| At line 1 changed one line | 
| In CrushFTP version 9 we can integrate our One Time Password (__[OTP|OTP Settings]__) based authentication feature with Google's software based token device __Google Authenticator__ , using Time based OTP (TOTP). The server provides a 80-bit secret key , on a per user basis, as a QR code, that can be imported using Authenticator's QR reader.\\ | 
| CrushFTP has One Time Password (__[OTP/MFA|OTP Settings]__) based authentication feature with Authenticator software-based token device (__Google Authenticator__ and __Microsoft Authenticator__), etc, using Time based OTP (TOTP) / MFA. The user can register a QR code into their Authenticator app.\\ | 
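Review bot: the rewritten line drops the one concrete security detail the old line carried, the size of the per-user secret (stated as 80 bits), without replacing it; if the secret length changed, state the new value, otherwise keep it, because administrators evaluating this feature want to know how strong the shared TOTP secret is. The new sentence also reads awkwardly ("feature with Authenticator software-based token device (...), etc") and reverses the enrollment direction: the user does not register a QR code into the app, the app scans the QR code the server displays. Suggest: "CrushFTP supports One Time Password (OTP/MFA) authentication with TOTP authenticator apps such as Google Authenticator and Microsoft Authenticator. The server shows the user a QR code containing a per-user secret, which the user scans with the app."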
| At line 3 changed 2 lines | 
| !!!Server side configuration\\ | 
| Will need to enable one of our __[OTP|OTP Settings]__ methods, using SMS or Mail based OTP, and enable the __Validated logins__ checkbox. The user needs to be able to log in at least once, using conventional __[OTP|OTP Settings]__.\\ | 
| !!1. Server side configuration\\ | 
| The config needs the URL set to __SMTP__ and the checkbox for __Validated Logins__ enabled.\\ | 
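Review bot: the new line is less precise than the one it replaces: "the URL set to SMTP" does not say which setting or where it lives, and the prerequisite that the user must be able to complete at least one conventional e-mail/SMS OTP login is gone, even though scenario 2 added later in this change still relies on an e-mail token for the first login. Suggest keeping that prerequisite and naming the path used elsewhere on the page: "In Preferences -> General Settings -> OTP, set the URL to __SMTP__ and enable __Validated Logins__. The user must be able to log in at least once with conventional e-mail OTP before enrolling an authenticator."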
| At line 8 changed one line | 
| The second step is to configure the user account with __Two Factor Authentication__\\ | 
| Next enable the two factor __QR code generator__ which will appear in the user's __User Options__ menu when they are logged in.\\ | 
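Review bot: "enable the two factor QR code generator" does not say where the administrator turns it on; the Prerequisites added further down in this change give the location (User Manager -> user -> Webinterface -> Available customizations, __Enable two factor registration__) and note that it can be set on the default or group template account so users inherit it. That path belongs here, in the numbered server-side steps an admin actually follows, rather than only in the scenarios section. Minor: "two factor" and "Two Factor" are capitalized inconsistently across the page; pick one form.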
| At line 10 changed one line | 
| [attachments|servercfg002.png]\\ | 
| [attachments|enable_two_factor.png]\\ | 
| * You can also force two factor registration, then the user has no choice but to enroll in it at their next login.  Set the customization flag __Two Factor: force Authenticator setup__ to true.  See the mini animated gif of the process below.\\ | 
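Review bot: "See the mini animated gif of the process below" refers to an attachment that does not appear anywhere in this change; attach it or drop the sentence. The bullet also introduces a second customization flag, __Two Factor: force Authenticator setup__, next to the __Enable two factor registration__ flag used in the Prerequisites below; one sentence making explicit that these are two different settings (the one named here forces enrollment at the next login, the other only makes the QR code generator available in User Options) would stop admins from mistaking one for the other. Also note the double space before "Set the customization flag".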
| At line 12 changed one line | 
| and enable the __QR code generator__\\ | 
| !!2. Client / token device configuration\\ | 
| The user will need to log in normally, generate the QR code from the client UI __User Options__ menu.\\ | 
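Review bot: "log in normally" is inconsistent with scenario 2 added further down, where a user whose account already has __Two factor OTP/SMS authentication__ enabled must first answer the e-mail token prompt before reaching User Options. Suggest: "The user logs in (answering the e-mail OTP prompt if two factor is already enabled on the account) and generates the QR code from the __User Options__ menu." The comma splice in "log in normally, generate the QR code" also needs an "and".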
| At line 14 changed one line | 
| [attachments|servercfg003.png]\\ | 
| [attachments|qr_otp.png]\\ | 
| At line 18 added 13 lines | 
| __This part must be done within 30 seconds or the QR code becomes invalid.__\\ | 
| 1.) Once they are ready and have the Authenticator app open on their mobile device, they click __Ready To Scan__.\\ | 
| 2.) Choose to scan the QR code, point the device towards the screen, and let it read in the QR code.\\ | 
| 3.) Next click __Confirm__ to save the same code to the server's user configuration.\\ | 
| \\ | 
| Google Authenticator\\ | 
| [{Image src='tokencfg002.png' width='272px' height='..' align='left'}]  [{Image src='tokencfg003.png' width='272px' height='..' align='left'}]\\ | 
| \\ | 
| Microsoft Authenticator\\ | 
| [{Image src='IMG_2500.jpg' width='272px' height='..' align='left'}]  [{Image src='IMG_2501.jpg' width='272px' height='..' align='left'}]  [{Image src='IMG_2502.jpg' width='272px' height='..' align='left'}]\\ | 
| \\ | 
| __WARNING:__ the QR code is valid for 30 seconds, if the time window is missed you will need to generate new, or it will not save. Once a secret key has been saved from the QR code, and confirmed, it can only be reset by a server administrator.  It's a one-time process.\\ | 
| \\ | 
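Review bot: the 30-second validity of the QR code is stated twice in this hunk (the bold line above step 1 and the WARNING at the end); keep one, preferably the WARNING, and fix "generate new" to "generate a new one". Step 3 is also imprecise: what __Confirm__ saves to the user account is the secret encoded in the QR code, not a "code". Two things a practitioner would want stated here are missing: whether __Confirm__ requires the user to enter a current code from the app (if it does not, a mis-scanned secret is saved and, as the WARNING says, only a server administrator can reset it, so the doc should also say where in the admin UI that reset is done), and that the QR code and the confirmation step should only be performed over HTTPS, since the QR code carries the shared secret.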
| At line 33 added 41 lines | 
| !!3. Possible scenarios regarding the cooperation of admin and the end-user:\\ | 
| \\ | 
| Prerequisites: | 
| \\ | 
| -a working Google Authenticator app on a mobile device\\ | 
| -in the User Manager -> user -> Webinterface -> Available customizations section the __Enable two factor registration__ is set to True. This can be enabled on the __default__ template account or on the group template account so all other users will inherit the setting from the template user.\\ | 
| -on Preferences -> General Settings -> OTP section the __Validated Logins__ option must be enabled (A on the first screenshot)\\ | 
| -for the 2nd option the user account has to be configured with an email address. Also, the server needs to have a working SMTP relay configured on Preferences -> General Settings -> SMTP section. | 
|  | 
|  | 
| 1. This is the easiest method for the admin. | 
| The option of __Google Authenticator Auto Enable__ on Preferences -> General Settings -> OTP section is enabled (B on the first screenshot). | 
| In User Manager the __Two factor OTP/SMS authentication__ option is disabled. | 
|  | 
| The end-user logs in with username and password, and initializes the __Setup of 2 factor auth__ via the User Options button, scans the QR code, and hits the Confirm button. | 
| In the background, CrushFTP writes the Two factor authentication Secret to the user account and takes care of enabling the __Two factor OTP/SMS authentication__ option for the user. | 
|  | 
| 2. | 
| The option of __Google Authenticator Auto Enable__ on Preferences -> General Settings -> OTP section is left in disabled state. | 
| In User Manager the __Two factor OTP/SMS authentication__ option is enabled by the admin. | 
|  | 
| The end-user enters its username and password on the login page. A popup will be prompted asking for the email-based token, then the user is allowed to log in and initialize the Setup of 2 factor auth via the User Options button. Next time won't get an email, and at the token popup enters the 6-digit code generated by Google Authenticator. | 
|  | 
| 3. | 
| The option of __Google Authenticator Auto Enable__ on Preferences -> General Settings -> OTP section is left in disabled state. | 
| In User Manager the user doesn't have the __Two factor OTP/SMS authentication__ option enabled | 
|  | 
| The end-user logs in with username and password, and initializes the Setup of 2 factor auth via the User Options button, scans the QR code, and hits the Confirm button. | 
| In the background, CrushFTP writes the Two-factor authentication Secret to the user account, but the Admin needs to activate the __Two factor OTP/SMS authentication__ option for the user. | 
|  | 
|  | 
| __[DMZ|DMZ]__ - Main node scenario: on Preferences -> General Settings -> OTP section the __Validated Logins__ option must be enabled on the DMZ node, so the DMZ gives the two-factor authentication to the Main node. | 
| \\ | 
| ---- | 
| \\ | 
| Google Authenticator for Webinterface logins only, enrolling is not possible via FTP, SFTP. | 
| A hidden flag in __prefs.XML__ controls for which protocols OTP should be enabled by default | 
| {{{ | 
| <twofactor_secret_auto_otp_enable_protocols>ftp,ftps,sftp,http,https,webdav</twofactor_secret_auto_otp_enable_protocols> | 
| }}} | 
| \\ |
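Review bot: the references "(A on the first screenshot)" and "(B on the first screenshot)" in the Prerequisites and in scenario 1 point at an image that is not attached anywhere in this change; either attach it or drop the markers, since the settings paths in the same sentences already identify the options. Several smaller fixes in this section: the heading should not end with a colon; the Prerequisites use "-" bullets where the rest of the page uses "*"; "The end-user enters its username" should be "their username"; "Next time won't get an email, and at the token popup enters the 6-digit code" should read "On subsequent logins no e-mail is sent; at the token popup the user enters the 6-digit code generated by the authenticator app"; and the DMZ sentence is unclear about direction ("the DMZ gives the two-factor authentication to the Main node"), so say plainly which node performs the OTP check. On the hidden __prefs.XML__ flag: the text says enrolling is Webinterface-only, yet the example value lists ftp, ftps and sftp; state whether the value shown is the default or just an example, and how a user presents the 6-digit code on those protocols. Worth a caveat here as well: a protocol enabled in that list that is itself unencrypted (plain ftp) sends the one-time code, like the password, in cleartext, so administrators should not read the presence of OTP on that protocol as compensating for the missing transport protection.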