This article is intended to inform administrators on how to configure MFA in Issuetrak. If you are not an administrator, then you should instead view the steps for configuring MFA as a user in the My Settings article.
Issuetrak natively supports multi-factor authentication (MFA) for users that use Issuetrak authentication.
There are two supported methods of MFA. You may select only one method to use per user account:
- Time-based One-Time Passcode (TOTP) - An app such as Google Authenticator or Authy generates a 6-digit passcode that the user must enter in addition to their Issuetrak credentials.
- Email-based one-time passcode - After entering their credentials, the user is emailed a one-time passcode that must also be entered to access Issuetrak. This requires that the user has a valid email address and that Issuetrak has Outgoing Email configured and functional.
Additionally, you may decide to require all of your users to use MFA. Note that once you set the option to require MFA in your site, all Issuetrak-authenticated users with valid email addresses that haven't configured MFA will then be enrolled in email one-time passcode MFA. Users who do not have MFA set up and don't have an email address will not be able to log in.
Time-Based One-Time Passcode (TOTP)
One of the available MFA options is to configure a mobile device to provide a new six-digit one-time passcode every 30 seconds, which users will enter on a screen following the usual Issuetrak login prompt.
How to Configure
You can assist an Issuetrak-authenticated user with configuring TOTP if they are able to visit your workstation in person, or if you are able to share your screen.
Steps:
- Sign into Issuetrak as an administrator.
- Click the gear icon in the top-right corner to open the Settings lightbox.
- Click Users under the Entities header.
- Find and view the user account that needs TOTP configured.
- Under the Security Details header, click on Manage Multi-Factor Authentication.
- In the pop-up that appears, under the Authenticator header click on Configure. Note that if Email one-time passcode is already configured, you'll receive a pop-up asking you to confirm that you are invalidating that MFA method for this user.
- Have the user open their chosen MFA app on their phone (Google Authenticator, Authy, etc.) and scan the QR code that appears on your screen.
- Have the user provide the 6-digit number from the app. You will need to enter it on the screen underneath the Verify header, then click on Pair Device.
- The screen will pause for a moment and then display this user's Backup Codes. Each backup code can be used once to bypass the MFA prompt. Provide these codes to the user and ask them to keep these in a safe place.
- (Optional) Have the user test the functionality: They should authenticate to Issuetrak as they normally would. Once they enter their credentials and click Sign In, another screen will appear and they will be prompted to enter the 6-digit number from their authentication app. After successfully entering that number, they should be presented with their Issuetrak home screen.
Backup Codes
At the end of configuration in step 9 above, the user is presented with ten backup codes. A backup code is entered in place of the app-generated passcode, and each one can only be used once. If all backup codes for a user account have been used, it will be necessary to configure MFA for that user account again to generate new codes.
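The following is an added illustration, not Issuetrak's code: the standard RFC 6238 TOTP calculation that authenticator apps such as Google Authenticator perform, using the six-digit, 30-second parameters described above, together with a single-use backup-code check. The secret (the RFC test key), the clock-drift window, the replay guard, the backup-code format and all function names are assumptions made for the example.

```python
import base64, hashlib, hmac, secrets, struct, time

DIGITS, PERIOD = 6, 30          # six-digit code, new code every 30 seconds
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # constructed: RFC 6238 test key, base32

def totp(secret_b32, at):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // PERIOD)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def new_backup_codes(n=10):
    """Ten random single-use codes; the 8-hex-digit format is an assumption."""
    codes = set()
    while len(codes) < n:
        codes.add(secrets.token_hex(4))
    return codes

class MfaCheck:
    """Second-factor check: TOTP first, then single-use backup codes."""
    def __init__(self, secret_b32, backup_codes, drift_steps=1):
        self.secret = secret_b32
        self.backup = set(backup_codes)
        self.drift = drift_steps     # assumed tolerance for clock skew
        self.last_step = -1          # newest time step already accepted

    def verify(self, code, now=None):
        now = time.time() if now is None else now
        step = int(now) // PERIOD
        for s in range(max(0, step - self.drift), step + self.drift + 1):
            expected = totp(self.secret, s * PERIOD)
            # s > last_step rejects a code replayed inside its validity window
            if s > self.last_step and hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step = s
                return "totp"
        match = next((b for b in self.backup
                      if hmac.compare_digest(b.encode(), code.encode())), None)
        if match is not None:
            self.backup.discard(match)   # a backup code works exactly once
            return "backup"
        return None

if __name__ == "__main__":
    check = MfaCheck(SECRET, new_backup_codes())
    print(check.verify(totp(SECRET, time.time())))
    print(len(check.backup), "backup codes remain")
```

Because the code depends only on the shared secret and the current time, a phone whose clock is badly out of sync will produce codes the server rejects, which is the first thing to check when a correctly paired device fails to sign in.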
Email One-Time Passcode (OTP)
The other available MFA option is to have your Issuetrak instance generate and email each user a one-time passcode when they correctly enter their Issuetrak credentials at the login prompt. After successfully entering their Issuetrak credentials, they will be presented with an MFA screen prompting them to enter the code they were emailed to complete the login process. This process repeats every time they sign into Issuetrak.
How to Configure
It is only possible to use Email OTP if Outgoing Email is properly configured in your site, and the target user has a valid email address associated with their user account. You can assist an Issuetrak-authenticated user with configuring an email OTP by triggering an initial passcode email to the user and then getting in touch with them to obtain the passcode.
Steps:
- Sign into Issuetrak as an administrator.
- Click the gear icon in the top-right corner to open the Settings lightbox.
- Click Users under the Entities header.
- Find and view the user account that needs email OTP configured.
- Under the Security Details header, click on Manage Multi-Factor Authentication.
- In the pop-up that appears, under the Email header click on Configure. Note that if an Authenticator App one-time passcode is already configured, you'll receive a pop-up asking you to confirm that you are invalidating that MFA method for this user.
- Have the user provide you with the passcode they were just emailed.
- Enter the passcode and click Verify.
- If successful, their account is now configured to email them a new passcode each time they successfully authenticate to Issuetrak.
- (Optional) Have the user test the functionality: They should authenticate to Issuetrak as they normally would. Once they enter their credentials and click Sign In, another screen will appear and they will be prompted to enter the one-time passcode from their email. After successfully entering that passcode, they should be presented with their Issuetrak home screen.
Remember Me (30 days)
When users are entering their MFA code to sign into Issuetrak, they can choose to check the box next to Remember me (30 days). Selecting this option will prevent Issuetrak from prompting the user for an MFA code for the next 30 days.