Two-Factor Authentication
Macula servers support two-factor authentication (2FA) for Macula Console and Macula Monitor logins. It is disabled by default and is turned on via server policies. When 2FA is enabled, every user who connects to your Macula server and is not exempted must enter both their password and a one-time code delivered to them. Users thus prove their identity not only with something they know (the password) but also with something they have (access to the email account or phone). By default, the policy applies to all users; you can exempt individual users from 2FA in their permissions.
Terminology:
session: an established connection between client and server once the user logs in
code: a numeric one-time code sent to the user by email or text message
notification provider: an SMTP server or a GSM modem that will relay the notification
The recommended order is: first create a notification provider, then fill in all the settings and save, and only then enable and test 2FA.
2FA Settings
2FA is configured via server settings: in the Configuration section, choose Servers on the left, then double-click your server to open its properties. For a Macula Global system, make sure to open the properties of the central management server.
The following settings are available here (default values in parentheses):
Enable two-factor authentication (disabled): if selected, additional authentication will be required for server login.
Set up notification providers (button): opens the dialog where you set up the providers (email servers or GSM modems) that will be used for sending out authentication codes.
Session expiration time (1 day): if the server drops a client's connection, the user can reconnect within this period without entering a new code; after this period, or after any disconnect initiated by the user, the second factor is required again.
Code expiration time (00:05:00, i.e. 5 minutes): the period during which a sent code is valid, counted from the moment it is sent; after it, the user must request another code.
Code generation interval (00:00:10, i.e. 10 seconds): the minimum time between two consecutive code requests; the user cannot request a code more frequently.
Skip for localhost connection (enabled): if enabled, 2FA is not applied to connections from localhost. This protects you from being locked out if the notification provider fails, but it also means that anyone who can run the client on the server host itself logs in with a password only, so restrict local access to the server accordingly.
Subject ({SESSION_ID}): message subject line; can consist of text and macros (insert macros via right-click).
Body ({CODE}): main message part; can consist of text and macros (insert macros via right-click).
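To make the interplay of the three timers concrete, here is an added illustration of how code expiration, the code generation interval and session expiration fit together. It is not Macula's implementation and uses assumed names; the default values from the settings above are used as constants, and the clock is injected so that the behaviour can be stepped through offline. It also shows two details any such implementation should get right: codes come from a cryptographic random source and are compared in constant time.

```python
"""Model of the three 2FA timers: code expiration, code generation interval
and session expiration. Added illustration with assumed names; NOT Macula's
code. The clock ("now") is injected so the behaviour can be stepped through.
"""
from dataclasses import dataclass, field
from typing import Optional
import hmac
import secrets

CODE_EXPIRY = 5 * 60         # "Code expiration time", default 00:05:00
CODE_INTERVAL = 10           # "Code generation interval", default 00:00:10
SESSION_EXPIRY = 24 * 3600   # "Session expiration time", default 1 day


@dataclass
class TwoFactorPolicy:
    now: float = 0.0                                       # seconds; advanced by the caller
    last_sent: dict = field(default_factory=dict)          # user -> time of last code sent
    codes: dict = field(default_factory=dict)              # user -> (code, time sent)
    verified_at: dict = field(default_factory=dict)        # user -> time 2FA last passed
    dropped_by_server: dict = field(default_factory=dict)  # user -> how the session last ended

    def request_code(self, user: str) -> Optional[str]:
        """Issue a fresh 6-digit code, or None if the generation interval has not elapsed."""
        last = self.last_sent.get(user)
        if last is not None and self.now - last < CODE_INTERVAL:
            return None                                    # too soon since the last code
        code = f"{secrets.randbelow(10**6):06d}"           # CSPRNG; never random.randint for codes
        self.codes[user] = (code, self.now)                # a new request replaces the old code
        self.last_sent[user] = self.now
        return code

    def verify_code(self, user: str, submitted: str) -> bool:
        """Accept an unexpired, unused code; compare in constant time."""
        entry = self.codes.get(user)
        if entry is None:
            return False                                   # no outstanding code
        code, sent_at = entry
        if self.now - sent_at > CODE_EXPIRY:
            del self.codes[user]                           # expired: the user must request another
            return False
        if not hmac.compare_digest(code, submitted):
            return False                                   # wrong code; the outstanding code stays valid
        del self.codes[user]                               # single use
        self.verified_at[user] = self.now
        self.dropped_by_server[user] = None                # connected; no disconnect recorded yet
        return True

    def disconnect(self, user: str, by_server: bool) -> None:
        """Record whether the session ended by a server-side drop or by user logout."""
        self.dropped_by_server[user] = by_server

    def needs_second_factor(self, user: str) -> bool:
        """True unless the server dropped the user within the session expiry window."""
        verified = self.verified_at.get(user)
        if verified is None:
            return True                                    # never passed 2FA
        if self.dropped_by_server.get(user) is not True:
            return True                                    # user-initiated disconnect: re-authenticate
        return self.now - verified > SESSION_EXPIRY        # server drop: skip 2FA until the session expires


if __name__ == "__main__":
    p = TwoFactorPolicy(now=0.0)
    code = p.request_code("alice")
    p.now = 3.0
    print("re-request after 3 s:", p.request_code("alice"))             # None, interval not elapsed
    p.now = 120.0
    print("verify after 2 min:", p.verify_code("alice", code))          # True
    p.disconnect("alice", by_server=True)
    p.now += 3600
    print("2FA needed 1 h after server drop:", p.needs_second_factor("alice"))   # False
    p.disconnect("alice", by_server=False)
    print("2FA needed after user logout:", p.needs_second_factor("alice"))       # True
```

The model deliberately keeps a wrong guess from consuming the outstanding code (a typo should not force a new request), while a successful verification consumes it, and a reconnect skips the second factor only when the previous session ended on the server's side within the expiry window.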
When you enable 2FA, a warning tells you that 2FA must be tested before the configuration is saved. This ensures that all the settings are correct and that 2FA actually works; otherwise, you or other users may be unable to log into the system at some point. The 2FA verification starts once you click OK to save the settings and close the window.
Settings to be verified before enabling 2FA:
make sure you have added a valid 2FA notification provider (SMTP server or modem)
add a contact email/phone number for each user
we recommend that you allow at least one administrative user account to log in without 2FA, or that you disable 2FA for localhost connections: this is to ensure that you do not lose access to the system if your 2FA notification provider fails or becomes unavailable
You can configure 2FA without enabling it, verify these settings, and then finally enable 2FA.

The best approach for 2FA configuration:
In 2FA settings, add a notification provider and adjust everything but do not enable 2FA yet, click OK to save.
Make sure your email server or GSM modem used as a notification provider is valid, and that all users have correct emails/phone numbers in their account properties.
Go to 2FA settings again and enable it, then go through the verification.
After you turn 2FA off, you will have to go through the settings verification again the next time you enable it. If you change the 2FA settings and enable 2FA in the same step, the test uses the previous message format and intervals, because it runs before the new settings are saved; the new settings are not saved until you pass the 2FA test.
Two-factor authentication is a recommended setting when you choose the highest cybersecurity level - the system will check if 2FA is enabled and remind you with a warning mark if it is not.
Set Up Notification Providers
You can set up one or more notification providers of each kind, to give your users an alternative if one of the providers does not work or is unsuitable for them.
To add a new notification provider, click the corresponding button in the 2FA settings. The dialog box lists the existing providers (none exist by default). Click the + New... button at the bottom, or use its drop-down arrow to see all options.
For each provider, specify:
Title: name that will be shown to the user (so make sure to include the communication means, e.g., Email via Office 365)
Mail server: for e-mail notification providers, choose one of the pre-configured SMTP servers
GSM modem: for messages, choose one of the pre-configured modems

If you have no pre-configured means of notification delivery, add them, and then return to this screen.
Click OK to save the provider, then click OK to go back to 2FA settings. All created providers will be shown to the user when they try logging in.
To edit an existing provider, use the pencil button on the top panel; to remove any of the items, select it and then click the Recycle bin button. Removed providers will be erased from the list, but the related email servers & modems will be preserved.