Two-factor authentication (2FA) is a security feature that requires a second factor, in addition to login credentials, to authenticate users. The Cybersecurity & Infrastructure Security Agency (CISA) recommends enabling 2FA to protect your account if your login credentials are compromised. This article details the 2FA settings in OneView and how to reset 2FA if needed.
A mobile device with a camera and an authenticator app is needed to set up 2FA. Supported authenticator apps:
- Google Authenticator
- Authy
- 1Password
- Microsoft Authenticator
- Okta Verify
- Duo Mobile
- LastPass Authenticator
Require 2FA
Global Administrators can enable a global setting that requires all users to set up 2FA upon their next login. This ensures users are securing their accounts with 2FA.
- Go to Configure > Users.
- Click Two-factor authentication.
- Toggle on Require two-factor authentication for all users.
Manually enable 2FA
When the setting to require 2FA is disabled, users can set up 2FA in their profile settings. At the top right, click the display name > Profile. In the Security tab, toggle Enable Two-factor Authentication and follow the steps to set up 2FA.
2FA Recovery code
Global Administrators can enable a global setting that allows users to authenticate using a recovery code sent by email. This setting must be enabled in the console before using a recovery code. A recovery code is helpful in cases where a mobile device was lost or replaced. Enabling this setting could allow threat actors to bypass 2FA if the user's email account is compromised.
- Go to Configure > Users.
- Click the Two-factor authentication button.
- Toggle on Allow the recovery code to be sent via email.
Once the setting is enabled, users can request a recovery code.
Set recovery email address
After enabling the feature, each user with 2FA enabled is required to provide a recovery email address that belongs to a different domain than their OneView login email. This extra step is designed to provide an additional layer of security in case their login email is ever compromised.
Users are prompted to set a recovery address when logging in. If they didn't configure it during login or want to change it, they can manually set or update the recovery email address from the user profile menu. For more information, see 2FA recovery email.
Request a recovery code
- Go to the OneView login page.
- Enter the credentials to log in.
- Click Request recovery code.
- Check the email for the recovery code.
- Enter the recovery code in the verification screen and click Submit.
Reset 2FA
We recommend adding a second Global Administrator to OneView in case the first Global Administrator has to reset 2FA. Resetting 2FA allows a user to disable 2FA in case they've replaced their mobile device or have issues logging into OneView. If the recovery code option is disabled and a user must reset 2FA, have another Global Administrator follow these steps.
- Click Configure > Users.
- Locate the user and click the ellipsis icon.
- Click Reset 2FA.
If there are no other admins to reset 2FA, contact Support.