4.12.10 How to set up 2FA Authentication

This section helps admins set up a two-factor authentication flow for end users.

Two-Factor Authentication (2FA), in ZTrust, is a security process that requires users to provide two different forms of identification to access an account or system, such as a password and a push notification from the ZTrust Authenticator mobile application.

Use Case

  • Admins should be able to configure the 2FA authentication flow.

  • Users should be able to log in using the configured 2FA flow.

  • ZTrust supports the following as first factor authentication:

    • Username Password

    • Push Notification

    • QR Code

    • Email OTP

  • ZTrust supports the following as second factor authentication:

    • Push Notification

    • QR Code

    • NFC

    • Email OTP

    • TOTP

    • Biometric

Prerequisites

  • The user needs to be present in the realm where 2FA is to be configured.

  • For Push Notification, NFC and QR

    • Admin needs to configure RabbitMQ in the Realm settings.

    • Users need to

      • Install the ZTrust Authenticator app on their mobile device.

      • Set their mobile device as a primary device.

  • For TOTP

    • Users need to install the ZTrust Authenticator app on their mobile device.

  • For Email OTP

    • Email ID needs to be configured in the user details.

  • For Biometric

    • Users first need to register their biometric details with ZTrust.

Configuration

  1. Click on Authentication in the sidebar.

    Fig. 4.12.10.a: Navigating to Authentication section

  2. Click on the kebab menu (three dots) on the right side of the browser flow. Select Duplicate. A popup will appear.

    Fig 4.12.10.b: Duplicating the existing browser flow

  3. Provide a Name for the flow, "2FA Flow". Click Duplicate. You will be redirected to the new flow configuration.

    Fig 4.12.10.c: Giving a name to the new browser flow for 2FA login

    Fig 4.12.10.d: Duplicated browser flow configuration page for 2FA login

  4. Delete everything under 2FA Flow forms.

    Fig 4.12.10.e: 2FA Flow configuration page before deleting executions

  5. Click on the plus icon on the right side of the 2FA Flow forms. Select Add Sub-flow. A popup will appear.

    Fig 4.12.10.f: Proceeding to add a new sub-flow to 2FA login flow

  6. Provide a Name for the sub-flow, "Username Password flow". Click Add.

    Fig 4.12.10.g: Giving a name to the sub-flow for first-factor authentication

  7. Click on the plus icon on the right side of the Username Password flow. Select Add Execution. A popup will appear to select an execution.

    Fig 4.12.10.h: Proceeding to add a new execution to 2FA login flow

  8. Search for Username Password Form, select it and click Add.

    Fig 4.12.8.i: Select 'Username Password Form' execution to add

  9. Click on the plus icon on the right side of the 2FA Flow forms. Select Add Sub-flow. A popup will appear.

    Fig 4.12.10.j: Giving a name to the sub-flow for second-factor authentication

  10. Provide a Name for the sub-flow, "Push Notification Flow". Click Add.

    Fig 4.12.10.k: Giving a name to the sub-flow for second-factor authentication

  11. Click on the plus icon on the right side of the Push Notification flow. Select Add Execution. A popup will appear to select an execution.

    Fig 4.12.10.l: Proceeding to add a new execution to 2FA login flow

  12. Search for Push Notification Authenticator, select it and click Add.

    Fig 4.12.8.i: Select 'Push Notification Authenticator' execution to add

  13. Click on the settings menu (gear icon) on the right side of the Push Notification Authenticator. A popup will appear to configure the push notification settings.

    Fig 4.12.10.j: Proceeding to configure 2FA login

  14. Provide an Alias. Set Expires in (in seconds) and click Save.

    Fig 4.12.10.k: Configuring 2FA login

  15. Change Requirement of the Push Notification Authenticator from Disabled to Required.

    Fig 4.12.10.l: Changing the 'Requirement' of second-factor in 2FA login

  16. Change Requirement of the Push Notification flow from Disabled to Required.

    Fig 4.12.10.m: Changing the 'Requirement' of second-factor sub-flow in 2FA login

  17. Change Requirement of the Username Password flow from Disabled to Required.

    Fig 4.12.10.n: Changing the 'Requirement' of first-factor sub-flow in 2FA login

  18. Click Actions at the top right of the page, then select Bind flow. A popup will appear.

    Fig 4.12.10.o: Proceeding to bind the 2FA login flow

  19. Select the Browser flow as the binding type and click Save.

    Fig 4.12.10.p: Selecting a flow to bind 2FA login to

Two-factor authentication with Username, password and Push Notification is now enabled.
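
As an added check (not part of the ZTrust documentation or product), the following Python example audits a flow against steps 14 to 19 and reports any of the three items from steps 15 to 17 that is not set to Required, a missing push alias or expiry, or a browser binding that still points at another flow. The dictionary layout, the names `audit_2fa_flow`, `walk` and `sample_flow`, and the sample alias, expiry and binding values are assumptions made for illustration; this page does not show a ZTrust export format.

```python
# Items the procedure sets to Required, keyed by lower-cased name -> step number.
# Names are compared case-insensitively: the page writes both "Flow" and "flow".
MUST_BE_REQUIRED = {
    "push notification authenticator": 15,
    "push notification flow": 16,
    "username password flow": 17,
}

def walk(node):
    """Yield every sub-flow and execution below a flow node."""
    for child in node.get("children", []):
        yield child
        yield from walk(child)

def audit_2fa_flow(flow, browser_binding):
    """Return findings as strings; an empty list means steps 14-19 are satisfied."""
    findings = []
    seen = {n["name"].lower(): n for n in walk(flow)}
    for name, step in MUST_BE_REQUIRED.items():
        node = seen.get(name)
        if node is None:
            findings.append(f"step {step}: '{name}' not found in flow")
        elif node["requirement"] != "Required":
            findings.append(f"step {step}: '{name}' is {node['requirement']}")
    push = seen.get("push notification authenticator")
    if push is not None:
        cfg = push.get("config", {})
        if not cfg.get("alias") or cfg.get("expires_in", 0) <= 0:
            findings.append("step 14: alias or expiry missing on push authenticator")
    if browser_binding.lower() != flow["name"].lower():
        findings.append(f"step 19: browser binding is '{browser_binding}'")
    return findings

def sample_flow(push_flow_requirement="Required"):
    """Constructed sample data (assumed layout, not a ZTrust export)."""
    return {"name": "2FA Flow", "children": [
        {"name": "Username Password flow", "requirement": "Required", "children": [
            {"name": "Username Password Form", "requirement": "Required"}]},
        {"name": "Push Notification Flow", "requirement": push_flow_requirement,
         "children": [
            {"name": "Push Notification Authenticator", "requirement": "Required",
             "config": {"alias": "push-2fa", "expires_in": 60}}]},
    ]}

if __name__ == "__main__":
    for finding in audit_2fa_flow(sample_flow("Disabled"), "browser"):
        print(finding)
```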
