[Tietoevry DevOps Space manual] All Content Feed | Confluence Syndication Feed | https://wiki.tds.tieto.com | Multi factor authentication | Joanna Duma | tag:wiki.tds.tieto.com,2009:page-80413646-16 | 2024-03-25T18:57:25Z | 2021-11-20T13:34:19Z<div class="feed"> <p>
Page
<b>edited</b> by
<a href="https://wiki.tds.tieto.com/display/~piechjoa">Joanna Duma</a>
</p>
<div style="border-top: 1px solid #ddd; border-bottom: 1px solid #ddd; padding: 10px;">
<p><div class='toc-macro rbtoc1711703787555'>
<ul class='toc-indentation'>
<li><a href='#Multifactorauthentication-Introduction'>Introduction</a></li>
<li><a href='#Multifactorauthentication-EnablingMFA'>Enabling MFA</a>
<ul class='toc-indentation'>
<li><a href='#Multifactorauthentication-Forspecificuser'>For specific user</a></li>
<li><a href='#Multifactorauthentication-Forarea/project'>For area/project</a></li>
</ul>
</li>
<li><a href='#Multifactorauthentication-OTPtokenreset/enable'>OTP token reset/enable</a></li>
<li><a href='#Multifactorauthentication-OTPtokenconfiguration'>OTP token configuration</a></li>
<li><a href='#Multifactorauthentication-Troubleshooting'>Troubleshooting</a>
<ul class='toc-indentation'>
<li><a href='#Multifactorauthentication-Onetimecodeisnotaccepted'>One time code is not accepted</a></li>
</ul>
</li>
</ul>
</div></p><h1 id="Multifactorauthentication-Introduction">Introduction</h1><p>The TDS platform uses an SSO solution based on Keycloak. It is usually standalone, and users can sign in either with the basic authentication procedure (username and password) or with multi-factor authentication (MFA) using a time-based OTP token.</p><h1 id="Multifactorauthentication-EnablingMFA">Enabling MFA</h1><h2 id="Multifactorauthentication-Forspecificuser">For specific user</h2><p>A user can enable MFA via the user profile on the portal or via the OTP token reset on the TDS SSO login page.</p><ul><li>Go to User profile</li><li>Enable the <em>Enable Multi-factor Authentication (MFA)</em> feature</li></ul><h2 id="Multifactorauthentication-Forarea/project">For area/project</h2><p>The following steps enable multi-factor authentication at the area/project level. Members of the area/project will be required to set up TDS OTP tokens during their next sign-in using a TDS password or the AzureAD/ADFS integration, unless they already use MFA in TDS. The TDS OTP token is then required every time they sign in using a TDS password.</p><ul><li>Go to Area/Project configuration</li><li>Enable the <em>Enforce MFA for all area/project members</em> feature</li></ul><p>Customers using the <a href="https://wiki.tds.tieto.com/display/TDSKB/Single+sign+on+-+SSO#SinglesignonSSO-AzureADorADFSauthentication">AzureAD/ADFS integration</a> only configure an OTP token if they do not have one. They are not required to use the TDS OTP token to sign in, as they already use an MFA-capable SSO integration.</p><h1 id="Multifactorauthentication-OTPtokenreset/enable">OTP token reset/enable</h1><ul><li>Go to the TDS Portal login screen</li><li>Click on <em>Reset or enable OTP token for TDS Multi Factor Authentication (MFA)</em></li></ul><h1 id="Multifactorauthentication-OTPtokenconfiguration">OTP token configuration</h1><p>The following steps need to be carried out during the first login with MFA enabled or after resetting your OTP token.</p><ol><li>Install an application capable of generating time-based OTP tokens. 
One of the following applications is recommended:<ul><li>Browser extensions<ul><li>Chrome<ul><li><a href="https://chrome.google.com/webstore/detail/authenticator/bhghoamapcdpbohphigoooaddinpkbai" class="external-link" rel="nofollow">Authenticator by authenticator.cc</a></li></ul></li><li>Edge<ul><li><a href="https://microsoftedge.microsoft.com/addons/detail/authenticator-2fa-client/ocglkepbibnalbgmbachknglpdipeoio" class="external-link" rel="nofollow">Authenticator: 2FA Client by mymindstorm</a></li></ul></li><li>Firefox<ul><li><a href="https://addons.mozilla.org/en-US/firefox/addon/auth-helper/?src=external-website" class="external-link" rel="nofollow">Authenticator by mymindstorm</a></li></ul></li></ul></li><li>Android<ul><li><a href="https://play.google.com/store/apps/details?id=com.azure.authenticator" class="external-link" rel="nofollow">Microsoft Authenticator</a> (recommended for Tietoevry users)</li><li><a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2" class="external-link" rel="nofollow">Google Authenticator</a></li><li><a href="https://play.google.com/store/apps/details?id=com.authy.authy" class="external-link" rel="nofollow">Twilio Authy 2-Factor Authentication</a></li><li><a href="https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp" class="external-link" rel="nofollow">FreeOTP 
Authenticator</a></li></ul></li><li>iOS<ul><li><a href="https://apps.apple.com/us/app/microsoft-authenticator/id983156458" class="external-link" rel="nofollow">Microsoft Authenticator</a> (recommended for Tietoevry users)</li><li><a href="https://apps.apple.com/app/google-authenticator/id388497605" class="external-link" rel="nofollow">Google Authenticator</a></li><li><a href="https://apps.apple.com/us/app/twilio-authy/id494168017" class="external-link" rel="nofollow">Twilio Authy by Authy Inc.</a></li><li><a href="https://apps.apple.com/cz/app/authenticator/id766157276?l=cs" class="external-link" rel="nofollow">Authenticator by Matt Rubin</a></li></ul></li><li>Windows<ul><li><a href="https://winauth.github.io/winauth/" class="external-link" rel="nofollow">WinAuth</a></li></ul></li><li>Password Managers<ul><li><a href="https://bitwarden.com/help/authenticator-keys/" class="external-link" rel="nofollow">Bitwarden</a></li><li><a href="https://support.1password.com/one-time-passwords/" class="external-link" rel="nofollow">1Password</a></li></ul></li></ul></li><li>Open the application and scan the QR code displayed<ol><li>If you are unable to scan the QR code, the key code may be used instead. Click on <em>Unable to scan?</em> to get the key.</li></ol></li><li>Enter the one-time code provided by the application and click submit to finish the setup. 
</li></ol><p><br/></p><div class="confluence-information-macro confluence-information-macro-information"><span class="aui-icon aui-icon-small aui-iconfont-info confluence-information-macro-icon"></span><div class="confluence-information-macro-body"><p>The OTP token is provided only once, either as the QR code or as the code visible under the <em>Unable to scan?</em> button. If the OTP token is lost, use the TDS OTP token reset functionality available on the TDS SSO login page (see the <em>OTP token reset/enable</em> section).</p></div></div><h1 class="auto-cursor-target" id="Multifactorauthentication-Troubleshooting">Troubleshooting</h1><h3 id="Multifactorauthentication-Onetimecodeisnotaccepted">One time code is not accepted</h3><p>Possible reasons and solutions:</p><ul style="list-style-type: square;"><li>The device or the application/plugin used for OTP tokens has changed<ul style="list-style-type: square;"><li>Solution: go back to the login screen and reset the OTP token from there (see the <em>OTP token reset/enable</em> section)</li></ul></li><li>The date/time could be out of sync on the device generating one-time codes<ul style="list-style-type: square;"><li>Solution: make sure the device or application/plugin has its time in sync<ul style="list-style-type: square;"><li>Google Authenticator: tap on the hamburger menu (⋮) in the top right corner &gt; Settings &gt; Time correction for codes &gt; Sync now.</li></ul></li></ul></li><li>The OTP does not work after time sync<ul style="list-style-type: square;"><li>Solution: go back to the login screen and reset the OTP token from there (see the <em>OTP token reset/enable</em> section)</li></ul></li></ul>
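<p>Why an out-of-sync clock makes a one-time code fail, shown as an added example that is not part of the TDS manual or TDS code: an RFC 6238 generator for the key shown under <em>Unable to scan?</em> and a verifier that tolerates one time step either side. The HMAC-SHA1, 6-digit, 30-second parameters, the one-step window and the sample key are assumptions; the page does not state the OTP policy TDS uses.</p>

```python
import base64
import hashlib
import hmac
import struct


def totp(key_b32: str, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (assumed parameters, see lead-in)."""
    # Apps display the key in Base32, often lower-case and grouped with spaces.
    cleaned = key_b32.replace(" ", "").upper()
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = unix_time // period  # index of the current time step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts(key_b32: str, code: str, server_time: int,
                   window: int = 1, period: int = 30) -> bool:
    """Accept a code from the server's current step or `window` steps either side."""
    return any(
        hmac.compare_digest(totp(key_b32, server_time + i * period, period), code)
        for i in range(-window, window + 1)
    )


# Constructed sample: the RFC 6238 test secret "12345678901234567890" in Base32.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SERVER_NOW = 1111111109  # timestamp taken from the RFC 6238 test vectors


def code_from_device(clock_error_seconds: int) -> str:
    """Code displayed by a device whose clock is off by the given number of seconds."""
    return totp(SAMPLE_KEY, SERVER_NOW + clock_error_seconds)


if __name__ == "__main__":
    for drift in (0, 30, -59, -60, 300):
        code = code_from_device(drift)
        ok = server_accepts(SAMPLE_KEY, code, SERVER_NOW)
        print(f"device clock {drift:+4d}s -> code {code} "
              f"{'accepted' if ok else 'rejected'}")
```

<p>The accepted range is not symmetric around the server time because it is counted in whole 30-second steps: here a device 59 seconds slow still lands in an accepted step, while one 60 seconds slow does not.</p>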
</div>
<div style="padding: 10px 0;">
<a href="https://wiki.tds.tieto.com/display/TDSKB/Multi+factor+authentication">View Online</a>
·
<a href="https://wiki.tds.tieto.com/pages/diffpagesbyversion.action?pageId=80413646&revisedVersion=16&originalVersion=15">View Changes Online</a>
</div>
</div>Joanna Duma 2021-11-20T13:34:19Z