What is two-step authentication in DRACOON?
- Two-step authentication (also known as two-factor or multifactor authentication) increases security when users log in to DRACOON.
- The increased security is achieved by requiring users to enter a 6-digit confirmation code generated on the respective user's mobile device (smartphone or tablet) in addition to their username and password in a second step each time they log in.
- Since two-step authentication absolutely requires an additional physical object (the mobile device) for successful login, unauthorized login by other people using stolen credentials (username and password) alone is no longer possible.
- The additional confirmation code - also called a one-time password - is generated by an authentication app (e.g. Google Authenticator or Microsoft Authenticator) installed on the user's mobile device, which was linked to the user's DRACOON account during the two-step authentication setup (by scanning a QR code with the app).
- The confirmation code is time-bound - it changes every 30 seconds - and must be entered within this time window when logging in. This prevents a stolen confirmation code from being misused afterward - it would no longer work after 30 seconds.
- Two-step authentication can be mandated by the configuration or user manager for all or only certain users. Otherwise, users can decide for themselves whether they want to use it.
- By using an emergency access code, which they can obtain from the user manager if necessary, users can reset the two-step authentication - for example, if they want to use a new mobile device for authentication.
Restrictions when using two-step authentication
Please note the following restrictions before activating two-step authentication for users:
- Users who use two-step authentication in DRACOON can no longer be authenticated via WebDAV to DRACOON (as an alternative to WebDAV, the more powerful DRACOON for Windows/Mac is recommended).
- In addition, access to DRACOON with the user's account can no longer be fully automated (e.g. via script), since the authentication process requires manual user interaction with a mobile device.
Steps required before two-step authentication can be used
1 Enable two-step authentication
Two-step authentication is either mandated for the user by the configuration or user manager, or the user activates it themselves in their user account.
2 Set up two-step authentication for use
The user sets up two-step authentication by logging in with the authentication app on his or her mobile device, scanning a QR code displayed by DRACOON, and then entering a confirmation code in DRACOON. The mobile device and the authentication app are thereby linked to the user's DRACOON account.
Sign in to DRACOON using two-step authentication
Every time the user signs in to DRACOON, two-step authentication now takes effect: In addition to a username and password, the user must also enter a confirmation code, which is renewed in the authentication app on the user's mobile device every 30 seconds.
Enable two-step authentication
DRACOON provides three ways to enable two-step authentication for users:
- Possibility 1: Require all users to use two-step authentication (DRACOON-wide policy).
- Possibility 2: Require only certain users to use two-step authentication (user-specific policy).
- Possibility 3: Users for whom two-step authentication is not mandated can decide for themselves whether to use it.
Who is allowed to enforce two-step authentication for all users?
Only users who have the configuration manager role are allowed to require two-step authentication for all users.
This also means that WebDAV can no longer be used by any user of your DRACOON environment.
In addition, it is then no longer possible to set up a specific user account for fully automated access to DRACOON (e.g. by script), because the authentication process requires manual user interaction with a mobile device.
Therefore, if you are not sure about this, require two-step authentication only for specific users rather than for all users (see option 2 below).
- In the DRACOON Web App, in the left sidebar, click Settings > Security.
- In the "Two-step user authentication" section, activate the switch Require two-step authentication for all users.
Who is allowed to specify two-step authentication for specific users as a default?
Only users who have the role user manager are allowed to specify two-step authentication for certain users.
This is only possible if two-step authentication has not already been made mandatory for all users by the configuration manager (option 1 above).
- In the DRACOON Web App, click Settings in the left sidebar.
- The user list is displayed. Highlight the user who must always use two-step authentication, and click Edit User in the right sidebar or context menu.
If, on the other hand, you want to create a new user with two-step authentication, click Create user in the right sidebar (the command is only visible as long as you have not selected an existing user).
- Select the checkbox Two-step user authentication required.
- Click Save.
Who is allowed to enable two-step authentication for their user account?
Every DRACOON user can decide for themselves whether to use two-step authentication, unless it has been made mandatory by the configuration manager for all users (possibility 1 above) or by the user manager for their user account (possibility 2 above).
- In the DRACOON Web App, click on your profile picture in the upper right corner, and then click Manage User Account in the menu.
- Click on the Security tab.
- In the "Two-step authentication" section, click the Enable button.
- The dialog box for setting up two-step authentication is displayed (see the next section).
Set up two-step authentication for use
If two-step authentication has been enabled for your user account, it must be set up once. This involves linking your mobile device (smartphone or tablet), on which a so-called authentication app (e.g. Google Authenticator) is installed, to your DRACOON user account.
If two-step authentication has been made mandatory for your user account, but not yet set up by you, you will receive the following notice when you log in to DRACOON:
Click Set up two-step authentication to begin the setup process.
The dialog box for setting up two-step authentication is displayed and consists of three steps:
- Install authentication app: If you do not have an authentication app installed on your mobile device yet, download one from the App Store (for iPhone) or Play Store (for Android). Well-known authentication apps include Authy, Google Authenticator or Microsoft Authenticator. You can decide for yourself which one you want to use.
- Scan QR code: Launch the installed authentication app on your mobile device, and use it to scan the QR code displayed in the "Set up two-step authentication" dialog box. If this is not possible, enter the secret key displayed below the QR code in the app.
- Enter confirmation code: A 6-digit confirmation code appears in the authentication app on your mobile device. You have 30 seconds to enter this confirmation code in the 6-digit confirmation code field of the DRACOON dialog box and click the Save button.
