Two-Factor Authentication

enaio® 11.10

Two-factor authentication can be activated individually for each user.

Two-factor authentication is used when the user logs in to enaio® client, enaio® administrator, enaio® editor, enaio® capture, enaio® editor-for-workflow, and enaio® administrator-for-workflow.

If two-factor authentication is enabled for a user, this step takes place after the login process defined in the login settings in enaio® enterprise-manager.

Two-factor authentication for confirming subscriptions, for follow-ups, and for the forwarding of work items is not included in enaio® client. In addition, 2FA does not apply to confirmation requests via a script.

As a general rule, two-factor authentication should not be enabled for admin and technical users.

If two-factor authentication is enabled for a user, a QR code is shown to the user the first time he or she logs in after 2FA is activated. The user can scan this QR code to set up an account on a smartphone or tablet using a TOTP authenticator app installed on the device. A one-time 2FA password valid for 30 seconds is displayed in the account in the authenticator app. The user can log in with the user name and this one-time 2FA password.

He or she receives an e-mail to confirm that the account has been set up if an e-mail address is defined in the user data.

Managing Two-Factor Authentication

Two-factor authentication must be activated in enaio® enterprise-manager in order to be able to configure it in the user administration.

Two-factor authentication is activated for each user individually via the user administration in enaio® administrator:

  • Open the Security system window.
  • Click on the User administration tab.
    Users for whom two-factor authentication has already been activated are flagged in the 2FA column.
  • Select the users you want and click Edit 2FA > Activate in the context menu.
  • Confirm the changes with OK.

If two-factor authentication is deactivated in enaio® enterprise-manager or for all users after having been previously activated, the login settings from enaio® enterprise-manager apply again.

If two-factor authentication is re-activated, users can log in again using their existing account in the authenticator app.

Removing a Key

enaio® stores a secret key for each user as part of two-factor authentication. The secret key of a user can be removed via the context menu on the User administration tab.

If two-factor authentication is activated after the secret key is removed, users will need to set up an account in the authenticator app again using a QR code when logging in.

This step may be necessary if a user is unable to transfer the account when configuring a smartphone or tablet.

Account Name

The account name is preset to 'enaio' when the user sets up the account in the authenticator app. This preset can be changed by adding an entry to the as.cfg configuration file located in the \etc directory of the data directory:

[SYSTEM]
OTPISSUER=myenaio

Changes have no effect on existing accounts.
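
How the 30-second one-time password, the per-user secret key, and the account name relate in a standard TOTP enrollment, as an added example that is not enaio® code. It assumes RFC 6238 defaults (HMAC-SHA1, 6 digits) and the common otpauth:// key-URI layout for the QR code, neither of which this page specifies; the user name jdoe and both secrets are constructed test values.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode

# Constructed test secret (the RFC 6238 test key), not a real enaio key.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 code: HMAC-SHA1 over the number of 30 s steps since the epoch."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, unix_time):
    """Constant-time comparison against the code for the current time step only."""
    return hmac.compare_digest(totp(secret_b32, unix_time), str(code))

def provisioning_uri(issuer, user, secret_b32):
    """Assumed QR payload: the issuer is a display label, the secret drives the codes."""
    label = f"{quote(issuer)}:{quote(user)}"
    query = urlencode({"secret": secret_b32, "issuer": issuer, "period": 30})
    return f"otpauth://totp/{label}?{query}"

if __name__ == "__main__":
    # Same code anywhere inside one 30 s step, a different one in the next step.
    for t in (30, 59, 60):
        print(t, totp(SECRET, t))
    # Changing the issuer (OTPISSUER) changes only the label of new enrollments.
    print(provisioning_uri("enaio", "jdoe", SECRET))
    print(provisioning_uri("myenaio", "jdoe", SECRET))
    # A removed key means a new secret: codes from the old account stop verifying.
    new_secret = base64.b32encode(b"constructed-new-key!").decode()
    print(verify(SECRET, totp(SECRET, 59), 59), verify(new_secret, totp(SECRET, 59), 59))
```

Under these assumptions the issuer appears only in the enrollment URI, so an account already stored in the authenticator app keeps its old label and keeps producing valid codes for as long as the stored secret key is unchanged.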

User Enters One-Time 2FA Password Incorrectly

The application closes if the user enters the one-time 2FA password incorrectly five times.

However, user accounts are never locked, even if the security level in enaio® enterprise-manager sets a lock.