User Selective 2FA

Christopher Dakin

LogonBox version 2.3.0 and later introduces a new way to handle your user authentications for password resets and account unlocks.

This new method is called User Selective 2FA and allows you to easily give your users a set of options for authentication that suits them best.


Configuring User Selective 2FA

If you are setting up a new 2.3 system from scratch, the initial setup wizard should guide you through a quick setup.

If you have upgraded and want to run through the same setup, or if you wanted to reconfigure User Selective 2FA, you may launch the 2FA setup wizard from the Authentication Flows page by clicking on the Use Multi-Factor Authentication Wizard link.


You will be presented with a choice of all available authentication modules and you can select any number of them, but you must select at least 2 so that users have a backup option available.

For an example here, we will select LogonBox Authenticator and Google Authenticator.


At the bottom of this page you can define how many of these selected authentications would be needed for a password reset (default 1).

Click Next to continue.

On the second page you can now select which Authentication Flows to attach User Selective 2FA to.

By default this will always select Account Unlock and Password Reset (which cannot be changed), but you could also opt to add this to other flows such as User Logon etc.

Click Save to complete the wizard.


Looking at the Authentication Flows page, you will see that, as well as the default flows for user login, password reset etc., extra Authentication Schemes have been added that relate to the options you have set. In our example, these are LogonBox Authenticator and Google Authenticator. Do not delete these, as this is how User Selective 2FA queries which modules are available.


You may edit any of these new Schemes to configure the modules if required. For example, if we edit LogonBox Authenticator...


and then click the edit icon on the OTP module, we can define the text displayed as the password prompt for the user, as well as other settings such as registration, push notifications and biometric authentication.


If any changes are made, click Apply, then Save to save the changes.

Along with the separate Authentication Schemes, the wizard has also automatically assigned the User Selective 2FA module to the Password Reset and Account Unlock schemes.


If you edit one of these schemes and click the Edit icon on User Selective 2FA, you may define the prompt that the user sees, as well as how many of these 2FA modules need to be completed to complete the Flow.

This defaults to 1 and is the same setting as in the wizard. Therefore, as we defined 2 available modules in our example above, the user only needs to complete one of these factors to authenticate to the server.


There are some final settings relating to User Selective 2FA. The first setting can be found in Authentication Flows->Authentication Options->2FA.

Minimum User 2FA Credentials is the number of authentication modules a user must configure in order to have a completed profile (default: 2). In our example, every user would need to set up both of the modules we added.
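To make the relationship between these counters concrete (the number of modules selected in the wizard, Minimum User 2FA Credentials, and the number of factors a flow requires), here is an added example: a small Python model of my own, not LogonBox code, with assumed names, that checks a policy for consistency and decides whether a user's enrolled and completed factors satisfy a flow such as Password Reset.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class SelectiveTwoFaPolicy:
    """Assumed model of the settings described above (names are mine)."""
    available_modules: frozenset[str]   # schemes the wizard created
    min_user_credentials: int = 2       # Minimum User 2FA Credentials
    required_for_flow: int = 1          # factors needed to complete a flow

    def validate(self) -> list[str]:
        """Return human-readable problems with the policy (empty if consistent)."""
        errors = []
        if len(self.available_modules) < 2:
            errors.append("select at least 2 modules so users have a backup option")
        if self.min_user_credentials > len(self.available_modules):
            errors.append("users cannot enrol more modules than are available")
        if self.required_for_flow > self.min_user_credentials:
            errors.append("a flow must not demand more factors than users are required to enrol")
        if self.required_for_flow < 1:
            errors.append("a flow must require at least one factor")
        return errors

    def profile_complete(self, enrolled: set[str]) -> bool:
        # Only modules that still exist as schemes count towards the profile.
        return len(set(enrolled) & self.available_modules) >= self.min_user_credentials

    def flow_satisfied(self, enrolled: set[str], completed: set[str]) -> bool:
        # A completed factor counts only if the user actually enrolled it.
        usable = set(completed) & set(enrolled) & self.available_modules
        return len(usable) >= self.required_for_flow


def evaluate_reset(policy: SelectiveTwoFaPolicy, enrolled: set[str], completed: set[str]) -> str:
    """Decide the outcome of a password-reset attempt under the policy."""
    if not policy.profile_complete(enrolled):
        return "enrol_required"          # user must log in and finish their profile first
    if policy.flow_satisfied(enrolled, completed):
        return "authenticated"           # proceed to the reset-password page
    return "more_factors_required"


if __name__ == "__main__":
    # Constructed example mirroring the walkthrough: two modules, 2 to enrol, 1 to reset.
    policy = SelectiveTwoFaPolicy(frozenset({"LogonBox Authenticator", "Google Authenticator"}))
    both = {"LogonBox Authenticator", "Google Authenticator"}
    print(policy.validate(), evaluate_reset(policy, both, {"Google Authenticator"}))
```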


The last two settings can be found in Authentication Flows->Authentication Options->SMS and Authentication Flows->Authentication Options->Email respectively.

Use Directory Phones (default: ON) - If this option is turned on, LogonBox will use the phone number stored in the user directory, otherwise they will be prompted to enter a phone number (and validate this by sending an OTP) when they first log in to LogonBox.

Use Directory Email (default: ON) - If this option is turned on, LogonBox will use the email stored in the user directory, otherwise they will be prompted to enter an email address (and validate this by sending an OTP) when they first log in to LogonBox.

Click Apply to save any changes.


End User experience - Configuring profile

Now let's take a look at a user logging on to LogonBox with this configuration set.

A user logs in to My Account with their username and password. This must be done at some point before they need to reset a password.

LogonBox detects they have not completed their profile and prompts the user to configure authentication.

At this stage, we have completed 0 out of the 2 required modules and we have a list of the 2 modules to choose from.


The user selects LogonBox Authenticator and clicks Next.

The user scans the QR code from the LogonBox Authenticator app.


The LogonBox server now sends an authentication request to the app.


Approve the authentication on the app, which completes this step.


As there is only one other module available, the user is then automatically prompted to set up the Google Authenticator app.

Scan the QR code with the Google Authenticator app, tick the checkbox and click Next.


The server now prompts for the passcode, which the user needs to read from the app and type in to authenticate.


As the user has now configured their 2 modules, they are logged on to the system and can simply log off again at this point.


Performing a Password Reset with User Selective 2FA

Now this user has a configured profile, let's perform a password reset.

The user selects Reset Password from the main portal and enters their username.


The server will now prompt the user to select one of the 2 modules they previously configured. In this example, the user selects Google Authenticator and clicks Next.


The user now enters their Google Authenticator passcode and clicks Next.


Authentication succeeds and the user is then prompted to reset their password: