About two-factor authentication for an account
Kaspersky Security Center Linux provides two-factor authentication for users of Kaspersky Security Center Web Console. Two-factor authentication is based on the RFC 6238 standard (TOTP: Time-Based One-Time Password algorithm).
Every time you log in to Kaspersky Security Center Web Console, you enter your user name, password, and an additional one-time security code. To receive a one-time security code, you must have an authenticator app on the mobile device or computer.
Any authenticator app that supports the Time-Based One-Time Password (TOTP) algorithm can be used, for example, Google Authenticator. For the one-time security code to be generated correctly, the clock of the device running the authenticator app must be synchronized with the clock of the Administration Server device. For better accuracy, we recommend using the same NTP servers throughout your infrastructure.
To check whether Kaspersky Security Center Linux supports the authenticator app that you want to use, try configuring two-factor authentication with it.
One of the configuration steps asks you to enter the one-time security code generated by the authenticator app. If that step succeeds, Kaspersky Security Center Linux supports the selected authenticator app.
Generating a secret code by using an authentication app
An authenticator app generates the security code as follows:
- Administration Server generates a special secret key and QR code.
- You pass the generated secret key or QR code to the authenticator app.
- The authenticator app generates a single-use security code that you pass to the authentication window of Administration Server.
A security code has an identifier referred to as the security code issuer name. The security code issuer name identifies the Administration Server in the authenticator app. By default, the security code issuer name is the same as the name of the Administration Server; you can change it. A new security code issuer name takes effect on the Administration Server after the next sign-in. A security code is single-use and valid for up to 30 seconds (the exact time may vary).
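The steps above (secret key, QR code, single-use code valid for one 30-second step) and the time-synchronization requirement, worked through in Python as an added example; this is not Kaspersky's code, and it assumes the RFC 6238 defaults (30-second step, six digits, HMAC-SHA1), a one-step tolerance window on the verifying side, and the otpauth Key URI format that common authenticator apps read from a QR code, none of which the page documents for Administration Server.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

# RFC 6238 defaults used by common authenticator apps, assumed here to match
# what Administration Server issues: 30-second step, 6 digits, HMAC-SHA1.
TIME_STEP = 30
DIGITS = 6

def decode_secret(secret_b32: str) -> bytes:
    """Base32 secret as displayed by the server; restore padding apps often strip."""
    s = secret_b32.upper().replace(" ", "")
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 over the 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: the counter is the number of 30-second steps since the epoch."""
    return hotp(decode_secret(secret_b32), unix_time // TIME_STEP)

def verify_totp(secret_b32: str, code: str, server_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current step or +/- skew_steps neighbours.
    A device clock drifting beyond that window yields codes that are rejected,
    which is why the app device and Administration Server must agree on time."""
    secret = decode_secret(secret_b32)
    counter = server_time // TIME_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew_steps, skew_steps + 1))

def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """Key URI encoded in the QR code; the issuer label identifies the server in the app."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&period={TIME_STEP}&digits={DIGITS}")

# Constructed sample: the RFC 6238 Appendix B test secret, base32-encoded.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    t = 1111111109                      # RFC 6238 test time; expected code 081804
    print(totp(SAMPLE_SECRET, t))
    print(verify_totp(SAMPLE_SECRET, totp(SAMPLE_SECRET, t + 20), t))   # True: 1 step ahead
    print(verify_totp(SAMPLE_SECRET, totp(SAMPLE_SECRET, t + 90), t))   # False: 3 steps ahead
    print(provisioning_uri("KSC Administration Server", "admin", SAMPLE_SECRET))
```

The first output line matches the RFC 6238 test vector, and the two verification lines show a 20-second clock offset being tolerated while a 90-second offset is rejected.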
We highly recommend that you save the secret key (or QR code) and keep it in a safe place. This will help you to restore access to Kaspersky Security Center Web Console in case you lose access to the device with the authenticator app.
Two-factor authentication has the following features:
- Starting with Administration Server version 16.1, two-factor authentication is enabled automatically and the option to configure two-factor authentication at sign-in is disabled by default. Configuring two-factor authentication at sign-in is available only to users who are included in the two-factor authentication allowlist.
- A user can configure two-factor authentication only for his or her own account.
- A user can exclude accounts from two-factor authentication. This can be necessary for integration accounts that cannot receive a one-time security code for authentication. Integration accounts are used to run scripts through OpenAPI.
- To regenerate a two-factor authentication secret key, a user must reset the secret key for his or her own account.
- To reset or delete a two-factor authentication secret key for the account of another user, a user must have an account with configured two-factor authentication and with the Modify object ACLs right in the General features: User permissions functional area.
- To exclude accounts of other users from two-factor authentication or modify the two-factor authentication allowlist, a user must have an account with configured two-factor authentication and with the Modify object ACLs right in the General features: User permissions functional area.
- Two-factor authentication is enabled automatically only for Administration Server version 16.1. If other primary or secondary Administration Servers are running version 16 or earlier, their two-factor authentication settings will remain unchanged.
- A virtual Administration Server inherits two-factor authentication settings from the physical Administration Server so that if two-factor authentication is enabled on the physical Administration Server, it is also enabled on a virtual Administration Server. You cannot configure two-factor authentication settings on a virtual Administration Server.
- For two-factor authentication to function correctly, you need to upgrade the Administration Server and Web Console to version 16.1 or later.
To ensure comprehensive protection by using two-factor authentication, it is necessary to secure not only Administration Server but also the device on which it is installed. To do this, consider the Hardening guide recommendations.