IBM Support

QRadar EDR: the issue that you cannot log in using the code for 2-factor authentication (2FA)

Troubleshooting


Problem

The users who previously enabled the one-time passcode (TOTP) may face login issues.

Symptom

The users cannot log in to the dashboard (management console) with a message such as "Invalid Code" even though they use a one-time passcode.
image-20240514152058-1

Environment

  • QRadar EDR manage users

Resolving The Problem

An administrator with "Super Administrator" privileges need to disable 2FA or reset the one-time passcode.
Important: If 2FA is enabled for the entire user base, please do one of the following instead of disabling 2FA for the entire user base to avoid security implications.
1: Case in which the one-time passcode is not used thereafter (disable 2FA)
  1. An administrator with Super Administrator privileges go to the Administrator => Manage Users page on the dashboard, select the affected manage user, and click "View User".
    image-20240514163310-1
    image-20240514163652-2
  2. After clicking the Edit button for 2FA in Profile, slide "Require for this user" toggle to the left and click "Remove user's two-factor" to disable 2FA for the affected manage users.
    image-20240514163856-3
    image-20240514164310-4
  3. The affected manage users will then be able to log in without requiring two-factor authentication.
​​​​​​
2: Case in which the one-time passcode use (reset) thereafter
  1. An administrator with Super Administrator privileges go to the Administrator => Manage Users page on the dashboard, select the affected manage user, and click "View User".
    image-20240514163310-1
    image-20240514163652-2
  2. After clicking the Edit button for 2FA in Profile, click "Remove user's two-factor" to reset 2FA for the target manage users.
    image-20240514163856-3image-20240515091944-1
  3. The affected manage users will see the QR code required to register for the two-factor authentication tool again when logging in.image-20240514165457-1
  4. The user can use the two-factor authentication tool to read the QR code and then re-enter the newly registered one-time passcode to log in. The old one-time passcode should then be deleted.

Document Location

Worldwide

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSOO77","label":"IBM Security QRadar EDR"},"ARM Category":[{"code":"a8m3p000000PCPsAAO","label":"Support"},{"code":"a8m3p0000000rbnAAA","label":"Support-\u003EAdministration Task"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
17 May 2024

UID

ibm17151397

Page Feedback