Two-Factor Authentication

To use this feature, the following requirements must be met:

  • Secure Connection (HTTPS): The system must be set up to use HTTPS and an SSL certificate from a trusted certificate authority (CA).

  • Identiv uTrust FIDO2 NFC+ keys (USB-C and USB-A): A security key will be required. These keys are available for purchase on multiple e-commerce websites or through our sales team.

Features and Settings added to support this change:

  • Enforce Two-Factor Authentication: Administrators can turn on Two-factor authentication using the application's Enforce Two-factor Authentication (Identiv uTrust FIDO2) setting. Once enabled, the operator will be prompted to configure their security key at their next login.

  • Two-factor Authentication "Active" or "Bypass" Status: This per-operator setting determines whether Two-factor authentication applies to that operator or is bypassed. It is visible to operators but can only be changed by the Administrator.

    • "Active" State: This option is selected by default. When enabled, the operator must use their security key to log in.

    • "Bypass" State: When set to "Bypass," the operator is not required to use a security key to log into the application, even when Two-Factor Authentication is enforced system-wide. In this state, the operator can log in with only their user name and password.

  • Security Key Management by Operators: When Two-factor authentication is enabled, operators can view and manage their security keys from Device Control > Operator under the "Two-factor" tab.

  • Security Key Management by Administrators: Administrators can manage security keys for an operator. Additionally, 3.8.6 introduced a new role specifically for managing Two-factor authentication settings, which can be assigned to other users to help with this task. This role can be found under: "Web Client Multi-Factor > Two-factor Administrator." Users granted this role will be able to:

    • View the list of available operators

    • Adjust the Two-Factor Authentication status for an operator, switching between "Active" and "Bypass" when necessary

    • Add, edit, and delete security keys for operators

Operator Management

Administrators can now manage operator accounts using the Velocity Web client. This can be found under Device Control > Velocity Configuration folder > Operators. From there, operators can add, edit, and delete operators and manage their restrictions, roles, 2FA requirements, etc.

The account used for Velocity Services will need to have the following permissions:

  • Local Machine:

    • Read permissions for searching user accounts

    • Read permissions for getting user properties (specifically password settings)

    • Write permissions to create a new user

    • Read permissions to read user account information

    • Write permissions to remove user membership from the local group

  • Active Directory:

    • Read permissions for searching user accounts

    • Read permissions for getting user properties (specifically password settings)

    • Write permissions to create a new user

    • Read permissions to read user account information

    • Write permissions to remove user membership from an AD group

Installer Enhancements

The following updates have been implemented in the installer to provide an enhanced user experience:

  • Grouped Settings: The application, website, and service settings are now grouped in their respective sections. This restructuring provides a more streamlined installation workflow.

  • SSL Certificate Configuration: The installer can now manage existing SSL certificates directly when HTTPS communication mode is selected. This feature is accessible in the new IIS configuration section.

  • Deprecated Feature: The HTTP communication mode has been deprecated and will be removed in the next version. Switching to HTTPS is highly recommended as the preferred communication mode. For more information, please refer to the "Deprecated Features" section.