Two factor authentication (2FA) is available to improve security when a user accesses their account or certain organisation sites.
This article describes the settings and options available to administrators when 2FA is active. The articles 'Activate a Collaborate account and log in' and 'Log in with two factor authentication' describe how end-users experience 2FA.
Please note that the 2FA settings described here are not available if your instance uses Thomson Reuters accounts for user management.
Overview of 2FA
2FA provides extra security beyond the requirement to enter a password. If 2FA is enabled, account access requires evidence from two separate 'factors': the first is something only the user knows (the password), and the second is a one-time passcode that changes on every login and is either sent to the user by email or generated by an authenticator app on the user's device. Normally, this passcode is seen only by the user and only when needed (e.g. in their work email account or an authenticator app), and it is valid only for a short period of time.
2FA may be activated at the system (instance) or individual site level.
Instance-level 2FA settings
Click your profile icon and then select System Admin, System settings, and finally Two factor authentication in the menu on the left.
The Two factor authentication screen allows you to set which users receive which kind of authentication requests, including the ability to adjust settings for specific organisations:
Selecting users and organisations that require 2FA
Use the selection boxes at the top of the panel to select which users must enter a 2FA passcode when they log in to Collaborate:
- All users - Every user in an instance of Collaborate will be subject to 2FA (Email or App)
- System Admins - For additional security, all System Administrators should be subject to 2FA
This setting will apply to all System Administrators from all organisations. Different 2FA methods can be selected for administrators and users.
- Specific Organisations - If this option is selected, a field will be displayed below where a System Administrator can enter the names of organisations where the members will be subject to 2FA.
For example, if the System Administrator enters the organisation name 'Abbot, Baker & Chadwick' (an example law firm that had licensed that instance of Collaborate) then every user from Abbot, Baker & Chadwick would be required to enter a passcode when logging in.
This setting is useful when certain users, but not all users, in an instance require 2FA, or require a different type of 2FA authentication.
You can add multiple organisations; each entry sets the 2FA requirement for the members of that organisation, so members of different organisations can be subject to different 2FA methods.
If a user is not a member of an organisation, nor a system admin, then they are subject to the selection chosen for All users.
Choose the authentication method
By default, the passcode is sent by Email to the user's registered email address. If Authenticator/HighQ apps or Authenticator app is selected then no email will be sent; instead, the user must use an authenticator app to generate the passcode.
- Email sends the passcode to the email address associated with the user's account
- Authenticator/HighQ apps allows the user to either download and use a third-party app (e.g. Google Authenticator or PingID) or a HighQ app (HighQ Drive or HighQ Stream)
- Authenticator app only allows the user to choose a third-party app (e.g. Google Authenticator or PingID)
If the setting is Authenticator/HighQ apps and is later changed to Authenticator app, then any user who has paired with a HighQ app has their 2FA status forcibly reset. They must perform the entire pairing process again with a third-party authenticator app.
Time available to enter a passcode
Passcode expiry time determines how long a user has to enter a passcode after it has been sent. Any number of minutes can be selected, but it is suggested that this time is not set lower than two minutes, so that users have enough time to receive the email and enter the passcode. Bear in mind that a longer expiry also widens the window during which an intercepted or forwarded passcode remains usable, so do not set it much higher than email delivery latency requires. If the passcode has expired by the time the user tries to enter it, a replacement passcode is sent to the user.
Allow a device to be trusted
By default, when 2FA is enabled, each time an affected user logs in or starts a new session, they will be asked to enter a 2FA passcode. However, users may be permitted to trust a device.
A 'device' is a combination of (1) the computing device a user is using, such as a Windows PC, Mac, iPad, smartphone, etc., and (2) the browser the user is using.
If a device, such as a work computer, has been trusted, the user will no longer need to enter a passcode when accessing Collaborate from that specific device and browser. Trusting a device ('Passcode remember me') is an optional configuration setting that can be enabled if needed. If enabled, there is a choice between allowing users to trust any device or allowing them to trust only desktop devices.
The next setting determines the duration that a device can be trusted, in days. For example, if the duration is set for 30 days, then for 30 days after the device is trusted, a user will not need to enter a passcode when accessing Collaborate from that device. But after this, the user will again be asked to enter a passcode, at which time the user can also choose to trust the device for another 30 days.
Site-level 2FA settings
In addition to the instance-level 2FA options on the System settings page, 2FA can be required for specific sites in an instance, or a site can be restricted to require a limited selection of authentication apps.
Enable two factor authentication in Admin > Security (under Site Settings).
When 2FA is enabled at the site level, any time a site user tries to access the site, they will be prompted to enter a passcode. Until a user signs in, the site contents will neither appear in search results nor in places where content may be selected from a list of sites, such as when embedding a link to site content.
The authentication-method options at site level are the same as at instance level, and the site-level selection is independent of the instance-level setting:
- Using Email sends the passcode to the email address associated with the user's account
- Using Authenticator/HighQ apps allows the user to either download and use a third-party app (e.g. Google Authenticator or PingID) or a HighQ app (HighQ Drive or HighQ Stream)
- Using Authenticator app only allows the user to choose a third-party app (e.g. Google Authenticator or PingID)
Email or app authentication
Email
If the Email option is selected, the passcode is sent to the email address associated with the user's account, usually a work email address. Under normal conditions, only the user has access to their email account. This also means the second factor is only as strong as the protection on that mailbox: anyone who can read the user's email can read the passcode, so the mailbox itself should be protected (for example with its own 2FA).
Authenticator app
If Authenticator/HighQ apps or Authenticator app is selected, and the user is using a third-party authentication app, the authenticator app generates passcodes, typically on the user's phone (for example Google Authenticator, Microsoft Authenticator or Cisco Duo). The user must then enter the given passcode to access the site.
If the user is using a HighQ app (HighQ Drive or HighQ Stream) as the authenticator, the app automatically generates a notification that grants access to the site.
If the user is using a third-party authentication app, after logging in to the site with their username and password for the first time, a QR code is displayed. The app scans this code to identify the site and to obtain the secret from which it generates valid passcodes, so the code should only ever be scanned on the user's own device.
To see an example describing how to log in with Google Authenticator, see Log in with two factor authentication. The user should install the app (for example, from the Play Store or App Store) before logging in.
The user MUST keep the Authenticator app on their device and use it each time they log in (unless they have chosen to trust a device). If they reinstall the authenticator app or change device, they must contact their System Admin to reset their account's 2FA settings in User Administration.
When is a passcode required?
For system-level 2FA, a passcode will be requested when a user who is subject to the 2FA requirement starts a new session. This happens both when a user logs in manually and when they have selected the 'Remember me' option on the login page, which lets them skip the password prompt on that device.
When a user who has selected 'Remember me' attempts to log in, they will not be asked to enter a password, but they WILL be asked to enter a passcode. If a 'Remember me' user's session has expired while they are in a Collaborate page and the user attempts to perform an action, they will first be asked to enter a passcode.
If 2FA is applied at the site-level, the same rules apply except the 2FA prompt will appear when attempting to access the site.
Exceptions for all users
The requirement to enter a passcode before accessing a site is subject to certain exceptions:
- A 2FA passcode only needs to be entered once in any session. The requirement has therefore already been satisfied if:
  - the 2FA requirement is applied to the user's organisation and a 2FA passcode was entered during login,
  - the user was required to enter a 2FA passcode when accessing another site, or
  - the user had previously entered a 2FA passcode to access the same site.
- If the user has used Single Sign-On, then no passcode will be required when entering a site associated with that Single Sign-On.
Exceptions for administrators
The 2FA requirement does not apply when a System Administrator attempts to proxy log in as another user.
Removing trusted status from a device
If a user has chosen to trust a device and then wants Collaborate to 'forget' that device, the user can simply manually log out from that device and it will be forgotten.
Incorrect passcodes and locking an account
If a user enters an incorrect or expired passcode three times in a row, that user's account will be locked, just as if they had entered their password incorrectly three times in a row. As with a password lockout, the user may then reset their password.
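As an added illustration of the expiry rule (see Time available to enter a passcode) and the lockout rule above, the following is a minimal server-side model of the Email option. It is example code written for this article, not Collaborate's implementation: the six-digit passcode length, the choice to store only a hash of the passcode, and the send_email callback standing in for the mail gateway are all assumptions. It shows the three behaviours the text describes: an expired passcode triggers a replacement rather than counting as a failure, three wrong entries in a row lock the account, and a correct entry clears the failure count.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_FAILURES = 3        # from the article: three wrong passcodes in a row lock the account
PASSCODE_DIGITS = 6     # assumption: the article does not state the passcode length


@dataclass
class PasscodeState:
    digest: bytes       # hash of the outstanding passcode; the clear text is never stored
    expires_at: int     # Unix time after which the passcode is no longer accepted
    failures: int = 0   # consecutive wrong entries
    locked: bool = False


class EmailPasscodeService:
    """Hypothetical model of the Email 2FA option. `send_email(user, code)` stands in
    for the mail gateway; the example test captures what it is given."""

    def __init__(self, expiry_minutes: int, send_email):
        self.expiry_seconds = expiry_minutes * 60
        self.send_email = send_email
        self.states = {}

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user: str, now: int) -> None:
        """Generate a fresh passcode with a CSPRNG, email it, and keep only its hash.
        Failure count and lock status survive a re-issue."""
        code = str(secrets.randbelow(10 ** PASSCODE_DIGITS)).zfill(PASSCODE_DIGITS)
        prev = self.states.get(user)
        self.states[user] = PasscodeState(
            digest=self._digest(code),
            expires_at=now + self.expiry_seconds,
            failures=prev.failures if prev else 0,
            locked=prev.locked if prev else False,
        )
        self.send_email(user, code)

    def verify(self, user: str, submitted: str, now: int) -> str:
        """Returns 'ok', 'expired' (a replacement has been sent), 'wrong', 'locked',
        or 'none' when no passcode is outstanding for the user."""
        state = self.states.get(user)
        if state is None:
            return "none"
        if state.locked:
            return "locked"
        if now > state.expires_at:
            # Expiry is not the user's fault: send a replacement, do not count a failure.
            self.issue(user, now)
            return "expired"
        if hmac.compare_digest(state.digest, self._digest(submitted)):
            del self.states[user]          # passcode is single-use; failures reset
            return "ok"
        state.failures += 1
        if state.failures >= MAX_FAILURES:
            state.locked = True
            return "locked"
        return "wrong"


if __name__ == "__main__":
    outbox = []
    svc = EmailPasscodeService(expiry_minutes=2, send_email=lambda u, c: outbox.append((u, c)))
    svc.issue("alice@example.com", now=1000)
    print("mail sent:", outbox[-1])
    print("entered 3 minutes later:", svc.verify("alice@example.com", outbox[-1][1], now=1180))
    print("replacement sent:", outbox[-1])
    print("correct replacement:", svc.verify("alice@example.com", outbox[-1][1], now=1190))
```

Two details matter more than they look: the comparison uses hmac.compare_digest so that a wrong guess cannot be timed against the stored value, and the failure counter is kept across re-issues, so an attacker cannot reset it simply by waiting for the passcode to expire.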
Use cases
2FA can be useful to ensure that former employees who previously had access to one or more sites no longer have access. After an employee leaves a company, they typically lose access to their work email account. If Email 2FA is enabled and the user's account is still active, a former employee who attempts to log in would not be able to access the site, because they cannot read the passcode sent to their work email. Note that this only holds for the Email method and only for untrusted devices: a former employee who paired a third-party authenticator app still holds the passcode generator, and a device they trusted skips the passcode prompt until its trust period ends. Disable the account in User Administration rather than relying on 2FA alone.