| At line 1 changed one line | 
| In CrushFTP version 10 we can integrate our One Time Password (__[OTP|OTP Settings]__) based authentication feature with Google's and Microsoft's software-based token device __Google Authenticator__ and __Microsoft Authenticator__, using Time based OTP (TOTP). The user can register a QR code into Google Authenticator or Microsoft Authenticator app.\\ | 
| CrushFTP has One Time Password (__[OTP/MFA|OTP Settings]__) based authentication feature with Authenticator software-based token device (__Google Authenticator__ and __Microsoft Authenticator__), etc, using Time based OTP (TOTP) / MFA. The user can register a QR code into their Authenticator app.\\ | 
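Review bot: the replacement sentence drops the "In CrushFTP version 10" qualifier, so the page no longer says which release the Authenticator integration applies to; keep the version statement if it still holds. The wording "token device (...), etc, using Time based OTP (TOTP) / MFA" is also hard to parse: move "etc" inside the parentheses and state once that the method is TOTP.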
| At line 3 changed 2 lines | 
| !!Server side configuration\\ | 
| You will need to enable one of our __[OTP|OTP Settings]__ methods, using SMS or Mail based OTP, and enable the __Validated logins__ checkbox. The user needs to be able to log in at least once, without OTP, or with the other __[OTP|OTP Settings]__ settings.\\ | 
| !!1. Server side configuration\\ | 
| The config needs the URL set to __SMTP__ and the checkbox for __Validated Logins__ enabled.\\ | 
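Review bot: the new text removes the earlier statement that "The user needs to be able to log in at least once, without OTP, or with the other OTP settings", which an admin needs to know before enforcing enrollment; restore it or say explicitly that it no longer applies. "The config needs the URL set to SMTP" also does not name the settings page or field, whereas the old line linked to OTP Settings.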
| At line 8 changed one line | 
| The second step is to configure the user account with __Two Factor Authentication__\\ | 
| Next enable the two factor __QR code generator__ which will appear in the user's __User Options__ menu when they are logged in.\\ | 
| At line 10 changed one line | 
| [attachments|servercfg002.png]\\ | 
| [attachments|enable_two_factor.png]\\ | 
| * You can also force two factor registration, then the user has no choice but to enroll in it at their next login.  Set the customization flag __Two Factor: force Authenticator setup__ to true.  See the mini animated gif of the process below.\\ | 
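Review bot: the customization flag is written here as "Two Factor: force Authenticator setup", while the text it replaces (old line 12 block) called it "Two Factor: force Google Authenticator setup" and the scenario lines later in this diff still use "Google Authenticator Auto Enable". Check each label against the UI and use the exact strings, so that an admin searching for the flag finds it.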
| At line 12 changed 6 lines | 
| and enable the two factor __QR code generator__ which will appear in the user's __User Options__ menu when they are logged in.\\ | 
| \\ | 
| [attachments|servercfg003.png]\\ | 
| * You can also force two factor registration, then the user has no choice but to enroll in it at their next login.  Set the customization flag "Two Factor: force Google Authenticator setup" to true.  See the mini animated gif of the process below.\\ | 
| \\ | 
| !!Client / token device configuration\\ | 
| !!2. Client / token device configuration\\ | 
| At line 37 changed 2 lines | 
| !!Possible scenarios regarding the cooperation of admin and the end-user: | 
|  | 
| !!3. Possible scenarios regarding the cooperation of admin and the end-user:\\ | 
| \\ | 
| At line 40 changed one line | 
|  | 
| \\ | 
| At line 42 changed 2 lines | 
| -in the User Manager -> user -> Webinterface -> Available customizations section the "Enable two factor registration" is set to True. This can be enabled on the "default" template account or on the group template account so all other users will inherit the setting from the template user.\\ | 
| -on Preferences -> General Settings -> OTP section the "Validated Logins" option must be enabled (A on the first screenshot)\\ | 
| -in the User Manager -> user -> Webinterface -> Available customizations section the __Enable two factor registration__ is set to True. This can be enabled on the __default__ template account or on the group template account so all other users will inherit the setting from the template user.\\ | 
| -on Preferences -> General Settings -> OTP section the __Validated Logins__ option must be enabled (A on the first screenshot)\\ | 
| At line 48 changed 2 lines | 
| The option of "Google Authenticator Auto Enable" on Preferences -> General Settings -> OTP section is enabled (B on the first screenshot). | 
| In User Manager the "Two factor OTP/SMS authentication" option is disabled. | 
| The option of __Google Authenticator Auto Enable__ on Preferences -> General Settings -> OTP section is enabled (B on the first screenshot). | 
| In User Manager the __Two factor OTP/SMS authentication__ option is disabled. | 
| At line 51 changed 2 lines | 
| The end-user logs in with username and password, and initializes the "Setup of 2 factor auth" via the User Options button, scans the QR code, and hits the Confirm button. | 
| In the background, CrushFTP writes the Two factor authentication Secret to the user account and takes care of enabling the "Two factor OTP/SMS authentication" option for the user. | 
| The end-user logs in with username and password, and initializes the __Setup of 2 factor auth__ via the User Options button, scans the QR code, and hits the Confirm button. | 
| In the background, CrushFTP writes the Two factor authentication Secret to the user account and takes care of enabling the __Two factor OTP/SMS authentication__ option for the user. | 
| At line 55 changed 2 lines | 
| The option of "Google Authenticator Auto Enable" on Preferences -> General Settings -> OTP section is left in disabled state. | 
| In User Manager the "Two factor OTP/SMS authentication" option is enabled by the admin. | 
| The option of __Google Authenticator Auto Enable__ on Preferences -> General Settings -> OTP section is left in disabled state. | 
| In User Manager the __Two factor OTP/SMS authentication__ option is enabled by the admin. | 
| At line 61 changed 2 lines | 
| The option of "Google Authenticator Auto Enable" on Preferences -> General Settings -> OTP section is left in disabled state. | 
| In User Manager the user doesn't have the "Two factor OTP/SMS authentication" option enabled | 
| The option of __Google Authenticator Auto Enable__ on Preferences -> General Settings -> OTP section is left in disabled state. | 
| In User Manager the user doesn't have the __Two factor OTP/SMS authentication__ option enabled | 
| At line 65 changed one line | 
| In the background, CrushFTP writes the Two-factor authentication Secret to the user account, but the Admin needs to activate the "Two factor OTP/SMS authentication" option for the user. | 
| In the background, CrushFTP writes the Two-factor authentication Secret to the user account, but the Admin needs to activate the __Two factor OTP/SMS authentication__ option for the user. | 
| At line 68 changed one line | 
| __[DMZ|DMZ]__ - Main node scenario: on Preferences -> General Settings -> OTP section the "Validated Logins" option must be enabled on the DMZ node, so the DMZ gives the two-factor authentication to the Main node. | 
| __[DMZ|DMZ]__ - Main node scenario: on Preferences -> General Settings -> OTP section the __Validated Logins__ option must be enabled on the DMZ node, so the DMZ gives the two-factor authentication to the Main node. | 
| \\ | 
| ---- | 
| \\ | 
| Google Authenticator is for Webinterface logins only; enrolling is not possible via FTP or SFTP. | 
| A hidden flag in __prefs.XML__ controls for which protocols OTP should be enabled by default: | 
| {{{ | 
| <twofactor_secret_auto_otp_enable_protocols>ftp,ftps,sftp,http,https,webdav</twofactor_secret_auto_otp_enable_protocols> | 
| }}} | 
| \\ |