If the 30 seconds have elapsed and you have not yet finished entering the code, a new confirmation code will be automatically displayed, which you must enter within 30 seconds.
Your mobile device and the authentication app you are using are now associated with your DRACOON user account, and two-step authentication will be used from the next login to DRACOON.
You will receive a confirmation about this by email.
Sign in to DRACOON with two-step authentication
If you have set up two-step authentication for your user account, you must enter not only your username and password every time you log in to DRACOON, but also, in a second step, an additional numerical code - the so-called "one-time password". This code is displayed in the authentication app linked to DRACOON on your mobile device and is valid for a limited time (30 seconds).
- To log in to DRACOON, first enter your username and your password, and click Login.
- On your mobile device, open the authentication app that you used when setting up two-step authentication with DRACOON. Depending on the app used, you must then select the desired user account in it (your DRACOON account).
- In the app, a confirmation code is displayed (also called "one-time password" - a 6-digit combination of numbers that changes every 30 seconds). You have 30 seconds to enter the one-time password displayed in the app in the "Enter confirmation code" dialog box in DRACOON and click the Confirm button.
If the 30 seconds have elapsed and you have not yet finished typing, the app will automatically display a new confirmation code, which you must enter within 30 seconds.
If you have entered the confirmation code correctly and in time, you are now successfully logged into DRACOON and can access your Data Rooms there.
Request emergency access code (in case of change/loss of mobile device or the authentication app)
When you set up two-step authentication, your user account was linked to your mobile device and a specific authentication app installed on it. This means that you will not be able to log in to DRACOON if you can no longer access it - for example, because you get a new smartphone, lose your previous smartphone, or accidentally uninstall the authentication app you were using.
For these cases, DRACOON offers to reset the two-step authentication via a special emergency access code, which breaks the link to the previous mobile device and the previously used authentication app. After that, you can set up the two-step authentication again with the desired end device and app.
To prevent the two-step authentication from being fraudulently reset by an unauthorized other person and linked to their end device, you must request the emergency access code from your DRACOON user manager:
- Tell your DRACOON user manager that you can no longer authenticate via the previous two-step authentication and can no longer access DRACOON (for example, because you have received a new smartphone) and that you need an emergency access code from them.
- When you have received the emergency access code from your user manager, click the No access to device or app? link in the "Enter confirmation code" dialog box when you log in to DRACOON.
- The Use Emergency Access Code dialog box appears. Enter the emergency access code you have received, and click Confirm.
The emergency access code generated by the user manager is valid for 6 hours. If the code has expired in the meantime and is no longer accepted, ask your user manager for a new emergency access code.
The two-step authentication has been reset, and you can now set it up again with your desired mobile device and authentication app.
For user managers: Generate an emergency access code for a user (to reset the two-step authentication)
Security notice: If you are asked in writing by a user for an emergency access code, check with them personally to make sure they actually requested the code - another person may have fraudulently impersonated the user to obtain the emergency access code.
- In the DRACOON Web App, click Settings in the left sidebar.
- The user list is displayed. Highlight the user who needs an emergency access code, and click Create emergency access code in the right sidebar or in the context menu.
- The emergency access code for the user is displayed and automatically copied to the clipboard.
- Send the emergency access code to the user as soon as possible, as it can only be used for 6 hours.
Disable two-step authentication
If you no longer want to use two-step authentication for your user account, you can disable it again - but only if you had enabled it yourself and it was not made mandatory for you by the configuration or user manager.
For security reasons, a confirmation code (one-time password) generated by the authentication app on your mobile device must also be entered to deactivate two-step authentication.
- In the DRACOON Web App, click on your profile picture in the top right corner, and then click Manage user account in the menu.
- Click on the Security tab.
- In the "Two-step authentication" section, click the Disable link.
The Disable link cannot be clicked if you are not allowed to disable two-step authentication because it has been made mandatory.
- On your mobile device, open the authentication app that you used when setting up two-step authentication with DRACOON. Depending on the app used, you must then select the desired user account in it (your DRACOON account).
- A 6-digit confirmation code (also called a "one-time password") appears in the authentication app on your mobile device. You have 30 seconds to enter this confirmation code in the 6-digit confirmation code field of the DRACOON dialog box and click the Disable button.
If the 30 seconds have elapsed and you have not yet finished entering the code, a new confirmation code will be automatically displayed, which you must enter within 30 seconds.
If you have entered the confirmation code correctly and in time, the two-step authentication for your DRACOON user account is disabled, and you will only need to enter your username and password to log in to DRACOON in the future.
You will receive a confirmation about it by email.
Disable the user default for mandatory use of two-step authentication
- If you are a DRACOON user manager and no longer want to make the use of two-step authentication mandatory for certain users (by deselecting the check box Two-step user authentication for the user in the user management), the user in question is free to decide whether he or she wants to continue using it. Two-step authentication remains active for the user after the default has been deactivated, but the user can deactivate it in his or her user account at any time thereafter.
- Similarly, if you as a configuration manager no longer require the use of two-step authentication for all DRACOON users (by deactivating the switch Require two-step authentication for all users under Settings > Security), users are free to decide whether they want to continue using two-step authentication.
If you change the default to use two-step authentication for all users under Settings > Security, the default will be set for all DRACOON users - even for those whom the user manager had explicitly required to use two-step authentication.