Configuring Multi-factor Authentication

ACC supports Two-Factor Authentication (2FA) to enhance login security. When 2FA is enabled, in addition to username and password, users must provide a second form of authentication to obtain an API token.

ACC admins can enable or disable 2FA, thereby controlling whether appliance owners must use 2FA to generate their ACC tokens.

ACC uses Time-Based One-Time Passwords (TOTP) defined in RFC 6238. TOTP generates a temporary code based on the current time and a secret key. Each code is valid for 30 seconds.

When a user updates their password and 2FA is enabled, ACC generates a secret key and provides it to the user. The user must add this key to a TOTP generator, typically an authenticator app on the user's mobile phone, which then produces a new TOTP every 30 seconds.

After 2FA is enabled:

  • The ACC admin receives a temporary secret key and uses the TOTP it generates to update the admin password. Once the password is updated, the password update API returns a new secret key for use in the authenticator app.
  • The ACC admin can also call a REST API to generate temporary secret keys for appliance owners. These keys are shared with the respective owners, who then use them to update their passwords and configure their own TOTP generators.

Using two factor authentication