Configuring two-factor authentication

Starting with Administration Server version 16.1, two-factor authentication is enabled automatically. The global option to disable two-factor authentication is not supported. This scenario provides steps to configure two-step authentication at first sign-in and configure two-factor authentication settings on Administration Server.

Stages

Configuring two-factor authentication proceeds in stages:

  1. Installing an authenticator app on a device

    You can install any application that supports the Time-Based One-Time Password algorithm (TOTP), such as:

    • Google Authenticator
    • Microsoft Authenticator
    • Bitrix24 OTP
    • Yandex ID
    • Avanpost Authenticator
    • Aladdin 2FA
    • Rutoken OTP

    To check if Kaspersky Security Center Linux supports the authenticator app that you want to use, enable two-factor authentication for all users or for a particular user.

    One of the steps prompts you to enter the security code generated by the authenticator app. If the code is accepted, Kaspersky Security Center Linux supports the selected authenticator.

    We strongly recommend that you do not install the authenticator app on the same device from which Administration Server is managed.

  2. Synchronizing the time on the device with the authenticator app with the time of the device on which Administration Server is installed

    Ensure that the time on the device with the authenticator app and the time on the device with the Administration Server are synchronized to UTC. For better accuracy, we recommend using the same NTP servers throughout your infrastructure. Otherwise, failures may occur while configuring two-factor authentication.

  3. Configuring two-factor authentication for user accounts at sign-in to Web Console

    Sign in to Web Console and configure two-factor authentication.

    If two-factor authentication configuration is not available to you, contact a user who has the Modify object ACLs right of the General features: User permissions functional area and who has configured two-factor authentication, and ask that user to add your account to the two-factor authentication allow list.

  4. Configuring two-factor authentication settings on Administration Server

    If you have configured two-factor authentication and have the Modify object ACLs right of the General features: User permissions functional area, you can configure two-factor authentication settings on Administration Server as follows:

    1. Reviewing the list of users who can configure two-step authentication at sign-in
    2. Excluding user accounts for which you do not need to enable two-factor authentication (optional)

      Exclude user accounts from two-factor authentication to allow them to sign in to Administration Server even if they have not configured two-factor authentication. Excluding accounts from two-factor authentication may be necessary for integration accounts that cannot provide a security code during authentication. Integration accounts are used to run scripts through OpenAPI.

    3. Resetting or deleting a two-factor authentication secret key (optional)

      You can reset a two-factor authentication secret key when a user loses access to his or her two-factor authentication device, or needs to set up two-factor authentication on a new device. You can also reset a secret key for your own account.

      You can delete a secret key to completely block a user from signing in to Web Console and prevent the user from accessing Administration Server.

    4. Editing the name of a security code issuer (optional)

      If you have several Administration Servers with similar names, you may have to change the security code issuer names so that the different Administration Servers are easier to tell apart.

Results

Upon completion of this scenario:

See also:

About two-factor authentication for an account

Excluding accounts from two-factor authentication
