With two-factor authentication, access to the profile of a formcycle user can be protected by a proof of identity via a so-called second factor. In this case, the administration interface cannot be accessed until the user has provided proof of identity via a second factor. In formcycle, the second factor can be the user's primary email address or a smartphone.

Either the entire system can be configured in such a way that each user must provide proof of identity via a second factor when logging in, or users can configure two-factor authentication in their profiles themselves.

Contents

Configuration in the system

In the General section of System Preferences, system administrators can configure the behavior of system-wide two-factor authentication.

Activate two-factor authentication for the entire system

Two-factor authentication can be enabled for the entire system. If activated, all formcycle users must additionally authenticate with a second factor when logging in (via email or via Authenticator app). Users who have already enabled two-factor authentication via Authenticator app will be prompted to prove their identity through the Authenticator app at login. All other users receive a one-time authentication code via email.

Remember two-factor authentication

Formcycle users have the possibility to save the two-factor authentication for the given period. The period of time how long two-factor authentication will be stored can be specified here. "0" means that formcycle users will not be able to save two-factor authentication and will have to provide proof of identity by a second factor after each login.

Request for proof of identity by email after user login. The authentication is to be stored for the next 30 days. This means that the user will only be prompted for proof of identity again in 30 days.

Restoring profile access in case of loss of the second factor

It can be configured whether formcycle users can restore access to their profile themselves in case of loss of the two-factor authentication device (Authenicator app). If this option is enabled, users can restore access to their profile themselves by switching two-factor authentication to email. All subsequent two-factor authentication prompts will send the user an email with a one-time authentication code. If this option is disabled, the type of two-factor authentication cannot be changed. In this case, if the two-factor authentication device is lost, a system administrator must be contacted who can disable the two-factor authentication device. See Two-factor authentication via Authenticator app.

Configuration in the user profiles

In the Security section, users can configure two-factor authentication of their profile.

Two-factor authentication deactivated

Disabled two-factor authentication in a user's profile.

If two-factor authentication is disabled in a user's profile, the user will not be asked for proof of identity when logging in unless system-wide two-factor authentication is enabled (see Configuration in the system).

If two-factor authentication was already activated (via email or via Authenticator app), then the deactivation must be confirmed. For this purpose, a confirmation link is sent to the user's primary email address to confirm the deactivation. Until the deactivation is confirmed, the configured two-factor authentication remains active. The confirmation link has a time-limited validity. Once the confirmation link has expired, it can no longer be used to deactivate two-factor authentication. A new confirmation link must be requested via the button . The validity period of the confirmation link can be configured via the application properties.

Two-factor authentication via email

If two-factor authentication by email is enabled, the user will be prompted for proof of identity by email the next time they log in.

Request for proof of identity via email after user login.

The one-time authentication code sent via email has a time-limited validity. After the authentication code expires, it can no longer be used for proof of identity. A new authentication code must be requested. The validity period of the authentication code can be configured via the application properties.

If the authentication code is entered incorrectly several times, the user's profile is locked for a certain time. The user has to wait for this time before he can try to authenticate again or a system administrator resets the login attempts. The number of possible attempts can be configured in the application properties.

Two-factor authentication via Authenticator app

Two-factor authentication via Authenticator app requires a smartphone with an Authenticator app and must first be set up before it can be used when logging in.

Setup

To set up two-factor authentication via the Authenticator app, formcycle users must activate two-factor authentication via the Authenticator app in their profile. They will then receive an email with a setup link, which they must follow. The setup link is valid for a limited time. After the setup link expires, it can no longer be used to set up two-factor authentication. A new setup link must be requested. The validity period of the setup link can be configured via the application properties.

Following the setup link takes users to the setup wizard for two-factor authentication via Authenticator app. A QR code and a code for manual setup in the selected Authenticator app appear. The QR code is to be scanned with the selected Authenticator app. A list of possible Autehnticator apps can be found here. After the QR code has been scanned or the displayed code has been entered manually in the Authenticator app. A periodically updating code will appear. By clicking Next in the setup wizard, an input field appears in which the periodically updating code is to be entered. If the code was entered correctly, the two-factor authentication setup is complete. The user will be prompted to enter the Authenticator app authentication code the next time they log in.

Only after the setup of the two-factor authentication via Authenticator app is completed, it is active and the user is prompted for proof of identity via Authenticator app at the next login.

Proof of identity

Prompt for proof of identity via Authenticator app after user login.

When two-factor authentication via Authenticator app is enabled, users are prompted to enter the authentication code displayed in the Authenticator app after logging in. After successfully entering the correct authentication code, the user is redirected to the management interface.

If the authentication code is entered incorrectly several times, the user's profile is locked for a certain time. The user has to wait for this time before he can try to authenticate again or a system administrator resets the login attempts. The number of possible attempts can be configured in the application properties.

Loss of the two-factor authentication device

If the two-factor authentication device has been lost or the link in the Authenticator app has been removed, the user can no longer log in to their formcycle profile. Provided the system allows this, the two-factor authentication can be reset via the Authenticator app. Clicking on the corresponding link (see figure) will set the two-factor authentication from the Authenticator app to email. This means that proof of identity must be provided by the authentication code sent via email. Thus, two-factor authentication is not disabled. If the system does not allow the user to reset the two-factor authentication, only a system administrator can reset the user's two-factor authentication.

The reset link can be used to request the reset of two-factor authentication via Authenticator app.

Next authentication prompt

Indication in the user's profile when the next two-factor authentication prompt will be presented.

If the user has saved the two-factor authentication or proof of identity, they will no longer be prompted to provide proof of identity via a second factor for the duration of the proof of identity storage. In My Profile, the user can see when they will next be prompted for two-factor authentication. Clicking the X button removes the stored authentication and the user will be prompted for proof of identity again at the next login.