What is two-step authentication in DRACOON?
- Two-step authentication (also known as two-factor or multifactor authentication) increases security when users log in to DRACOON.
- The increased security is achieved by requiring users to enter a 6-digit confirmation code generated on the respective user's mobile device (smartphone or tablet) in addition to their username and password in a second step each time they log in.
- Since two-step authentication absolutely requires an additional physical object (the mobile device) for successful login, unauthorized login by other people using stolen credentials (username and password) alone is no longer possible.
- The additional confirmation code - also called a one-time password - is generated by an authentication app (e.g. Google Authenticator or Microsoft Authenticator) installed on the user's mobile device, which was linked to the user's DRACOON account during the two-step authentication setup (by scanning a QR code with the app).
- The confirmation code is time-bound - it changes every 30 seconds - and must be entered within this time window when logging in. This prevents a stolen confirmation code from being misused afterward - it would no longer work after 30 seconds.
- Two-step authentication can be mandated by the configuration or user manager for all or only certain users. Otherwise, users can decide for themselves whether they want to use it.
- By informing the user manager that they require a reset of their MFA configuration, users can have their two-step authentication reset - for example, if they want to use a new mobile device for authentication.
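How the 30-second confirmation code can be computed and checked, as an added example that is not DRACOON's own code: it assumes the standard TOTP algorithm (RFC 6238, HMAC-SHA1) that apps such as Google Authenticator implement, and goes slightly beyond the text by also rejecting a second use of a code within its own 30-second window. The `Verifier` class, the function names and the sample secret are hypothetical.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds per confirmation code, as stated in the article
DIGITS = 6    # code length, as stated in the article


def totp(secret_b32: str, unix_time: float) -> str:
    """RFC 6238 code (HMAC-SHA1) for the 30-second window containing unix_time."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""))
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Hypothetical server-side check: current window only, one use per window."""

    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.last_step = -1       # last window in which a code was accepted

    def check(self, code: str, unix_time: float) -> bool:
        step = int(unix_time) // STEP
        if step <= self.last_step:                # window already used: replay
            return False
        expected = totp(self.secret, unix_time)
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False                          # wrong or expired code
        self.last_step = step
        return True


# Constructed sample secret: Base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    verifier = Verifier(SAMPLE_SECRET)
    code = totp(SAMPLE_SECRET, 59)                # window covering t = 30..59
    print("code:", code)
    print("first use accepted:", verifier.check(code, 59))
    print("reuse in same window accepted:", verifier.check(code, 59))
    print("old code, much later, accepted:", verifier.check(code, 1111111109))
```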
Restrictions when using two-step authentication
Please note the following restrictions before activating two-step authentication for users:
- Users who use two-step authentication in DRACOON can no longer be authenticated via WebDAV to DRACOON (as an alternative to WebDAV, the more powerful DRACOON for Windows/Mac is recommended).
- In addition, access to DRACOON with the user's account can no longer be fully automated (e.g. via script), since the authentication process requires manual user interaction with a mobile device.
Steps required before two-step authentication can be used
1 Enable two-step authentication
Two-step authentication is either mandated for the user by the configuration or user manager, or the user activates it himself in his user account.
2 Set up two-step authentication for use
The user sets up two-step authentication by logging in with the authentication app on his or her mobile device, scanning a QR code displayed by DRACOON, and then entering a confirmation code in DRACOON. The mobile device and the authentication app are thereby linked to the user's DRACOON account.
Sign in to DRACOON using two-step authentication
Every time the user signs in to DRACOON, two-step authentication now takes effect: In addition to a username and password, the user must also enter a confirmation code, which is renewed in the authentication app on the user's mobile device every 30 seconds.
Enable two-step authentication
DRACOON provides three ways to enable two-step authentication for users:
- Possibility 1: Require all users to use two-step authentication (DRACOON-wide policy).
- Possibility 2: Only certain users are required to use two-step authentication (user-specific policy).
- Possibility 3: Users who are not required to use two-step authentication can decide for themselves whether to use it.
Who is allowed to enforce two-step authentication for all users?
Only users who have the role configuration manager are allowed to impose two-step authentication on all users.
This also means that WebDAV can no longer be used by any user of your DRACOON environment.
In addition, it is then no longer possible to create a dedicated user account that accesses DRACOON fully automatically (e.g. by script), because the authentication process requires manual user interaction with a mobile device.
Therefore, if you are not sure about this, require two-step authentication only for specific users rather than for all users (see option 2 below).
- In the DRACOON Web App, in the left sidebar, click Settings > Security.
- In the "Two-step user authentication" section, activate the switch Require two-step authentication for all users.
- You also have the option of selecting whether this function should apply to all users, only internal users or only external users (guest users). This is a mass operation that is applied to all selected user groups.
Who is allowed to specify two-step authentication for specific users as a default?
Only users who have the role user manager are allowed to specify two-step authentication for certain users.
This is only possible if two-step authentication has not already been made mandatory for all users by the configuration manager (option 1 above).
- In the DRACOON Web App, click Settings in the left sidebar.
- The user list will be displayed. Highlight the user who must always use two-step authentication, and click Edit User in the right sidebar or context menu.
If, on the other hand, you want to create a new user who must use two-step authentication, click Create user in the right sidebar (the command is only visible as long as you have not selected an existing user).
- Select the checkbox Two-step user authentication required.
- Click Save.
Who is allowed to enable two-step authentication for their user account?
Every DRACOON user can decide for himself whether he wants to use two-step authentication - unless it has been made mandatory by the configuration manager for all users (possibility 1 above) or by the user manager for his user account (possibility 2 above).
- In the DRACOON Web App, click on your profile picture in the upper right corner, and then click Manage User Account in the menu.
- Click on the Security tab.
- In the "Two-step authentication" section, click the Enable button.
- The dialog box for setting up two-step authentication is displayed (see the next section).
Set up two-step authentication for use
If two-step authentication has been enabled for your user account, it must be set up once. This involves linking your mobile device (smartphone or tablet), on which a so-called authentication app (e.g. Google Authenticator) is installed, to your DRACOON user account.
If two-step authentication has been made mandatory for your user account, but not yet set up by you, you will receive the following notice when you log in to DRACOON:
Click Set up two-step authentication to begin the setup process.
The dialog box for setting up two-step authentication is displayed and consists of three steps:
- Install authentication app: If you do not have an authentication app installed on your mobile device yet, download one from the App Store (for iPhone) or Play Store (for Android). Well-known authentication apps include Authy, Google Authenticator and Microsoft Authenticator. You can decide for yourself which one you want to use.
- Scan QR code: Launch the installed authentication app on your mobile device, and use it to scan the QR code displayed in the "Set up two-step authentication" dialog box. If this is not possible, enter the secret key displayed below the QR code in the app.
- Enter confirmation code: A 6-digit confirmation code appears in the authentication app on your mobile device. You have 30 seconds to enter this confirmation code in the DRACOON dialog box in the 6-digit confirmation code field and click the Save button.
If the 30 seconds have elapsed and you have not yet finished entering the code, a new confirmation code will be automatically displayed, which you must enter within 30 seconds.
Your mobile device and the authentication app you are using are now associated with your DRACOON user account, and two-step authentication will be used from the next login to DRACOON.
You will receive a confirmation about this by email.
Sign in to DRACOON with two-step authentication
If you have set up two-step authentication for your user account, you must enter not only your username and password every time you log in to DRACOON, but also, in a second step, an additional numerical code - the so-called "one-time password". It is displayed in the authentication app linked to DRACOON on your mobile device and is valid for a limited time (30 seconds).
- To log in to DRACOON, first enter your username and your password, and click Login.
- On your mobile device, open the authentication app that you used when setting up two-step authentication with DRACOON. Depending on the app used, you must then select the desired user account in it (your DRACOON account).
- In the app, a confirmation code is displayed (also called a "one-time password" - a 6-digit combination of numbers that changes every 30 seconds). You have 30 seconds to enter the one-time password displayed in the app in DRACOON in the "Enter confirmation code" dialog box and click the Confirm button.
If the 30 seconds have elapsed and you have not yet finished typing, the app will automatically display a new confirmation code, which you must enter within 30 seconds.
If you have entered the confirmation code correctly and in time, you are now successfully logged in to DRACOON and can access your Data Rooms there.
Reset MFA (in case of change/loss of mobile device or the authentication app)
When you set up two-step authentication, your user account was linked to your mobile device and a specific authentication app installed on it. This means that you will not be able to log in to DRACOON if you can no longer access that device or app - for example, because you get a new smartphone, lose your previous smartphone, or accidentally uninstall the authentication app you were using.
For these cases, DRACOON offers to request a special reset of the MFA functionality from your user manager, which breaks the link to the previous mobile device and the previously used authentication app. After that, you can set up the two-step authentication again with the desired end device and app.
- Tell your DRACOON user manager that you can no longer authenticate via the previous two-step authentication and can no longer access DRACOON (for example, because you have received a new smartphone) and that you need him to reset your MFA configuration.
- Once you have received information from your user manager that your MFA configuration has been reset, you can carry out a reconfiguration.
The two-step authentication has been reset, and you can now set it up again with your desired mobile device and authentication app.
For user managers: Generate an emergency access code for a user (to reset the two-step authentication)
Security notice: If you are asked in writing by a user for a reset, check with them personally to make sure they actually requested this - another person may have fraudulently impersonated the user to gain access to the MFA configuration.
- In the DRACOON Web App, click Settings in the left sidebar.
- The user list is displayed. Select the user who requires a reset of the MFA and click on Reset two-step authentication in the right sidebar or in the context menu.
- The user is informed by e-mail that their MFA has been reset and that they can carry out a new configuration.
Disable two-step authentication
If you no longer want to use two-step authentication for your user account, you can disable it again - but only if you had enabled it yourself and it was not made mandatory for you by the configuration or user manager.
For security reasons, a confirmation code (one-time password) generated by the authentication app on your mobile device must also be entered to deactivate two-step authentication.
- In the DRACOON Web App, click on your profile picture in the top right corner, and then click Manage user account in the menu.
- Click on the Security tab.
- In the "Two-step authentication" section, click the Disable link.
The Disable link cannot be clicked if you are not allowed to disable two-step authentication because it has been made mandatory.
- On your mobile device, open the authentication app that you used when setting up two-step authentication with DRACOON. Depending on the app used, you must then select the desired user account in it (your DRACOON account).
- A 6-digit confirmation code (also called a "one-time password") appears in the authentication app on your mobile device. You have 30 seconds to enter this confirmation code in the DRACOON dialog box in the 6-digit confirmation code field and click the Disable button.
If the 30 seconds have elapsed and you have not yet finished entering the code, a new confirmation code will be automatically displayed, which you must enter within 30 seconds.
If you have entered the confirmation code correctly and in time, two-step authentication for your DRACOON user account is disabled, and you will only need to enter your username and password to log in to DRACOON in the future.
You will receive a confirmation about it by email.
Disable the user default for mandatory use of two-step authentication
- If you are a DRACOON user manager and no longer want to make the use of two-step authentication mandatory for certain users (by deselecting the check box Two-step user authentication for the user in the user management), the user in question is free to decide whether he or she wants to continue using it. Two-step authentication remains active for the user after the default has been deactivated, but the user can deactivate it in his user account at any time thereafter.
- Similarly, if you as a configuration manager no longer require the use of two-step authentication for all DRACOON users (by deactivating the switch Require two-step authentication for all users under Settings > Security), users are free to decide whether they want to continue using two-step authentication.
If you change the default to use two-step authentication for all users under Settings > Security, the default will be set for all DRACOON users - even for those for whom the user manager had explicitly specified that they must use two-step authentication.