Two Factor Authentication for Admin Users
Two-factor authentication is the process of logging in using two seperate methods to confirm an admin user's identity. If enabled, Kiva Logic uses email and text message as the two methods to identify an admin user.
To further secure admin accounts, two factor authentication can be enabled which will require all admin users to provide a cell phone number that they can receive a text message on for two factor authentication.
Login with Two Factor
After entering in the username and password, the admin user is take to the two factor authentication page.
When the user clicks 'get code', the system will:
generate a random 6 digit code
hash the code and store it, along with a created timestamp, and an expiration timestamp 5 minutes into the future.
- send a code via sms to the user's phone
When the user enters in the code, it is compared with the stored hash, and if valid, completes the login process.
For each login attempt, admin users are allowed to try entering a code 3 times. After the third time, the login process is exited and the user is sent back to the main login page.
If the user exceeds more than 10 bad attempts in 24 hours without having a successful login, their account is suspended.
Codes expire after 5 minutes.
If any non-expired codes exist when a new code is generated, they are marked expired.
Each code also has the amount of failed attempts tracked with it
- Log entries exist for each failed attempt, account suspensions, two-factor login process process starts, and succesful two-factor login.
Admin Email Notifications
Admin User Login with 2-factor authentication failed attempt
If an admin fails to complete the login process and has 3 failed attemps at entering in the correct code, this admin email notification is sent to any admin users that have it enabled.
Admin user suspended for too many failed authentication attempts
If the user exceeds 10 attempts in a 24 hour period, they are suspended. This email notification is sent to any admin users that have it enabled. At this point, if the suspension was the result of human error, then you should restore the admin user's access by updating their admin type.
If possible nefarious activity is suspected, contact Kiva Logic support immediately and do not un-suspend the admin user.