Two-factor authentication

Two-factor authentication (2FA) provides an additional layer of defense that helps prevent unauthorized users from accessing the Control Room. As an administrator, you can set up 2FA so that users validate their identity when logging in to the Control Room using both their user credentials and a second authentication factor.

How 2FA works

2FA is an additional authentication mechanism added to your login process. 2FA is disabled by default. The Control Room administrator configures 2FA for either all users or users with specific roles. Once 2FA is enabled, it applies to every Control Room user in that scope.

When you are assigned a role that requires 2FA, you must set up an authenticator application on your mobile or other device and establish a connection between the authenticator application and the Control Room. On subsequent logins, you will be prompted to enter, along with the username and password, a time-based one-time password (TOTP) from the authenticator application to complete the Control Room login.

Note: 2FA is not supported for Control Room setup using Active Directory (AD) or SSO. 2FA is supported only when the Control Room is the authentication provider.

Components

Three main components are used in 2FA.
  • Authenticator application: Installed on your mobile device, this application generates the TOTP for verifying your identity. Any authenticator application that supports the TOTP protocol, such as DUO or Google Authenticator, is supported.
  • Registered device: This is the mobile or other device that you register with the Control Room during first login after 2FA is set up. The TOTP is generated through this registered device, which is required any time you log in to the Control Room. If your registered device is lost or unavailable, you must request the Control Room administrator to delete the device, and you can add another device later. Therefore, we recommend that you set up more than one device and register each of them with the Control Room.
  • Time-based one-time password: This is a temporary password generated by an algorithm that uses the current time of the day as an authentication factor.

[Figure: 2FA components]
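
The TOTP component described above, as an added example that is not Control Room code or part of the original page: the authenticator application and the server each derive the code from a shared secret and the current time (RFC 6238), and the server checks it with drift tolerance and replay rejection. The 30-second period, six digits, HMAC-SHA-1, Base32 manual key and all function names are assumptions; the page does not state the Control Room's parameters.

```python
import base64
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA-1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time periods."""
    return hotp(secret, unix_time // period, digits)

def decode_manual_key(key: str) -> bytes:
    """Decode a manually typed Base32 key (assumed encoding; spaces tolerated)."""
    cleaned = key.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))

def verify(secret, submitted, unix_time, last_step=-1, skew=1, period=30, digits=6):
    """Server-side check; returns the matched time step or None.

    Tolerates +/- `skew` periods of clock drift, refuses a step at or before
    `last_step` (replay of an already-used code), compares in constant time.
    """
    if len(submitted) != digits or not (submitted.isascii() and submitted.isdigit()):
        return None
    current = unix_time // period
    matched = None
    for step in range(max(0, current - skew), current + skew + 1):
        expected = hotp(secret, step, digits)
        if hmac.compare_digest(expected, submitted) and step > last_step:
            matched = step
    return matched

# Constructed sample: the published RFC 6238 test secret, not a real enrollment key.
SECRET = decode_manual_key("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")

if __name__ == "__main__":
    code = totp(SECRET, 59)                        # authenticator side at t=59s
    print(code, verify(SECRET, code, 59))          # accepted in its own step
    print(verify(SECRET, code, 89))                # accepted: one period of drift
    print(verify(SECRET, code, 150))               # rejected: code has expired
    print(verify(SECRET, code, 59, last_step=1))   # rejected: replayed code
```

A server that stores the returned step as `last_step` for the user makes each code single-use, which is what stops a code observed during login from being replayed inside the drift window.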

Set up 2FA

  1. Enable 2FA in the Control Room.
    1. Log in to the Control Room as an administrator.
    2. Navigate to Administration > Settings > Security settings > Two factor authentication.
    3. Click Edit to configure the settings.
    4. Select Enable. This is not enabled by default.
    5. Choose the settings based on your requirements:
      • All users: Select this option to enable 2FA for all users who have access to the Control Room.
      • Selected roles: To enable 2FA for users with specific roles:
        1. From the Available roles column, search and select roles for which you want to enable 2FA.
        2. Move these roles to the selected column.
    6. Save your changes.
  2. Optional: If a user's registered (mobile) device is unavailable or changed, delete the device and register a new one.
    1. Log in to the Control Room as an administrator.
    2. Navigate to Administration > Users.
    3. Select the user that you want to edit. Hover over the action menu (vertical ellipsis) located to the right of the username and click View user.
    4. In the Authenticators section, select the device that you want to delete, click the delete icon, and confirm deletion.
  3. Set up an authenticator application and establish a connection between the authenticator application and the Control Room.
    1. Log in to the Control Room as a Citizen Developer or a Bot Creator (RPA Developer).

      Ensure that you have an authenticator application set up on your mobile device. During your first login, a QR code is displayed.

    2. Either scan the QR code using your authenticator application or manually enter the displayed code into the authenticator application.
    3. Enter the name of your authenticator and the new code generated in your authenticator application.

      This is a temporary code that is refreshed every few minutes based on your authenticator application.

    4. Click Confirm.

      Follow the next steps in the login flow: change your password and set the security questions. You will be successfully logged in to the Control Room. On subsequent logins, you must enter the code generated in your authenticator application and confirm.

  4. Optional: You can manage (add or delete) your authenticator device.
    1. Log in to the Control Room as a Citizen Developer or a Bot Creator (RPA Developer).
    2. On the Home page, click your username.
    3. Navigate to My settings > Two factor authentication.
    4. Click the plus (+) icon.
    5. Perform steps 3.b through 3.d.
    6. Optional: Select the device that you want to delete, click the delete icon, and confirm deletion.