ScreenCloud Dashboards: Configuring Two-Factor Authentication

by Santino

This article will review how to configure two-factor authentication while using the ScreenCloud Dashboards feature. It is a companion to the ScreenCloud Dashboard setup guide and covers additional setup and login options for displaying your secure or private dashboards on your digital screens.

If you do not yet have ScreenCloud Dashboards activated and would like to learn more, please click here to fill out the ScreenCloud Dashboard request form.


 

Table of contents:

1. What is 2FA/MFA?

2. How do I configure MFA on a dashboard?

3. Secret Keys

4. Configuring a Google / G-Suite Account

5. Configuring an Outlook / Office365 Account

 

1. What is 2FA/MFA?

You may see the terms 2FA (two-factor authentication) or MFA (multi-factor authentication) used when you log on to systems or in your account settings. These terms describe an additional layer of security associated with your account. You likely see these mechanisms being used every day: if you receive a text message on your phone or an e-mail in your inbox containing a code, that's MFA in action.

 

1.1. Why is it important?

Securing your accounts is becoming increasingly important as cybercriminals are constantly evolving and finding more ways of breaking into accounts and stealing data. Adding these additional layers of security and not relying solely on a username and password is incredibly effective in keeping your account and your data safe.

 

1.2. Does Dashboards support MFA?

Yes, Dashboards currently supports using a Token Authenticator as a 2nd-factor authentication means. We do not support SMS, e-mail, or other means at this time.

 

1.3 Is there anything I'll need?

Yes, there are a number of important things you'll need in advance before setting up a Dashboard with an MFA-enabled account.

 

i) Authenticator App

The first thing you'll need is an Authenticator App. These apps are used to generate One-Time Passcodes which you'll enter during authentication flows. Authenticator apps are generally installed onto your mobile device, and there are a number of free options available from the Google Play Store and Apple's App Store. We recommend either Google Authenticator or Microsoft Authenticator, but there are others available.

 

ii) A Service Account

OPTIONAL: Setting up dashboards under your own account is fine; however, we highly recommend that you create a least-privileged service account. What does least privileged mean? It means an account allocated the minimum permissions possible to access the data you wish to display.

Accounts should be configured in such a way that Token Authentication is the only option available as a 2nd factor of authentication. This is important because some authentication providers mix and match between all configured options and, as mentioned previously, Dashboards only supports Token Authentication.

 

We'll not be able to cover how to configure accounts for all identity providers, but here are a couple of articles for major providers.

Google Account

Microsoft Account

 

iii) Secret Key

If you need further support on how to use or manage a secret key, please click here for an instructional guide from Google on how to use secret keys. Secret keys are often confused with the 6 digit One-Time Passcodes generated in your Authenticator app; they are linked but are two entirely different things.

 

2. How do I configure MFA on a Dashboard?

2.1. After you have completed a One-Time Passcode field during an authentication flow, you'll notice that the new action created in the Recorder indicates that it requires a secret key to be entered. If the ScreenCloud extension detects the One-Time Passcode, you'll also see a notification pop up in your journey window.

 

 

2.2. In the image below, Action 7 highlights that it needs additional information before it is fully configured. Clicking on the action's cog icon will open its configuration window.

 

 

2.3. Firstly, you'll need to input a credential name. This can be anything, but ideally it should be something that will allow you to identify the credential. Secondly, you'll need to input the secret key you recorded from the previous section. Once done, click the Save button.

That's it. Once you save, you'll see that the warning message has disappeared.

 


 

3. Secret Keys

3.1. You may find yourself wondering where those 6 digit numbers your phone generates for you to log onto applications come from. On the surface the answer is simple: those numbers are the product of a mathematical algorithm running over a seeded value. The seeded value is your secret key. Please note, additional information regarding the algorithm that generates these values is available through the authenticator providers directly, such as Google.


 

3.2. You could be thinking "I have set up numerous accounts on my authenticator app and have never seen a secret key!". The likely reason for this is that the vast majority of user flows you will come across when setting up an authenticator display what is known as a QR code. It's very convenient to scan with your phone's camera without giving a second thought to what is going on behind the scenes.

 

3.3. The QR code you are scanning can contain a number of pieces of information, however, we are only interested in 2 of them; the account name and a secret key. It is usually recommended that you take a copy of your QR code or the secret key to prevent being permanently locked out of your accounts in the event your device is lost, stolen, or damaged.

 

3.4. Accompanying these QR codes there is generally a link that says something along the lines of "Can't scan QR code" or "Enter code manually". If you click on the link it will instead display your secret key. You will need this value for setting up Dashboards that use accounts that are dependent on authenticator codes to be able to log in.


Some account providers will re-generate this QR code whenever you switch between QR, manual entry, and vice versa. Therefore it is important that you enter the code manually into your authenticator app and make sure to take a copy of it and keep it in a safe place for future reference.
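
As an added illustration of sections 3.1 and 3.3 (not ScreenCloud's or any provider's own code), the Python example below parses the kind of `otpauth://` URI an enrollment QR code encodes and derives 6 digit codes from the secret key with the standard time-based algorithm (RFC 6238). It assumes the common defaults of HMAC-SHA1, 6 digits and a 30-second step; the sample URI, account name and secret are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs, unquote

# Constructed sample: the kind of otpauth:// URI an enrollment QR code encodes.
# The account name is made up; the secret is the published RFC 6238 test key.
SAMPLE_URI = ("otpauth://totp/Example:dashboards-svc%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")


def parse_otpauth(uri):
    """Return (account_name, secret_key) from an otpauth://totp/ URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a time-based otpauth URI")
    label = unquote(parts.path.lstrip("/"))
    account = label.split(":", 1)[-1].strip()  # drop the optional "Issuer:" prefix
    params = parse_qs(parts.query)
    if "secret" not in params:
        raise ValueError("URI carries no secret key")
    return account, params["secret"][0]


def decode_secret(secret_key):
    """Base32-decode a secret as shown on 'enter code manually' screens."""
    # Providers often display the key in lowercase groups separated by spaces.
    cleaned = secret_key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore stripped Base32 padding
    return base64.b32decode(cleaned)


def totp(secret_key, unix_time, digits=6, step=30):
    """Compute the RFC 6238 code for the given time (HMAC-SHA1 assumed)."""
    counter = struct.pack(">Q", int(unix_time) // step)  # 30-second window number
    mac = hmac.new(decode_secret(secret_key), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation per RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    import time
    account, secret = parse_otpauth(SAMPLE_URI)
    print(account, totp(secret, time.time()))
```

Anyone holding the secret key can compute valid codes for any point in time, which is why the copy you keep should be stored as carefully as a password.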

 


 

4. Configuring a Google / G-Suite Account

If you would like to use 'Login with Google' when logging into your dashboards, then the account's security settings must be set up in a particular way.

 

What you'll need:

  • A Google or G-Suite account (we highly recommend using a service account)
  • Your authenticator secret key (don't have it, don't worry, we can create a new one)
  • An app to produce One-time passcodes (Google Authenticator, Microsoft Authenticator, Authy)

 

4.1 Setting up an authenticator

Your Google account needs to be set up to use an authenticator as a means of second-factor authentication. This means entering what is known as a 'One-time Passcode' when you are logging into your account.

Find which of the following 3 flows suits your situation and use them as a guide to set up your account.

 

4.1.1. My account is already set up to use an authenticator and I have my secret key.

Fantastic, you're all set. Head to section 4.2.

 

4.1.2. My account is already set up to use an authenticator, but I do not have my secret key.

The secret key is non-recoverable after an authenticator has been set up. So the first step is to remove your authenticator from your account.

 

Navigate to your account's 'Security' settings and scroll to the 'Signing in to Google' section. Click on the 2-Step Verification panel. You may be asked to re-enter your password at this point.

 

 

Click on the delete icon next to your authenticator app. Continue onto section 4.1.3.

 

4.1.3. My account has not yet been set up to use an authenticator

4.1.3.1. Set up a recovery phone

In order to enable 2-Step Verification on your account, you must first have an associated recovery phone. If you already have a recovery phone set up, skip to section 4.1.3.2.

 

Navigate to https://google.com and log into your account. Once done, click on your badge on the top right and click 'Manage your Google Account'

 

Click on the 'Security' menu located on the left-hand menu, then scroll down to the 'Ways that we can verify it's you' section.

 

Within the 'Recovery Phone' section, click on the 'Add a mobile phone number' link. You will likely be asked to re-enter your password at this point. Once done, click the 'Add Recovery Phone' link.

 

Add your phone number when prompted and click the 'Next' button. Google will then send you a verification code which you must provide in order to finalize the association. Continue to section 4.1.3.2.

 

4.1.3.2. Set up authenticator and record secret key

 

Navigate back to the 'Security' menu and scroll down to the 'Signing in to Google' section. Click on the 2-Step Verification panel.

 

Click 'Get Started' on the introduction page

 

Click 'Continue' through the 'Use your phone as your second step to sign in' page

 

Choose whether you'd like to configure a backup number or whether you'd prefer to take a copy of the backup codes (by clicking on 'Use another backup option'). Either click 'Send' or 'Next' depending on which option you choose.

 

If you choose to receive by phone, then input the code you receive as an SMS into the textbox provided and click the 'Next' button.

 

Click on the 'Turn On' button. Then on the 2-Step Verification screen scroll down to find the 'Authenticator app' option and click 'Set up'

 

Select whether you are using an Android or iPhone device and click 'Next'

 

Please note, before scanning the QR code, click on the 'Can't Scan It?' link.

 

Take a copy of the secret key provided and keep it safe; this is what you'll need to provide when setting up your dashboards using Google Auth flows. It is good practice to keep a copy of all your authenticator codes, stored safely, just in case something happens to your phone.

 

Open your authenticator app, and click Add using a setup key - please note, do not click back as this will generate a new key.

 

If you are using Google Authenticator, open the app and click on the ‘+’ icon on the bottom right, selecting the ‘Enter a setup key’ option. Once here enter an account name (usually your email address or the name of the application) and then your Secret Key. It is also important to ensure that the ‘type of key’ is ‘Time based’.

 

If you are using Microsoft Authenticator, open the app and click on the ellipsis (3 dots) on the top right and select the ‘Add Account’ option. When asked what kind of account you are adding, select ‘Other account’. Your camera will now pop up; select ‘OR ENTER CODE MANUALLY’ at the bottom. Once here, enter an account name (usually your e-mail address or the name of the application), then your Secret Key, and click on the ‘Finish’ button.

 

Once done, click ‘Next’.

 

Your authenticator app should now be producing 6 digit codes for your Google account. Input the latest code into this field and click 'Verify'.

 

You should then see a 'Finished' screen. Click 'Done' and move onto section 4.2.

 

4.2. Remove recovery email and phone

If your account is configured with additional modes of verification, this could add unpredictable changes to your dashboard journey, meaning that we cannot guarantee that we will be able to display it.

 

Navigate to your account's 'Security' options and scroll down to the 'Ways that we can verify that it's you' section. Once there, click on the 'Recovery phone' panel. You may be asked to re-enter your password at this point.

 

Click on the delete icon next to your recovery phone number and then click 'Remove Number' in the confirmation modal.

 

Repeat these steps for 'Recovery email', then continue to section 4.3.

 

4.3. Sign out of mobile devices

In order to prevent your phone from prompting you every single time your dashboard is rendered, you'll need to sign out of your device.

 

Navigate to 'Manage your Google Account' and click the option 'Security' on the left-hand menu. Once done, scroll to the 'Your devices' section and click on the 'Manage devices' link.

 

For any mobile device on the 'Your devices' page, click on the ellipsis on the top-right of the card and then click on the 'Sign out' option, and confirm by clicking 'Sign out' on the prompt.

 


 

5. Configuring an Outlook / Office365 Account

If you would like to use 'Login with Microsoft' when logging into your dashboards, then the account's security settings must be set up in a particular way.

What you'll need:

  • An Outlook or Office 365 account (we highly recommend using a service account)
  • Your authenticator secret key (don't have it, don't worry, we can create a new one)
  • An app to produce One-time passcodes (Google Authenticator, Microsoft Authenticator, Authy)

5.1. Setting up an authenticator

Your Microsoft account needs to be set up to use an authenticator as a means of second-factor authentication. This means entering what is known as a 'One-time Passcode' when you are logging into your account.

The following guide will run you through the process of setting up your account to work with ScreenCloud Dashboards.

 

5.1.1. My account is already set up to use an authenticator and I have my secret key.

Fantastic, you're all set. Head to section 5.2.

 

5.1.2. My account is already set up to use an authenticator, but I do not have my secret key.

OK, the secret key is non-recoverable after an Authenticator has been set up. So the first step is to remove your authenticator from your account.

 

Navigate to your 'Microsoft Account' and click on the 'Security' card.

 

On the 'Security' page, click on the 'Advanced security options' card.

 

Under the 'Advanced security' section, click 'Turn off' on the Two-step verification tile and click the 'Yes' button in the subsequent prompt. At this point, you may be prompted to re-enter your password.

 

Then under the 'Ways to prove who you are' section, expand the 'Enter a code from an authenticator app' row, click on the 'Remove' button and click on 'Yes' when prompted.

 

Continue onto section 5.1.3.

 

5.1.3. My account has not yet been set up to use an authenticator

Navigate to your 'Microsoft Account' and click on the 'Security' card.

 

On the 'Security' page, click on the 'Advanced security options' card.

 

Under the 'Advanced security' section, click 'Turn on' within the Two-step verification tile and click 'Next' on the 'Set up two-step verification' page.

 

Ensure that 'An app' is selected in the 'Verify my identity with:' dropdown menu and then click on the 'set up a different Authenticator app.' link.

 

At this point you will see a QR code. Please do not scan it using your phone; instead, click on the 'I can't scan the barcode' link.

Here is where you will find your secret key. This is the value that we'll need when setting up your dashboards, so please take a copy of it and store it in a safe place. Now you will need to set up your Authenticator App by manually entering your Secret Key.

 

i) Google Authenticator

If you are using Google Authenticator, open the app and click on the ‘+’ icon on the bottom right, selecting the ‘Enter a setup key’ option. Once here, enter an account name (usually your email address or the name of the application) and then your Secret Key. It is also important to ensure that the ‘type of key’ is ‘Time based’.

 

ii) Microsoft Authenticator

If you are using Microsoft Authenticator, open the app and click on the ellipsis (3 dots) on the top right and select the ‘Add Account’ option. When asked what kind of account you are adding, select ‘Other account’. Your camera will now pop up; select ‘OR ENTER CODE MANUALLY’ at the bottom. Once here, enter an account name (usually your e-mail address or the name of the application), then your Secret Key, and click on the ‘Finish’ button.

 

After this has been done, enter the 6 digit code generated on your app into the field at the bottom and click 'Next'.

 

Click 'Next' through the 'Setting up your smartphone with an app password' page and 'Finish' through the 'Some other apps and devices need an app password too' page.

 

5.2. Remove other 2nd Factor mechanisms

If your account is configured with additional modes of verification, this could add unpredictable changes to your dashboard journey, meaning that we cannot guarantee that we will be able to display it.

 

Navigate to your account's 'Advanced security' menu and confirm that the only options under the 'Ways to prove who you are' section are:

  • Enter password
  • Enter a code from an authenticator app

 

If there are other options such as E-mail or SMS, then please expand these options and click on 'Remove'.

 

If you have any additional questions or feedback on using the ScreenCloud Dashboards feature with ScreenCloud, please feel free to reach out to our support team at support@screencloud.com or give us a call at our toll-free support line at +18885575335.

 
