Two Factor Authentication

Two-factor authentication is the process of logging in using two seperate methods to confirm an admin user's identity. If enabled, Kiva Logic uses email and text message as the two methods to identify an admin user.

To further secure admin accounts, two factor authentication can be enabled which will require all admin users to provide a cell phone number that they can receive a text message on for two factor authentication.

Login with Two Factor

After entering in the username and password, the admin user is take to the two factor authentication page.

two-factor.jpg

When the user clicks 'get code', the system will:

  • generate a random 6 digit code
  • hash the code and store it, along with a created timestamp, and an expiration timestamp 5 minutes into the future.
  • send a code via sms to the user's phone

code-sent.jpg

text-message.jpg

When the user enters in the code, it is compared with the stored hash, and if valid, completes the login process.

Restrictions

  • For each login attempt, admin users are allowed to try entering a code 3 times. After the third time, the login process is exited and the user is sent back to the main login page.
  • If the user exceeds more than 10 bad attempts in 24 hours without having a successful login, their account is suspended.
  • Codes expire after 5 minutes.
  • If any non-expired codes exist when a new code is generated, they are marked expired.
  • Each code also has the amount of failed attempts tracked with it
  • Log entries exist for each failed attempt, account suspensions, two-factor login process process starts, and succesful two-factor login.

Admin Email Notifications

2fa-notifications.jpg

Admin User Login with 2-factor authentication failed attempt

If an admin fails to complete the login process and has 3 failed attemps at entering in the correct code, this admin email notification is sent to any admin users that have it enabled.

Admin user suspended for too many failed authentication attempts

too-many-failed.jpg

If the user exceeds 10 attempts in a 24 hour period, they are suspended. This email notification is sent to any admin users that have it enabled. At this point, if the suspension was the result of human error, then you should restore the admin user's access by updating their admin type.

If possible nefarious activity is suspected, contact Kiva Logic support immediately and do not un-suspend the admin user.