About two-step verification

April 17, 2023

ID 211333

Kaspersky Security Center provides two-step verification for users of Kaspersky Security Center 13.2 Web Console. When two-step verification is enabled for your own account, every time you log in to Kaspersky Security Center 13.2 Web Console, you enter your user name, password, and an additional single-use security code. If you use domain authentication for your account, you only have to enter an additional single-use security code. To receive a single-use security code, you must have an authenticator application on your computer or your mobile device.

A security code has an identifier referred to as the issuer name. The issuer name is used as an identifier of the Administration Server in the authenticator application. Its default value is the same as the name of the Administration Server, and you can change it. If you change the security code issuer name, you must issue a new secret key and pass it to the authenticator application. A security code is single-use and valid for up to 90 seconds (the exact time may vary).

Any user for whom two-step verification is enabled can reissue his or her own secret key. When a user authenticates with the reissued secret key and uses it for logging in, Administration Server saves the new secret key for the user account. If the user enters the new secret key incorrectly, Administration Server does not save the new secret key and leaves the current secret key valid for further authentication.

Any authentication software that supports the Time-based One-time Password algorithm (TOTP) can be used as an authenticator application, for example, Google Authenticator. In order to generate the security code, you must synchronize the time set in the authenticator application with the time set for Administration Server.

An authenticator application generates the security code as follows:

  1. Administration Server generates a special secret key and QR code.
  2. You pass the generated secret key or QR code to the authenticator application.
  3. The authenticator application generates a single-use security code that you pass to the authentication window of Administration Server.
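The exchange above, sketched as an added example (not Kaspersky code): a standard RFC 6238 TOTP generator, the `otpauth://` key URI that a QR code commonly carries together with the issuer name, and a server-side check that tolerates one time step of clock drift. The 30-second step, 6 digits, HMAC-SHA-1, the ±1-step window, the URI format and the names `KSC-Server-01` and `admin` are assumptions; the page does not state the parameters Administration Server uses.

```python
import base64, hashlib, hmac, struct
from urllib.parse import quote

STEP = 30    # seconds per time step (RFC 6238 default; assumed)
DIGITS = 6   # code length (assumed)
WINDOW = 1   # time steps of clock drift accepted on each side (assumed)

def provisioning_uri(secret_b32, account, issuer):
    """Key URI for a QR code: carries the secret and the issuer name."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&period={STEP}&digits={DIGITS}")

def totp(secret_b32, unix_time):
    """RFC 6238 code for the time step that contains unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, code, server_time):
    """Accept the code for the server's current step or a neighbouring one."""
    for drift in range(-WINDOW, WINDOW + 1):
        t = server_time + drift * STEP
        if t < 0:
            continue  # no time step before the epoch
        if hmac.compare_digest(totp(secret_b32, t).encode(), code.encode()):
            return True
    return False

# Constructed sample secret: the RFC 6238 test key, Base32-encoded.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(provisioning_uri(SECRET, "admin", "KSC-Server-01"))
    code = totp(SECRET, 59)  # what the authenticator shows at t = 59 s
    for server_clock in (30, 59, 89, 90, 180):
        print(server_clock, verify(SECRET, code, server_clock))
```

With these assumed parameters a code is accepted across three 30-second steps, which is one way a validity of up to 90 seconds arises, and a server clock that drifts further than that rejects otherwise correct codes.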

We highly recommend that you install an authenticator application on more than one device. Save the secret key (or QR code) and keep it in a safe place. This will help you to restore access to Kaspersky Security Center 13.2 Web Console in case you lose access to your mobile device.

To secure the usage of Kaspersky Security Center, you can enable two-step verification for your own account and enable two-step verification for all users.

You can exclude accounts from two-step verification. This can be necessary for service accounts that cannot receive a security code for authentication.

Two-step verification works according to the following rules:

  • Only a user account that has the Modify object ACLs right in the General features: User permissions functional area can enable two-step verification for all users.
  • Only a user that enabled two-step verification for his or her own account can enable the option of two-step verification for all users.
  • Only a user that enabled two-step verification for his or her own account can exclude other user accounts from the list of two-step verification enabled for all users.
  • A user can enable two-step verification only for his or her own account.
  • A user account that has the Modify object ACLs right in the General features: User permissions functional area and is logged in to Kaspersky Security Center 13.2 Web Console by using two-step verification can disable two-step verification:
      • For any other user, only if two-step verification for all users is disabled.
      • For a user excluded from the list of two-step verification that is enabled for all users.
  • Any user that logged in to Kaspersky Security Center 13.2 Web Console by using two-step verification can reissue his or her own secret key.
  • You can enable the two-step verification for all users option for the Administration Server you are currently working with. If you enable this option on the Administration Server, you also enable this option for the user accounts of its virtual Administration Servers and do not enable two-step verification for the user accounts of the secondary Administration Servers.

If two-step verification is enabled for a user account on Kaspersky Security Center Administration Server version 13 or later, the user will not be able to log in to the Kaspersky Security Center 13.2 Web Console versions 12, 12.1 or 12.2.

See also:

Scenario: Configuring two-step verification for all users

Excluding accounts from two-step verification
