version 2.1.1, an additional authentication
mechanism called TOTP (Time-based One-Time Password) is added to provide enhanced security for
users logging in. A TOTP must be supplied together with the password for user authentication, making it
two-factor authentication (2FA), a form of multi-factor authentication (MFA). Users with the
admin or admin_assist role can enable 2FA for any other user.
A user for whom 2FA is enabled receives an email notification containing the secret key and a QR code, sent to the email address configured for that user in LDAP. The secret key is sensitive: it is known only to PowerVC and the respective user, and anyone who holds it can generate valid TOTP codes for that account. The secret must not be shared with anyone else.
The user can choose to retain this email for future reference, bearing in mind that the secret then remains readable by anyone with access to the mailbox. To set up TOTP generation, install an authenticator app (such as Google Authenticator, FreeOTP or IBM Verify) from Google Play or the App Store and scan the QR code received. Although an authenticator app is used to generate the TOTP, internet connectivity on the device is not required: the code is computed locally from the secret key and the current time, so the only requirement is that the device clock is reasonably accurate. A new TOTP is generated every 30 seconds.
- Email server configuration is mandatory, because the secret key and QR code are delivered by email notification.
- To be able to use MFA, users must have a TOTP authenticator app set up on their mobile device.
- The TOTP device must be configured with a unique secret key before it can generate a TOTP. This secret key is normally generated by PowerVC; the one exception is described below.
- A user with the admin or admin_assist role can still enter the secret key manually when enabling or resetting MFA for their own account.
- When a user with the admin or admin_assist role enables or resets MFA for another user, the secret key is always generated by PowerVC and mailed to that user; it cannot be entered manually.