Two-Step Verification - Manager Settings
eG Enterprise supports two-factor authentication, a.k.a. two-step verification, for validating user logons to the eG management console. This requires the user to supply a unique code in addition to the user name and password.
Using two-step verification, eG Enterprise:
Discourages attacks that involve user impersonation to gain access to sensitive data;
Ensures secure access to the eG Enterprise, without putting the user network and sensitive information at risk;
Boosts user productivity and instills user confidence in the eG Enterprise, by dispelling their fears of a data breach.
To enable the two-step verification, follow the steps below:
Log in to the eG management console.
Follow the Admin -> Settings -> Manager menu sequence in the eG admin interface.
In the tree-structure in the left panel of the page that appears, you will find an Account Security node. Expand this node and click the 2-step Verification sub-node within. Upon clicking, the right panel of the page will display the options.
To enable 2-step verification, set the Enable 2-Step Verification flag to Yes.
An administrator can enforce 2-step verification as an enterprise-wide standard, which will be irrevocably applied to all users (existing and new) registered with the eG Enterprise. To achieve this, set the Enforce the feature as an enterprise security standard flag to Yes. Alternatively, the administrator can allow users the freedom to choose between enabling 2-step verification and not. For this, set the Enforce the feature as an enterprise security standard flag to No.
If you had set the Enforce the feature as an enterprise security standard flag to Yes, then the following steps will apply:
The key requirement of standardization is that all registered users should be configured with email IDs. This is because the verification code, or the secret key required to obtain the verification code, is communicated to users via email. Without the verification code, the second step of the two-step verification process cannot be completed. This is why, if one or more users do not have an email ID configured for themselves in the eG Enterprise, the names of such users will be displayed.
You will be able to proceed with the standardization only after all the users are configured with email IDs. Therefore, to configure an email ID for a user, click on the user name. This will allow you to edit that user's profile in eG. When the Modify User page appears, click the Next button to switch to the next page of the user's profile.
Scroll down the page that appears next until the Mail/SMS Settings section comes into view. In the To text box of the Mail/SMS Settings section, provide a valid email ID for the user. Finally, click the Update button to save the changes.
This way, you will have to configure an email ID for every user listed.
Note:
A user who is assigned the Admin role - e.g., the default admin user of the eG Enterprise - can edit the profile of any other user registered with the eG Enterprise, except that of an Organization or a Supermonitor. This means that an Admin user cannot configure email IDs for an Organization or a Supermonitor, using the procedure discussed above. A user will have to explicitly log in to the eG Enterprise as an Organization and as a Supermonitor to configure email IDs for these accounts.
Once all users are configured with email IDs, a One-Time Password (OTP) flag will appear.
The second step of the 2-step verification process requires that the user supply a verification code / OTP (One-time Password) at the login prompt to validate the login. The administrator can configure eG Enterprise to auto-generate this verification code/OTP and automatically email the same to the user at the time of login. To send OTP via email to users, set the One-Time Password flag to Receive via email. Alternatively, users can generate the OTP using the Google Authenticator app on their mobile phones/desktops. To enable the use of Google Authenticator, set the One-Time Password flag to Generate via Google Authenticator.
Note:
By default, the One-Time Password flag setting automatically applies to all users registered with the eG Enterprise. In other words, if this flag is set to Receive via email, then all eG users will receive their OTP/verification code only via email. Likewise, if this flag is set to Generated via Google Authenticator, then all eG users will only be able to use the OTP/code that Google Authenticator generates for logging into the eG web console.
If required, individual users can override this flag setting by editing their respective user profiles in eG. For instance, where email delivery of OTP is the enterprise standard, a single user may prefer to use Google Authenticator instead. Such a user can override the enterprise standard by editing his/her profile in eG. For this, the user should do the following:
The user should first connect to the eG web console using a browser.
In the login page, the user should provide valid login credentials - i.e., a valid user name and password.
The user will now be prompted for a verification code/OTP. Here, the user should supply the OTP/code they receive via the mode that is the enterprise standard. In the case of our example, the user should use the OTP/code received via email.
Upon logging in, the user should click on the User icon on the tool bar of the console to edit his/her profile.
The user should then scroll down the user profile to view the 2-Step Verification section.
Here, the user should set the One-Time Password (OTP) flag to the mode of his/her choice. In the case of our example, the user should set it to Generate via Google Authenticator.
If the OTP/code is set to be generated via Google Authenticator, then the users should perform the following configurations to ensure that Google Authenticator generates the OTP/code they need to log in.
The Google Authenticator should first be downloaded and installed on the user's mobile phone/desktop.
Then, the user should open the Google Authenticator app (on the mobile phone/desktop) and add a new entry by clicking the ‘+’ symbol.
Then, the user has to pick the Manual entry option.
In the meantime, eG Enterprise auto-generates a ‘secret key’ for the user and sends it to the email ID configured in that user's profile in eG. When the next window appears, the user should first enter a valid email address under Account, then copy the secret key from the email, and paste it in the Key text box.
Once this is done, the user will see a time-based one-time password (TOTP) being generated and displayed on screen. This is a 6-digit code, which will change every 30 seconds. At the time of logging into the eG web console, the user should check the Google Authenticator app for the TOTP. When prompted for a verification code, the user should provide the TOTP that is valid at that time. Once the correct TOTP is specified, the user will be allowed access to the eG web console.
Finally, click the Save button to register the changes.
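The 6-digit, 30-second code described above can be reproduced from the secret key alone. The following is an added example, not eG Enterprise code: it implements the standard RFC 6238 algorithm that Google Authenticator uses, assuming HMAC-SHA1 and a base32-encoded key, and shows the checks a verifying server would typically apply (clock-drift window, replay rejection). The function names and the sample key are hypothetical.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30  # per the page: the code changes every 30 seconds
DIGITS = 6         # per the page: a 6-digit code
# Constructed sample key: the RFC 6238 test secret "12345678901234567890" in base32.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Decode a base32 secret key as it would be pasted into the Key text box."""
    cleaned = secret_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore any stripped padding
    return base64.b32decode(cleaned)


def totp(secret_b32, at):
    """RFC 6238 code (HMAC-SHA1 assumed) for the 30-second window containing `at`."""
    counter = int(at) // STEP_SECONDS
    mac = hmac.new(decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, submitted, at, drift_steps=1, last_counter=-1):
    """Return the matched time-step counter, or None if the code is rejected.

    Accepts +/- drift_steps windows for clock skew; a counter at or below
    last_counter is refused so an observed code cannot be replayed.
    """
    now = int(at) // STEP_SECONDS
    matched = None
    for counter in range(max(0, now - drift_steps), now + drift_steps + 1):
        expected = totp(secret_b32, counter * STEP_SECONDS)
        # Constant-time comparison; no early exit from the loop.
        if hmac.compare_digest(expected.encode(), submitted.encode()) and counter > last_counter:
            matched = counter
    return matched


if __name__ == "__main__":
    code = totp(SAMPLE_KEY, time.time())
    print("current code:", code, "accepted:", verify(SAMPLE_KEY, code, time.time()) is not None)
```

The secret key and the clock are the only inputs, so anyone who can read the email carrying the key can generate the same codes as the user's phone.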
If the Enforce the feature as an enterprise security standard flag is set to No, it means that the administrator is allowing individual users to decide what is right for them: whether or not to secure their logins to eG Enterprise using 2-step verification. Once this is done, the administrator can click the Update button to save the changes.
Note:
In this case, if a user later decides that they want the security blanket offered by 2-step verification, then they can enable this feature by editing their profile in eG. To achieve this, the user has to do the following:
The user should first log in to the eG web console.
Upon logging in, the user should click on the User icon on the tool bar of the console to edit his/her profile.
The user should then scroll down the user profile to view the 2-Step Verification section.
Here, the user should set the Enable 2-Step Verification flag to Yes. Then, using the One-Time Password (OTP) flag, the user should indicate how they want the OTP/verification code to be generated and sent to them: via email or via Google Authenticator. If this flag is set to Receive via email, then the user should make sure that his/her profile is configured with an email ID. If this flag is set to Generated via Google Authenticator, then the user has to ensure the following:
An email ID has to be configured in the user's profile in the eG Enterprise;
The Google Authenticator app has to be installed on the user's mobile phone/desktop, and should be configured to generate the OTP/verification code. The steps for configuring the Google Authenticator are discussed above.