How do I set up Two-Factor authentication? (SaaS)
1. Sign up for a Duo account: https://www.duosecurity.com/pricing
2. Create and configure a Duo application to be used with the Resilient application.
During this stage you receive an Integration Key, Secret Key, and API hostname. You need these items to configure two-factor authentication on the Resilient application.
When prompted for the application type, select Web SDK.
3. If you are a SaaS customer, contact email@example.com to complete your setup.
Afterwards, proceed to Enable your authentication domain.
Enable your authentication domain
While logged in as a master administrator, you can enable a two-factor authentication domain under organizational settings on the administrator's settings page. If you have set up multiple two-factor authentication domains, you can select which domain you would like to authenticate your users against here. On this page you can also set the cookie lifetime, which sets an expiration in days for when a user needs to re-authenticate via two-factor authentication.
NOTE: Authentication domains are set at the organizational level. You can use the same authentication domain for multiple organizations or set a different domain for each organization. This means that a user who authenticates against an organization under one domain, who then tries to access an organization under another domain, needs to separately authenticate for the other organization.
Registering users to use two-factor authentication
Once two-factor authentication has been configured, users need an account on the Resilient application and a corresponding account in your Duo Security account.
Management of user registration with Duo Security is handled in the Policy settings of your Duo Security application. The "New user policy" allows you to select:
- Require Enrollment - users who are not already registered with Duo Security are provided a self-enrollment process that makes it easy for users to register their devices and install the Duo Mobile app (if necessary). When a user logs into Resilient for the first time after two-factor authentication is enabled, Duo Security begins this self-enrollment process.
- Allow Access - users who are not already registered with Duo Security are not challenged. We recommend AGAINST using this option.
- Deny Access - only users who are already configured with the Duo account are allowed access. This means that you need to configure your users using your Duo account in the "Users" tab.
The email address of the Resilient application user must match the Duo account username. In the Duo application settings, "Username normalization" allows you to specify whether or not "DOMAIN\username", "firstname.lastname@example.org" and "username" are all treated as the same user.
Two-factor authentication and user experience
When two-factor authentication is enabled, a user who has not been "previously authenticated" via two-factor authentication is presented with a two-factor challenge whenever they try to access an organization.
A user is considered as being "previously authenticated" under the following circumstances:
- They have successfully passed the challenge presented via two-factor authentication in their current session.
- They have successfully passed the challenge presented via two-factor authentication in an earlier session and then started a new session within the number of days set by the cookie lifetime value. In this situation, the user authenticates as normal (email and password) when starting the new session, but is not presented with the challenge. The master administrator sets the cookie lifetime value in the administrator settings organization page.
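The session, cookie-lifetime and per-domain rules above, as an added Python model that is not Resilient's or Duo's own code: `needs_challenge` decides whether a user is shown the Duo challenge when opening an organization. The per-domain cookie store, the organization names and the 7-day lifetime are constructed assumptions for the walkthrough.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Organization:
    name: str
    auth_domain: str           # two-factor authentication domain enabled for this org
    cookie_lifetime_days: int  # days before the user must pass the challenge again

@dataclass
class Session:
    # Domains whose Duo challenge the user passed in THIS login session.
    passed_domains: set = field(default_factory=set)
    # Assumed model of the persistent two-factor cookie: domain -> time the
    # challenge was last passed. It outlives the session; passed_domains does not.
    cookie: dict = field(default_factory=dict)

def needs_challenge(session: Session, org: Organization, now: datetime) -> bool:
    """True if the user must be shown the Duo challenge to open this org."""
    if org.auth_domain in session.passed_domains:
        return False  # passed in the current session
    last = session.cookie.get(org.auth_domain)
    if last is not None and now - last <= timedelta(days=org.cookie_lifetime_days):
        return False  # still inside the cookie lifetime set by the master administrator
    return True       # never passed, different domain, or cookie expired

def record_pass(session: Session, org: Organization, now: datetime) -> None:
    """Record a successfully passed challenge for the org's domain."""
    session.passed_domains.add(org.auth_domain)
    session.cookie[org.auth_domain] = now

def walkthrough() -> list:
    """Constructed scenario: orgs A and C share domain 'duo-a', org B uses 'duo-b'."""
    org_a = Organization("Org A", "duo-a", cookie_lifetime_days=7)
    org_c = Organization("Org C", "duo-a", cookie_lifetime_days=7)
    org_b = Organization("Org B", "duo-b", cookie_lifetime_days=7)
    t0 = datetime(2021, 4, 19, tzinfo=timezone.utc)
    s = Session()
    first = needs_challenge(s, org_a, t0)          # True: nothing passed yet
    record_pass(s, org_a, t0)
    same_domain = needs_challenge(s, org_c, t0)    # False: same domain, same session
    other_domain = needs_challenge(s, org_b, t0)   # True: other domain, separate auth
    later = Session(cookie=dict(s.cookie))         # new session: only the cookie survives
    within = needs_challenge(later, org_a, t0 + timedelta(days=3))   # False: cookie valid
    expired = needs_challenge(later, org_a, t0 + timedelta(days=8))  # True: lifetime over
    return [first, same_domain, other_domain, within, expired]
```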
19 April 2021