How can I use a two-factor authentication (2FA) scheme on my station?

Setting up Google authentication

The Google Authentication Scheme is a two-factor authentication mechanism that requires the user to enter their password as well as a single-use token when logging in to a station. This protects a user’s account even if their password is compromised. This authentication scheme relies on TOTP (Time-based One-Time Password) and the Google Authenticator app on the user’s mobile device to generate and verify single-use authentication tokens. Google authentication is time-based, so there is no dependency on network communication between the user’s mobile device, the station, or external servers. Since the authenticator is time-based, the time on the station and the time on the phone must stay relatively in sync. The app provides a buffer of plus or minus 1.5 minutes to account for clock skew.
It is recommended to keep the station time synchronized by configuring the NTP service. Windows and Linux hosts have automatic time sync services available at the OS level.
Prerequisites: The user’s mobile phone requires the Google Authenticator app. You are working in Workbench. The user exists in the station database.

Perform the following steps:

1.     Open the gauth palette and add the GoogleAuthenticationScheme to the Services > AuthenticationService node in the Nav tree.



2.     Double-click UserService, and double-click the user in the table.

The Edit view for the user opens.

3.     Configure the Authentication Scheme Name property to GoogleAuthenticationScheme and click Save.


4.     The system will confirm that you have changed the authentication scheme.


5.     Open the user settings once again. A new option, "Secret Key", now appears.


6.     Click the "Generate Key" button in Secret Key under the user’s authenticator and follow the prompts.

7.     Scan the barcode using the Google Authenticator app on your phone.


8.     Enter the code that the mobile app generated to bind the mobile app to the user.


9.     When you see the "Regenerate Key" button, everything is set up. To complete the configuration, click Save.


10.     The login page for that user will appear as below, and it is available for Workbench and for Web view. The Token is the code shown in the mobile app, and it changes every 30 seconds.