This article explains how to set up two-factor authentication (2FA) for a Giosg account, how login works once it is enabled, and how to disable it or change the device.
1. User profile
The user navigates to their profile, or uses the direct link to the setup page at https://service.giosg.com/identity/setup-2fa.
2. Setup page
The user gives the device a descriptive name, for example "Work phone", and then clicks "Enable 2FA".
3. Confirm device page
On the confirmation page the user taps "Plus" in their authenticator app and scans the provided QR code to set up 2FA for the device. After this, a time-based one-time password (TOTP) token is visible in the app on their device.
The account name will be in the form "Giosg: user@email.com".
Once the authenticator app has been set up, the user confirms the device in Giosg by entering the current token. The device does not become active until this step has been completed.
The user is also asked to copy the backup codes and store them in a safe place. These codes can be used to log in and to disable 2FA if the device is lost. Each backup code can be used only once.
4. Success
After the user has entered a correct two-factor authentication token, the device is confirmed and a success page is shown.
From this point on, the user must provide a correct token each time they log into the Giosg platform. A token is also required when disabling two-factor authentication.
Login flow with two-factor authentication enabled
1. Login page
When a user has two-factor authentication enabled, the login page looks normal until they have entered their correct email and password.
2. Two factor authentication
After the user has provided correct credentials, they are asked for a two-factor authentication token. This can be either the time-based code from their authenticator app or one of the backup codes. Each backup code can be used only once.
3. Success or failure
If the user enters a correct two-factor authentication token, they are logged in normally. If the token is incorrect, they are not logged in, even though the email and password were correct, and an error is shown.
Disabling 2FA or changing the device
1. Go to the setup page or directly to the disabling page at https://service.giosg.com/identity/disable-2fa
To disable two-factor authentication, users can go to the setup page from their profile or directly to the disabling view. If users open the setup view after two-factor authentication has already been set up, they are told that only one device is supported, and the page links to the disabling process.
2. Disabling view
Users are shown a warning that disabling 2FA will weaken their account security. To proceed, they must enter a correct token from their authenticator app or use one of their backup codes.
If the token is correct, all 2FA devices are removed from the account and the user no longer needs to enter a two-factor authentication token when logging in.
Users must follow this same process if they want to change devices.
3. Disabling completed
When the configured two-factor authentication device has been removed, the user is redirected back to the start of the process. They can then add a new device or keep their account without two-factor authentication.
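The three flows above (confirming a device during setup, checking the second factor at login, and removing the device when disabling) all rest on the same two checks: a time-based one-time password and a set of single-use backup codes. The following is an added example, not Giosg's own code, of how a service can model them with only the Python standard library. The TOTP routine follows RFC 6238 (HMAC-SHA1, 6 digits, 30-second steps); the `Account`, `enroll_device`, `confirm_device`, `verify_second_factor` and `disable_2fa` names, the ±1-step drift window, the 8-code backup set and the rule that only a TOTP (not a backup code) can confirm a new device are assumptions made for illustration.

```python
# Added example (not Giosg's code): server-side model of the 2FA flows on this page.
# Assumed names: Account, enroll_device, confirm_device, verify_second_factor, disable_2fa.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
from urllib.parse import quote

STEP = 30      # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6
WINDOW = 1     # assumption: accept one step before/after to tolerate clock drift


def totp(secret_b32: str, at: Optional[float] = None, step_offset: int = 0) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the same value the authenticator app shows."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int((time.time() if at is None else at) // STEP) + step_offset
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** DIGITS
    return f"{code:0{DIGITS}d}"


def otpauth_uri(secret_b32: str, email: str, issuer: str = "Giosg") -> str:
    """Content of the QR code; the account label takes the form 'Giosg: user@email.com'."""
    label = quote(f"{issuer}: {email}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&digits={DIGITS}&period={STEP}")


def _hash_code(code: str) -> str:
    # Backup codes are stored hashed, so a database leak does not reveal them.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class Account:
    email: str
    secret_b32: Optional[str] = None   # pending or active device secret
    device_name: Optional[str] = None
    device_active: bool = False        # True only after the device has been confirmed
    backup_hashes: Set[str] = field(default_factory=set)  # hashes of unused backup codes


def enroll_device(acct: Account, device_name: str) -> Tuple[str, List[str]]:
    """Setup steps 2-3: create a pending device; return the QR URI and the backup codes."""
    acct.secret_b32 = base64.b32encode(secrets.token_bytes(20)).decode()
    acct.device_name = device_name
    acct.device_active = False
    codes = [secrets.token_hex(4) for _ in range(8)]   # shown to the user once
    acct.backup_hashes = {_hash_code(c) for c in codes}
    return otpauth_uri(acct.secret_b32, acct.email), codes


def _check_totp(acct: Account, token: str, at: Optional[float] = None) -> bool:
    if acct.secret_b32 is None:
        return False
    return any(hmac.compare_digest(totp(acct.secret_b32, at, k).encode(), token.encode())
               for k in range(-WINDOW, WINDOW + 1))


def _consume_backup(acct: Account, token: str) -> bool:
    """Backup codes are single-use: a matching hash is removed on success."""
    h = _hash_code(token)
    if h in acct.backup_hashes:
        acct.backup_hashes.discard(h)
        return True
    return False


def confirm_device(acct: Account, token: str, at: Optional[float] = None) -> bool:
    """Setup step 3: the device becomes active only after a correct TOTP is entered."""
    if not _check_totp(acct, token, at):
        return False
    acct.device_active = True
    return True


def verify_second_factor(acct: Account, token: str, at: Optional[float] = None) -> bool:
    """Login step 2 and disabling step 2: TOTP from the app or one unused backup code."""
    if not acct.device_active:
        return False
    return _check_totp(acct, token, at) or _consume_backup(acct, token)


def disable_2fa(acct: Account, token: str, at: Optional[float] = None) -> bool:
    """Disabling step 2: remove the device and all backup codes once a correct token is given."""
    if not verify_second_factor(acct, token, at):
        return False
    acct.secret_b32 = None
    acct.device_name = None
    acct.device_active = False
    acct.backup_hashes.clear()
    return True
```

Two points worth noting in the model: `verify_second_factor` refuses any token while the device is still pending, which is what keeps an unconfirmed device from protecting (or locking) the account, and a used backup code is deleted rather than flagged, so it cannot be replayed even if the same request is submitted twice.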