Two-factor authentication (2FA) is a security method that authenticates users with two factors. The Cybersecurity & Infrastructure Security Agency (CISA) recommends enabling 2FA to protect your account in case your login credentials are compromised. This article goes over the 2FA settings and how to reset 2FA if needed.
A mobile device with a camera and an authenticator app installed is needed to set up 2FA. Supported authenticator apps:
- Google Authenticator
- Authy
- 1Password
- Microsoft Authenticator
- Okta Verify
- Duo Mobile
- LastPass Authenticator
Require 2FA
Super Admins can enable a global setting that requires all users to use 2FA when logging in to Nebula. This ensures users are protecting their accounts with 2FA.
- Go to Configure > Users.
- Click the Two-factor authentication button.
- Toggle on Require two-factor authentication for all users.
Manually enable 2FA
When the setting to require 2FA is disabled, users can manually set up 2FA in their profile settings. At the top right, click the display name > Profile. In the Security tab, toggle on Two-factor Authentication and follow the instructions to set up 2FA.
2FA Recovery code
Super Admins can enable a global setting that allows users to authenticate with a recovery code sent by email. However, this setting must be enabled and configured before a recovery code is needed.
A recovery code is useful in cases where a mobile device has been lost or replaced. Keep in mind that enabling this setting may pose a security risk, because it allows a threat actor who has compromised the email account to bypass 2FA.
To enable this feature, a Super Admin must:
- Go to Configure > Users.
- Click the Two-factor authentication button.
- Toggle on Allow the recovery code to be sent via email.
Set recovery email address
After enabling the feature, each user with 2FA enabled is required to provide a recovery email address that belongs to a different domain than their Nebula login email. This extra step is designed to provide an additional layer of security in case their login email is ever compromised.
Users are prompted to set a recovery address when logging in. If they didn't configure it during login or want to change it, they can manually set or update the recovery email address from the user profile menu. For more information, see 2FA recovery email.
Request a recovery code
Once the setting is enabled and a recovery email is added, a user can request a recovery code.
- Go to the Nebula login page.
- Enter a Nebula email address and password.
- Click Try another way.
- Click Send.
- Check the email for the recovery code.
- Enter the recovery code in the verification screen and click Submit.
Reset 2FA
We recommend having a second Super Admin in Nebula in case you ever need to reset 2FA. Resetting 2FA allows a user to disable 2FA in case they've replaced their mobile device or have issues logging into Nebula. If the recovery code option is disabled and you need to reset 2FA, have another Super Admin follow these steps.
- Click Configure > Users.
- Click Reset next to the user who needs their 2FA reset.
- In the confirmation window, click Reset 2FA.
If there are no other Super Admins to reset 2FA, contact Support.