Two Factor Authentication (2FA)

Overview

Two-factor authentication (2FA) is a security feature designed to enhance the protection of user accounts by requiring two forms of verification. This document outlines the purpose, target audience, user interface, and administrative configurations related to the 2FA feature in your application.

Purpose of the Feature

The primary purpose of implementing Two-Factor Authentication (2FA) is to enhance security within the application. By requiring users to provide two forms of verification—typically something they know (like a password) and something they have (like a mobile device or security token)—2FA adds an extra layer of protection against unauthorized access. This significantly reduces the risk of account breaches, ensuring that sensitive data remains secure even if a user's password is compromised.

Target Audience

The 2FA feature is designed for the following groups of users:

  • Regular Users: General users of the application who need to secure their accounts.

  • Admin Users: Users with administrative roles who manage and oversee the system, requiring additional security due to their elevated privileges.

  • Partner Users: External partners who interact with the system and need to ensure the security of their access to shared resources or sensitive data.

Specific Requirements

Authentication Methods

  • Authenticator Apps: Users must use either the Microsoft Authenticator or Google Authenticator app.

  • Time-Based One-Time Password (TOTP): The authenticator app generates a 6-digit code that changes every 30 seconds.

Technical Specifications

  • TOTP Algorithm: The system supports the standard TOTP algorithm (RFC 6238) for generating time-based codes.

  • Code Expiry: Each 6-digit code generated by the authenticator app expires after 30 seconds, after which a new code is generated.

  • Third-Party Integration: The application integrates with Microsoft Authenticator, Google Authenticator, or other TOTP-compatible authenticator apps to facilitate the 2FA process.

  • Backup Codes: Optionally, users may be provided with backup codes to use in case they lose access to their authenticator app.
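The following is an added illustration of the specification above (6-digit codes, 30-second time-steps, RFC 6238), not code from the CRM itself: it generates the per-user secret, builds the otpauth URI that a setup QR code typically encodes, computes codes the same way the authenticator app does, and verifies a submitted code on the server with a small drift window and a replay check so the same code cannot be reused within its 30 seconds. The issuer name and the per-user bookkeeping are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP = 30      # seconds per time-step (RFC 6238 default, matches the spec above)
DIGITS = 6     # code length shown in the authenticator app
WINDOW = 1     # accept one step of clock drift on either side of "now"


def new_secret() -> bytes:
    """Fresh per-user shared secret; 20 bytes is the RFC 4226 minimum for SHA-1."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str = "ExampleCRM") -> str:
    """otpauth:// URI that the setup QR code encodes; Google and Microsoft
    Authenticator both read this format. The issuer name is a placeholder."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits={DIGITS}&period={STEP}")


def totp_at(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HOTP(secret, floor(time / STEP)) truncated to DIGITS digits."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


class TotpVerifier:
    """Server-side check. Remembers the last accepted time-step per user so the
    same code cannot be submitted twice during its 30-second validity."""

    def __init__(self):
        self.last_counter = {}  # username -> last accepted time-step counter

    def verify(self, user, secret, code, now=None):
        now = int(time.time()) if now is None else now
        base = now // STEP
        for counter in range(base - WINDOW, base + WINDOW + 1):
            if hmac.compare_digest(totp_at(secret, counter * STEP), code):
                if counter <= self.last_counter.get(user, -1):
                    return False          # replayed code: already consumed
                self.last_counter[user] = counter
                return True
        return False                      # wrong or expired code (the UI error state)
```

The RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives 287082 once truncated to 6 digits) are a convenient way to check an implementation against what the authenticator app will display.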

User Interface Design

Once 2FA is enabled by the admin, all users are logged out for added protection, and on their next login they must set up the authentication process for the first time.

1. Initial Login

  • Description: The user first logs in using their username and password. Upon successful login, the user is prompted to proceed with the second step of authentication.

2. Setup Process

Scan QR Code:

  • Description: Users download the Google / Microsoft Authenticator app from the Play Store or App Store, then scan the QR code shown during login. The QR code is shown only once. For future logins, users will enter the current 6-digit code from their authenticator app.

Enter 6-Digit Code:

  • Description: The app generates a 6-digit code that refreshes every 30 seconds. Users must enter this code to log in: enter the current 6-digit code and click the Verify button, and you will be logged in to the CRM.

3. 2FA Code Entry Screen

  • Description: Once the user has completed the 2FA setup, every subsequent time they enter their credentials they are directed to a screen where they must enter the 6-digit code generated by their authenticator app.

4. 2FA Code Entry (Error State)

  • Description: If the user enters an incorrect or expired code, an error message is displayed, prompting them to enter a new code.

5. 2FA Recovery Code Entry

  • Description: If the user has lost access to their authenticator app, they can enter a one-time recovery code provided by the admin to bypass 2FA and reset it.

6. Successful Login with 2FA

  • Description: After successfully entering the 2FA code, the user gains access to the application.

Administrative Configurations and Permissions

1. Accessing the 2FA Configuration

  • Description: Administrators can access the 2FA settings from the Security section in the Admin Panel. This is where they can manage the activation and settings related to 2FA.

2. Enabling/Disabling 2FA

  • Description: Admins can enable or disable 2FA for all users by checking or unchecking the box. After enabling Two-Factor Authentication (2FA), all users, including admins, must complete 2FA after verifying their email/username and password. Enabling 2FA logs out users once for added security. Upon re-login, they will see a QR code to set up 2FA with their authenticator app.

3. Resetting a User’s QR Code

  • Description: Admins can reset a user’s QR code if the user needs to reconfigure their 2FA setup. This is done by selecting the user from a dropdown menu and clicking on "Reset QR Code."

4. Accessing a User’s Recovery Code

  • Description: If a user has lost access to their authenticator app, the admin can provide a one-time recovery code. This code is generated and can be copied from the admin panel.

5. Viewing 2FA Status for Users

  • Description: The admin panel also provides a view of the 2FA status for all users, showing who has verified their 2FA setup and who has not.

Potential Challenges and Best Practices

Challenges

  1. Forgotten or Lost Device:

    • Users may forget or lose access to their devices with the authenticator app, making it difficult to log in.

  2. Device Issues:

    • Users may face situations where their device is broken, stolen, or inaccessible.

Best Practices

  1. One-Time Recovery Code:

    • If a user forgets or loses their device, they can request a one-time recovery code from the admin. This code will allow them to bypass 2FA for a single login and reset their 2FA setup.

  2. 2FA Reset by Admin:

    • In cases where a user’s device is broken or they lose access to their authenticator app, the admin can reset the 2FA configuration from the admin panel. The user can then set up 2FA again using a new device.

  3. Clear Communication and Guidance:

    • Provide users with clear instructions on how to set up and use 2FA, including what to do if they lose access to their device. Consider offering training or FAQs to help users understand the importance of 2FA and how to manage it effectively.
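The one-time recovery code described in best practices 1 and 2 (and under "Accessing a User's Recovery Code" above), as an added example that is not the CRM's own code: the admin action mints a random code and stores only its hash, and redeeming it succeeds at most once, discards the code, and clears the old TOTP enrolment so the next login shows a new QR code. The in-memory user record and its field names are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory user store for the example; a real CRM persists these fields.
USERS = {
    "alice": {"totp_secret": b"\x01" * 20, "totp_verified": True, "recovery_hash": None},
}


def issue_recovery_code(username: str) -> str:
    """Admin panel action: mint a one-time code, keep only its hash, and return the
    plaintext exactly once so the admin can hand it to the user."""
    # 64 bits of randomness, grouped for readability, e.g. 1A2B-3C4D-5E6F-7A8B.
    code = "-".join(secrets.token_hex(2).upper() for _ in range(4))
    # A plain SHA-256 is adequate here because the code is high-entropy and random,
    # unlike a user-chosen password.
    USERS[username]["recovery_hash"] = hashlib.sha256(code.encode()).digest()
    return code


def redeem_recovery_code(username: str, submitted: str) -> bool:
    """Login step 5 (recovery code entry): a successful redemption bypasses TOTP for
    this login only, invalidates the code, and forces a fresh 2FA enrolment."""
    user = USERS.get(username)
    if not user or user["recovery_hash"] is None:
        return False                      # no code outstanding for this user
    candidate = hashlib.sha256(submitted.strip().upper().encode()).digest()
    if not hmac.compare_digest(candidate, user["recovery_hash"]):
        return False                      # wrong code: same error state as a bad TOTP
    user["recovery_hash"] = None          # single use: never accepted again
    user["totp_secret"] = None            # old enrolment is gone ...
    user["totp_verified"] = False         # ... so the next login presents a new QR code
    return True
```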
