Google 2-Factor Authentication

Christopher Dakin

Introduction

LogonBox supports user authentication via the third party Google Authenticator app. This article explains how to configure your LogonBox to use this method.

 

1. Configuring the Authentication Scheme

It is important to note that you can apply different authentication flows for six different types of logon: User Login, Password Reset, Account Unlock, Windows Login, SSO and Admin Logon.

Each of these can have their own default authentication flow configured, but for this article we shall alter Password Reset.

Navigate to Authentication Flows->Schemes->Password Reset. Note that by default this is configured with a blue Username module and perhaps a green User Selective 2FA one.

Google Authenticator is a green module, so it must exist along with either a blue or an orange module, which we already have here.

Let’s remove the existing green module and add the Google module by clicking the plus icon next to Google Authenticator to add it into the authentication flow.

This module should be placed anywhere after the Username one. If you have more than one green module, you can change their order by dragging a module from its default position to wherever you need it. Click Save at the bottom.

 

2. Google Authenticator options

There are some options you can choose to configure for Google Authenticator access if required. Edit the Password Reset flow again and click on the edit icon inside the Google Authenticator module to see these settings.

The first setting is for the Issuer text. The app on the user's mobile displays this name to help them identify which server a particular one-time code is for.

Alter the issuer name as required (or leave as default). The other text messages you could alter are the Prompt and Setup prompt.

If you are using Google Authenticator on its own, it is recommended to turn off Enable Registration; otherwise anybody would be able to register another person's email address.

In the Apps tab are links that will be provided to users as they register for Google Auth.

Click Apply to save the changes, then Save the authentication scheme.

 

Before users can use this method of authentication, they need the Google Authenticator app installed on their mobile, and their LogonBox account must be configured for the service.

 

3. Add to the User Login and enable registration

We don't want users to be able to register during a password reset (i.e. we want users to identify themselves before setting up). So now edit the User Login authentication flow, add Google Authenticator after Username + Password, then click the edit icon on the Google module.

Ensure that Enable Registration is turned ON and click Apply, then Save the Authentication Flow.

 

4. User setup

To set up a user for Google Authentication, they must log in to My Account in order to register. 

 

The user is now prompted to configure their mobile app. The links to install the app are provided here also for easy access.

 

The user opens the Authenticator app on their mobile and must add a new account by clicking the Plus icon.

 

Choose the option for Scan a QR code which activates the mobile camera. Use this to scan the QR code visible on the screen.

The new Authenticator account should be visible in the app and it will be showing a one-time password.

(Note that the user could optionally use the secret key option instead, but scanning with the camera is less prone to errors if that option is available.)

 

When you see this has been set up, back on the LogonBox authentication page, tick the option to confirm you have set up the account and click Next to continue.

 

The user is then prompted to enter the passcode from the Authenticator app, which changes every 30 seconds.

Enter the code and click Next to continue.

The authentication process then continues and the user is logged on.
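
To show what the Issuer text, the QR code / secret key, and the 30-second passcode correspond to, here is an added example (not LogonBox code, and not from this article) of the TOTP scheme the Google Authenticator app implements: RFC 6238 with HMAC-SHA1, 6 digits and a 30-second period. The secret is the published RFC 6238 test key, the issuer and account are constructed values, and the one-step tolerance and replay check are assumptions illustrating common server-side practice, not documented LogonBox behaviour.

```python
import base64, hashlib, hmac, struct
from urllib.parse import quote, urlencode

# RFC 6238 test key "12345678901234567890" in base32 (a public test value).
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def provisioning_uri(secret_b32, account, issuer):
    """Build the otpauth:// URI that a setup QR code encodes.
    The issuer is what the app shows next to the account name."""
    label = quote(f"{issuer}:{account}")
    params = urlencode({"secret": secret_b32, "issuer": issuer,
                        "algorithm": "SHA1", "digits": 6, "period": 30})
    return f"otpauth://totp/{label}?{params}"

def totp(secret_b32, at, period=30, digits=6):
    """RFC 6238: HOTP (RFC 4226) keyed on the number of periods since epoch."""
    key = base64.b32decode(secret_b32.upper().replace(" ", ""))
    counter = struct.pack(">Q", int(at) // period)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, at, window=1, last_used_step=None, period=30):
    """Return the matching time step, or None.
    window: how many periods of clock drift to tolerate either side.
    last_used_step: highest step already accepted, so a code is single-use."""
    now_step = int(at) // period
    for step in range(now_step - window, now_step + window + 1):
        if last_used_step is not None and step <= last_used_step:
            continue                                # replayed or older code
        expected = totp(secret_b32, step * period, period)
        if hmac.compare_digest(expected, code):     # constant-time compare
            return step
    return None

if __name__ == "__main__":
    # Constructed issuer and account, for illustration only.
    print(provisioning_uri(SECRET, "alice@example.com", "ExampleCorp"))
    print(totp(SECRET, 59))                         # RFC 6238 vector at T=59
    # Code from the previous 30 s step is accepted with window=1 ...
    print(verify(SECRET, "081804", at=1111111111))
    # ... but rejected once that step has already been used.
    print(verify(SECRET, "081804", at=1111111111, last_used_step=37037036))
```

Because the code is derived only from the shared secret and the current time, the secret shown during setup (as a QR code or as text) is as sensitive as a password.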

 

5. Resetting a user's Google Authenticator

If a user is unable to log on using Google Authenticator any more, perhaps because they have a new mobile device or they deleted their Authenticator account or app, then their Google Authenticator account will need to be reset so that they can configure it afresh, as per step 3 above.

This can be done via an admin account. Navigate to Users Directory. Find the username to reset and click on the green gears icon.

Select the Reset Google Authenticator option.

 

You will receive a message stating that the user has been reset.

 

6. Testing

As we have configured this scheme for Password Reset, test it by clicking the Reset Password link on the main LogonBox portal.

 

The user enters their username and clicks Next.

 

The user then enters the passcode from the Authenticator app and clicks Next to continue.

 

The user can now reset their password.