Two Factor Authentication
Two-factor authentication in Leon
What is MFA/2FA?
Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) are security mechanisms that require users to provide two or more verification factors to gain access to a resource such as an application, online account, or VPN. The core idea behind MFA/2FA is to create a layered defence, making it significantly harder for unauthorised individuals to access accounts even if they manage to compromise one factor (e.g., a password).
Definition of Factors
Authentication factors typically fall into three categories:
Something you know: This includes passwords, PINs, or security questions.
Something you have: This refers to physical tokens, such as a smartphone (for SMS codes or authenticator apps), a hardware security key, or a smart card.
Something you are: This involves biometrics such as fingerprints, facial recognition, or iris scans.
The Idea Behind MFA/2FA
The fundamental principle is to combine at least two different types of these factors. For example, a common 2FA setup involves a password (something you know) and a code sent to your phone (something you have). If a hacker steals your password, they still won’t be able to log in without also having access to your phone. This significantly reduces the risk of unauthorised access due to stolen or weak passwords, phishing attacks, or credential stuffing.
2FA implementation in Leon
In Leon, Two-Factor Authentication (2FA) is implemented using an authenticator app on a smartphone as the second factor, falling under the “something you have” category. This means that in addition to a password, users will need to provide a time-sensitive code generated by their authenticator app on their mobile device to log in successfully. This approach significantly enhances security by ensuring that even if a user’s password is compromised, access to their physical smartphone is still required to gain entry to their Leon account.
How does 2FA work in Leon?
The 2FA implementation in Leon, shown from the user’s point of view, is described here.
Features available
2FA can be forced for all users. This applies only to users who log in with a username and password. If Single Sign-On (SSO) is used, MFA should be enabled on the identity provider side, in the Google Workspace or Microsoft settings.
Trusted IP list. This feature allows administrators to define a list of trusted IP addresses. When a user connects to Leon from one of these pre-approved addresses, 2FA will not be required.
2FA validity time. After successfully logging in with 2FA, subsequent logins from the same device within the defined validity period can be made without requiring 2FA again.
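As an added illustration (not Leon's own code), the following Python models the login decision the three settings above describe: the mandate, the trusted IP list and the validity time. The class and function names, the CIDR, the addresses and the timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class TwoFactorPolicy:
    """Hypothetical model of the three Leon settings described above."""
    force_for_all_users: bool      # "Force two-factor authentication for all users"
    trusted_networks: List[str]    # "Trusted IP list", as CIDR strings
    validity: timedelta            # "2FA validity time" for an already verified device

@dataclass
class LoginAttempt:
    uses_sso: bool                 # SSO logins rely on the identity provider's MFA
    user_has_2fa_enrolled: bool
    source_ip: str
    last_2fa_success: Optional[datetime]  # last 2FA success on this device, or None
    now: datetime

def second_factor_required(policy: TwoFactorPolicy, attempt: LoginAttempt) -> bool:
    """Return True when this login must present an authenticator-app code."""
    if attempt.uses_sso:                      # MFA is enforced at Google/Microsoft
        return False
    if not policy.force_for_all_users and not attempt.user_has_2fa_enrolled:
        return False                          # no mandate and the user never enrolled
    src = ip_address(attempt.source_ip)
    if any(src in ip_network(net, strict=False) for net in policy.trusted_networks):
        return False                          # trusted address: no second factor at all
    if attempt.last_2fa_success is not None:
        age = attempt.now - attempt.last_2fa_success
        if timedelta(0) <= age < policy.validity:  # negative age means a clock problem
            return False                      # device verified within the validity window
    return True

def demo() -> dict:
    """Constructed scenarios (not real Leon data) for the policy above."""
    policy = TwoFactorPolicy(True, ["203.0.113.0/24"], timedelta(hours=12))
    now = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)

    def attempt(ip, last=None, sso=False):
        return LoginAttempt(sso, True, ip, last, now)

    cases = {
        "office_ip": attempt("203.0.113.7"),                           # on the trusted list
        "home_fresh": attempt("198.51.100.9"),                         # never verified
        "home_recent": attempt("198.51.100.9", now - timedelta(hours=3)),
        "home_stale": attempt("198.51.100.9", now - timedelta(days=2)),
        "sso_user": attempt("198.51.100.9", sso=True),
    }
    return {name: second_factor_required(policy, a) for name, a in cases.items()}
```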
Recommended 2FA Mandate Rollout Strategy
Introducing mandatory 2FA for all users requires careful planning and communication to ensure a smooth transition and minimise disruption. This guideline outlines a recommended approach for the System Admins to implement this security enhancement effectively.
1. Pre-Rollout Communication and Preparation
Objective: Inform users about the upcoming change, its benefits, and the necessary steps to take.
Initial Announcement (2-4 weeks prior):
Send an email to all users explaining the move to mandatory 2FA, emphasising the enhanced security benefits (e.g., protection against phishing, stolen credentials).
Clearly state the “go-live” date for mandatory 2FA.
Provide a link to a comprehensive guide (e.g., this article) on how users can set up 2FA in Leon using an authenticator app.
Recommend that users install a suitable authenticator app (e.g., Google Authenticator, Microsoft Authenticator, Authy, etc.) on their smartphone.
Administrator Training:
Ensure all Leon administrators within your organisation are familiar with 2FA setup, including the “Trusted IP list” and “Second factor validity time” features within Leon.
Pilot Program (Optional but Recommended):
Consider implementing a pilot program with a small group of internal users or a specific department to test the effectiveness of the solution. This allows for the identification and resolution of any unforeseen issues before a full rollout, enabling fine-tuning of communication and support processes.
2. Implementation Phase
Objective: Enable mandatory 2FA and provide robust support during the transition.
Enable Mandatory 2FA in Leon (Go-Live Date):
On the designated go-live date, activate the “Force two-factor authentication for all users” setting in Leon’s administration panel.
Actions to be taken by the users after the 2FA is forced:
Users who did not have 2FA enabled prior to the mandatory rollout will receive an email containing a new, reset password and a link to a QR code.
This QR code link is essential for pairing their Leon accounts with a mobile authenticator app.
The provided link will be valid for 48 hours from the time of receipt.
If the QR code link expires before activation, users can generate a new one using the “Forgot your password? Click here” option on the Leon login page, which will send an updated link to their email.
This is the same procedure as described in the article.
3. Post-Rollout Management
Objective: Maintain security and address ongoing user needs effectively.
Leverage Trusted IP List:
For users accessing Leon from known, secure corporate networks, utilise the “Trusted IP list” feature within Leon to exempt them from repeated 2FA prompts, thereby enhancing convenience without compromising security. Because a listed address bypasses the second factor entirely, limit the list to addresses your organisation controls and review it whenever the network changes.
Set 2FA Validity Time:
Adjust the “2FA validity time” as appropriate for your organisation’s security posture and user experience needs. This setting determines how long a user’s device remains “trusted” after a successful 2FA login before requiring re-authentication.
Regular Review and Education:
Periodically review your 2FA configuration and gather user feedback to ensure its effectiveness.
Provide ongoing education and reminders to users about the importance of 2FA and best security practices to maintain a high level of awareness.
By following this structured approach, your organisation can effectively implement mandatory 2FA in Leon, significantly enhancing the security of your accounts and data while ensuring a positive user experience.