control Center settings.

To check the 2FA changes related to user accounts, access the Accounts > User Activity page and filter the activity logs using the following filters:

  • Area: Accounts

  • Action: Edited

For information about 2FA for your account, refer to Manage your account.

Important

The authentication app of choice (Google Authenticator, Microsoft Authenticator, or any two-factor TOTP (Time-Based One-Time Password Algorithm) authenticator compatible with the RFC 6238 standard) combines the secret key with the device's current timestamp to generate the six-digit code.

Be aware that the timestamps on both the device and the GravityZone appliance have to match for the six-digit code to be valid. To avoid any timestamp synchronization issues, we recommend enabling the automatic date and time setting on the device.

Enforce 2FA and configure interval for trusting browsers

In the Configuration > Miscellaneous page, you can enforce two-factor authentication and configure the interval for trusting browsers.

This is how you configure these settings:

  • Enforce two-factor authentication for all accounts. Enable this option to make 2FA mandatory for all GravityZone accounts. When logging in, users will be prompted to configure 2FA for their accounts and they will have to enter a six-digit code in addition to their credentials. Users can skip enabling 2FA only three times. At the fourth login attempt, they will not be able to connect to Control Center without two-factor authentication.

  • Users trust their devices. This option allows users to trust the browsers they use for connecting to Control Center. After selecting the Trust this browser check box on the login screen, users do not need to enter the six-digit code again until the interval expires.

    The maximum interval you can select is 90 days. When the interval expires, users must enter the six-digit code in addition to their credentials. When selecting Never, browsers are not trusted and users cannot skip two-factor authentication.