Cloud
Enabling 2FA
Note that each user has to set up their own 2FA (unless SSO is enabled, see the Disabling 2FA Enforcement for All Users section below). An admin cannot set up the 2FA for other users.
On Cloud deployments, 2FA is always enforced. If you don't already have 2FA set up on your account, you will be redirected automatically to the 2FA set up page:
1. Open your 2FA app such as Google Authenticator on your 2FA device (e.g. your mobile phone). Scan the QR code displayed on the screen (on Google Authenticator, you can do so by tapping the + button and then selecting the Scan a QR code option). The site will be added to your authenticator app and you will start to see the time-based code displayed under your instance and email address (e.g., acmeco:[email protected]
).
You can also click the Enter key manually link to enter the key manually in the authenticator app.
2. Enter the time-based code from Google Authenticator into the second field, Enter 6-digit code... field.
3. Enter your password into the third field.
4. You will see a "Time left" count down that shows how much time you have to set up the 2FA. After the time is expired, you will be logged out.
The time left value is taken from the Settings > Security > IDLE TIMEOUT field:
If the timeout is expired and the user hasn't set up the 2FA, they will be logged out. The event will be recorded in the System > System Log and the BI Reports > Audit reports as a Logout/Time left event:
5. Press the Continue button. You will be taken to another screen:
6. Copy/save your recovery code in a secure place. If you lose your device, you can use this one time code to log into your account.
7. Click the checkmark in front of the acknowledgement text.
8. Click the Return back to the Dashboard button to return to your Teramind Dashboard.
If you are using a Cloud trial, the 2FA will be enforced from the next day (after the instance is created). You will not have the 2FA on your first login.
9. Next time you log in, you will be shown the 2FA screen. Enter the code from your 2FA authentication app.
Usually the authenticator app generates a new code every 30 seconds. If a code is expired you will see an error. Enter a new code to continue.
10. You can enable the Trust this device for 15 days option to skip the above step for 15 days.
11. Press Enter or click the tick-mark button to log in.
Disabling 2FA
1. From your Teramind Dashboard, click your user name near the top-right corner.
2. Select My profile from the pop-up menu.
3. Select the AUTHENTICATION tab from the My profile window.
4. If 2FA is enabled, you will see a DISABLE button. Click that button. You might be prompted to confirm with your password/2FA Code/LDAP Password. Once you confirm, 2FA will be disabled from your account.
Disabling 2FA Enforcement for All Users
You can disable the 2FA enforcement for all users if you enable the Single Sign On (SSO) authentication. You can configure them on the Settings > Security screen under the Dashboard authentication section:
If you disable the SINGLE-SIGN-ON AUTHENTICATION and enable the BASIC USER/PASSWORD AUTHENTICATION then FORCE USERS TO LOG IN USING 2-FACTOR AUTHENTICATION will be automatically enabled.
On-Premise
Enabling 2FA
Note that each user has to set up their own 2FA. An admin cannot set up the 2FA for other users.
1. From your Teramind Dashboard, click your user name near the top-right corner.
2. Select My profile from the pop-up menu.
3. Select the AUTHENTICATION tab from the My profile window.
4. If 2FA is disabled, you will see an ENABLE button under 2-Factor authentication via Authenticator app. Click that button. A new window/tab will open:
5. Open your 2FA app such as Google Authenticator on your 2FA device (e.g. your mobile phone). Scan the QR code displayed on the screen (on Google Authenticator, you can do so by tapping the + button and then selecting the Scan a QR code option). The site will be added to your authenticator app and you will start to see the time-based code displayed under your instance and email address (e.g., acmeco:[email protected]
).
You can also click the Enter key manually link to enter the key manually in the authenticator app.
6. Enter the time-based code from Google Authenticator into the second field, Enter 6-digit code... field.
7. Enter your password into the third field.
8. You will see a "Time left" count down that shows how much time you have to set up the 2FA. After the time is expired, you will be logged out.
The time left value is taken from the Settings > Security > IDLE TIMEOUT field:
If the timeout is expired and the user hasn't set up the 2FA, they will be logged out. The event will be recorded in the System > System Log and the BI Reports > Audit reports as a Logout/Time left event:
9. Press the Continue button. You will be taken to another screen:
10. Copy/save your recovery code in a secure place. If you lose your device, you can use this one time code to log into your account.
11. Click the checkmark in front of the acknowledgement text.
12. Click the Return back to the Dashboard button to return to your Teramind Dashboard.
13. Click the AUTHENTICATION tab on the My profile window.
14. Click the APPLY CHANGES button on the My profile window to activate 2FA.
15. Next time you log in, you will be shown the 2FA screen. Enter the code from your 2FA authentication app.
Usually the authenticator app generates a new code every 30 seconds. If a code is expired you will see an error. Enter a new code to continue.
16. You can enable the Trust this device for 15 days option to skip the above step for 15 days.
17. Press Enter or click the tick-mark button to log in.
Disabling 2FA
1. From your Teramind Dashboard, click your user name near the top-right corner.
2. Select My profile from the pop-up menu.
3. Select the AUTHENTICATION tab from the My profile window.
4. If 2FA is enabled, you will see a DISABLE button under 2-Factor authentication via Authenticator app. Click that button. You might be prompted to confirm with your password/2FA Code/LDAP Password. Once you confirm, 2FA will be disabled from your account.
Enabling/Disabling 2FA Authentication via the Email
You will need to log into the account using a 2FA auth code via an authenticator app before you can enable the email-based 2FA authentication.
Enabling Email-Based 2FA
1. Click the Gear icon near the top-right corner of the dashboard.
2. Select Settings.
3. Select Security from the left tabs.
4. Enable the ENABLE MFA VIA EMAIL option.
5. Click the SAVE button.
6. From your Teramind Dashboard, click your user name near the top-right corner.
7. Select My profile from the pop-up menu.
8. Select the AUTHENTICATION tab from the My profile window.
9. Click the ENABLE button under 2-Factor authentication via Email. You will be sent the 2FA code to your email address:
Then, a new window will open:
10. Enter the code in the 2FA field. Note that first time you set up the email 2FA, it might take some time (up to a few minutes) for the 2FA code to be sent.
11. If you didn't receive the 2FA code after waiting for a few minutes, click the Resend Code link to send the code again.
12. Click the Continue button to go back to the dashboard.
Next time you login, you will see an option to choose the Email 2FA option:
If you see a Expired 2F Code error, it means you took too long to enter the 2FA code and it's now expired. Click the Resend Code link to get a new code. Note that The code sent to the email is valid for 2 minutes only and the Resend Code button will not send another email until that current code expires.
Disabling Email-Based 2FA
1. From your Teramind Dashboard, click your user name near the top-right corner.
2. Select My profile from the pop-up menu.
3. Select the AUTHENTICATION tab from the My profile window.
4. If Email 2FA is enabled, you will see a DISABLE button under 2-Factor authentication via Email. Click that button.
5. Click the APPLY CHANGES button.
Resetting/Recovering the 2FA
1. From the 2-Factor Authentication screen, click the Authenticator App button. You will be asked to enter code from the authenticator app:
2. Click the Lost your authentication device? link. You will be taken to the 2FA Recovery screen:
3. Enter the recovery code and press Enter or click the tick-mark button.
If you have lost your recovery code, please contact our support team: [email protected].