1. What is Two Factor Authentication (2FA)?
2FA stands for Two-Factor Authentication which is a special case of Multi-Factor Authentication. MFA is a security technique that uses more than one step to authenticate a user. For example, it can use something that the user knows (usually a password), something that the user has (a physical key, credit card, USB token, smartphone), and/or something that the user is (fingerprint, voice recognition, retina scan). We already use the first way (or factor) of authentication – you have to know your password to get access to your Kanbanize account. However, passwords alone do not provide the best security since there are various ways in which they can be stolen. So, if you are one of our customers who are concerned about the safety of their data, worry no more – we’ve got you covered! 2FA is available as an add-on (in combination with SSO) for subscription plans, you have to add it to your Kanbanize subscription:
Here’s how it works:
2. How to Set Up 2FA?
1. The Kanbanize Account Owners can turn on 2FA for each user (or all at once) from the Administration Panel:
2. Once 2FA has been enabled for a user the next time he or she tries to log in a 2FA setup screen will appear:
3. By following the instructions and scanning the QR, the user saves their personal 2FA secret key in our mobile app.
Set up complete!
3. How to Use 2FA?
1. The user tries to log in from the web. After entering their username and password a second screen appears asking for a One-time Password:
(Alternatively, the user can also verify the login from the confirmation request notification sent to their device from the Kanbanize mobile app.)
2. The user opens the Kanbanize app on their phone and goes to Menu > One-time Password:
3. Enters the current One-time Password in the web form:
It’s important to note that the setup screen appears only the first time after 2FA has been enabled. Once the setup is complete, you won’t be able to see your secret key again. So, if you want to use 2FA on more than one device, you should save your secret key on all of them before completing the setup. If at a later point you need to re-setup your 2FA you should ask the Kanbanize Account Owner to reset your 2FA key:
1. Open the Administration panel and click the three dots to open the User Menu.
2. Click “Reset 2FA key” (Note: this button will appear only if the user has already completed the setup of a 2FA key):
Now, what if you don’t have an iOS or Android device!? Don’t worry – we have a solution for you, too! Our implementation of 2FA is completely compatible with Google Authenticator and the numerous third-party compatible implementations that cover Blackberry, Windows Phone, and lots of other operating systems.
If after entering your 2FA key the OTPs that the app generates are invalid here are some things to check:
If you entered the key manually one obvious thing to try is entering it again to rule out typos (scanning the QR code saves you this trouble).
We already mentioned that in the setup screen but make sure your phone’s time is correct.
Ask your Kanbanize Account Owner to reset your 2FA key.
If nothing of the above helps or you have another problem, contact our support and we’ll help you solve the issue.
Also, one technical thing worth noting: once 2FA is enabled for a particular user it will affect not only the web login process but also our REST API. Generally, you use the API in two ways:
• Through our mobile apps
• Through a custom third-party app
As far as our apps are concerned you don’t have to worry about anything – once you set up 2FA on your device, the app will do what’s needed behind the scenes and you will continue using it as before. However, a problem may arise if you use our app on more than one device. In this case, you have to set up your secret key on all of them.
Using the API with 2FA through a custom third-party app will be a little more challenging! For every request (except for Login) you will have to supply an HTTP header named “otp” with the current valid One-time password. Use Google Authenticator’s time-based algorithm to generate OTPs. Before that, you will have to save your personal 2FA secret key in a secure place. Currently, Google Authenticator’s source code is proprietary but it was open-source until version 2.21 so you can use it as a reference here.