Pro Tip: Allowing Users to Set-up 2-Factor Authentication

Created on 2021/08/09

With the explosion in brute-force attacks by cybercriminals, even strong password-based authentication may not be enough to protect user accounts. Cells already limits brute-force attempts by locking a user after 10 consecutive failed logins, but adding 2-Factor Authentication (2FA) through a device the user owns is now an accepted security best practice.

Cells makes it fast and easy for end users to add two-factor authentication to a specific account. With Cells Enterprise, users can unlock their account with a one-time password generated by Google Authenticator (or a compatible application) or, even better, with a Yubikey hardware device. Here’s how it works.

[Update] New in Cells V3: support for Duo Security multifactor authentication!

A - Enable Multi-Factor Authentication (Admin)

As an admin, go to the Cells Console > Authentication page and enable the “One Time Password” plugin.

[Screenshot: OTP - 01 - Admin]

From there, users will find a 2FA option in their user menu and can choose either of the two methods below.

[Screenshots: OTP - 02 - User menu; OTP - 02 - Choose method]

B - Configure 2FA (Users)

1 - Google Authenticator OTP (and other compatible apps)

As a user, first install the Google Authenticator application (or any TOTP-compatible application such as FreeOTP) on your smartphone. The app generates the unique tokens used for authentication; it never stores or accesses anything on your Pydio Cells instance.

To configure it, select the Google Authenticator option in Cells and scan the QR code with the app.

[Screenshot: OTP - 04 - Scan QR code]

This adds an account to Authenticator and starts generating tokens right away. To make sure it is working properly, enter the current code and click the TEST button. Once it is validated, click Save.

At your next login, after the login/password step, you will be presented with a dialog box asking for the Authenticator token.

[Screenshot: OTP - 05 - Prompt]
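To show concretely what the Authenticator app and the server each hold, here is an added example (not code from Pydio Cells) of the TOTP scheme (RFC 6238) that Google Authenticator and FreeOTP implement: the QR code only carries an otpauth URI with the shared secret, and both sides then derive the 6-digit code from that secret and the clock, which is why the app never needs to reach the server. The function names `totpAt`, `provisioningURI` and `verify` are mine, and the secret is the RFC 6238 test-vector secret, not a real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
)

// totpAt computes the RFC 6238 code for a raw secret at a given Unix time,
// using the Google Authenticator defaults: 30-second step, 6 digits, HMAC-SHA1.
func totpAt(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30)) // time step counter
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset (RFC 4226)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// provisioningURI builds the otpauth:// payload that the QR code carries:
// issuer, account name and the base32 secret, nothing about the server.
func provisioningURI(issuer, account string, secret []byte) string {
	s := base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(secret)
	return fmt.Sprintf("otpauth://totp/%s:%s?secret=%s&issuer=%s&digits=6&period=30",
		url.PathEscape(issuer), url.PathEscape(account), s, url.QueryEscape(issuer))
}

// verify accepts the code for the current step or one step either side to
// tolerate clock skew, comparing in constant time. A real server should also
// remember the last accepted step so the same code cannot be replayed.
func verify(secret []byte, code string, unixTime int64) bool {
	ok := false
	for _, skew := range []int64{-30, 0, 30} {
		if subtle.ConstantTimeCompare([]byte(totpAt(secret, unixTime+skew)), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	secret := []byte("12345678901234567890") // constructed: RFC 6238 test-vector secret
	fmt.Println(provisioningURI("Pydio Cells", "alice", secret))
	fmt.Println(totpAt(secret, 59), verify(secret, "287082", 59)) // 287082 true
}
```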

2 - Configure Yubikey 2FA

Yubikey is a hardware dongle that must be inserted into a USB port of the computer where you log in. You first need to register that key with the yubi.co service and obtain a proper API Key / Secret.

[Screenshot: OTP - 06 - Yubikey register]

Once you have entered your Yubikey Client ID and Secret, use the test field to make sure it works: insert the Yubikey, click in the text field and press the key, which automatically generates a unique string in the field. If the test passes, just click Save.

At your next login, you will be prompted with a text input field to perform the same “insert key and press” operation. Simple as that.

3 - Disable 2FA

Once you have set up 2FA, you can disable it by opening the “Multifactor Authentication” menu and selecting “RESET”.

[Screenshot: OTP - 07 - Reset]

Coming Next

In our next release, Cells Enterprise will ship with a new integration with the Duo Security service, which provides additional 2FA methods: push notification to the Duo application on a mobile phone, SMS code validation, and more. Stay tuned!