About two-step verification for an account

Kaspersky Single Management Platform provides two-step verification for users of KSMP Console. When two-step verification is enabled for your own account, every time you log in to KSMP Console, you enter your user name, password, and an additional single-use security code. To receive a single-use security code, you must have an authenticator application on your computer or your mobile device.

A security code has an identifier referred to as issuer name. The security code issuer name is used as an identifier of the Administration Server in the authenticator application. You can change the name of the security code issuer name. The security code issuer name has a default value that is the same as the name of the Administration Server. The issuer name is used as an identifier of the Administration Server in the authenticator application. If you change the security code issuer name, you must issue a new secret key and pass it to the authenticator application. A security code is single-use and valid for up to 90 seconds (the exact time may vary).

Any user for whom two-step verification is enabled can reissue his or her own secret key. When a user authenticates with the reissued secret key and uses it for logging in, Administration Server saves the new secret key for the user account. If the user enters the new secret key incorrectly, Administration Server does not save the new secret key and leaves the current secret key valid for the further authentication.

Any authentication software that supports the Time-based One-time Password algorithm (TOTP) can be used as an authenticator application, for example, Google Authenticator. In order to generate the security code, you must synchronize the time set in the authenticator application with the time set for Administration Server.

To check if Kaspersky Single Management Platform supports the authenticator application that you want to use, enable two-step verification for all users or for a particular user.

One of the steps suggests that you specify the security code generated by the authenticator application. If it succeeds, then Kaspersky Single Management Platform supports the selected authenticator.

An authenticator application generates the security code as follows:

Administration Server generates a special secret key and QR code.
You pass the generated secret key or QR code to the authenticator application.
The authenticator application generates a single-use security code that you pass to the authentication window of Administration Server.

We highly recommend that you install an authenticator application on more than one device. Save the secret key (or QR code) and keep it in a safe place. This will help you to restore access to KSMP Console in case you lose access to your mobile device.

To secure the usage of Kaspersky Single Management Platform, you can enable two-step verification for your own account and enable two-step verification for all users.

You can exclude accounts from two-step verification. This can be necessary for service accounts that cannot receive a security code for authentication.

Two-step verification works according to the following rules:

Only a user account that has the Modify object ACLs right in the General features: User permissions functional area can enable two-step verification for all users.
Only a user that enabled two-step verification for his or her own account can enable the option of two-step verification for all users.
Only a user that enabled two-step verification for his or her own account can exclude other user accounts from the list of two-step verification enabled for all users.
A user can enable two-step verification only for his or her own account.
A user account that has the Modify object ACLs right in the General features: User permissions functional area and is logged in to KSMP Console by using two-step verification can disable two-step verification: for any other user only if two-step verification for all users is disabled, for a user excluded from the list of two-step verification that is enabled for all users.
Any user that logged in to KSMP Console by using two-step verification can reissue his or her own secret key.
You can enable the two-step verification for all users option for the Administration Server you are currently working with. If you enable this option on the Administration Server, you also enable this option for the user accounts of its virtual Administration Servers and do not enable two-step verification for the user accounts of the secondary Administration Servers.