Protect your Safetica Management Console and WebSafetica accounts against password theft, social engineering, and brute-force attacks
Multi-factor authentication adds a second factor on top of the password and therefore hardens logins against password theft, social engineering, and brute-force attacks.
To protect Safetica Management Console and WebSafetica logins, we decided to use the enterprise-grade multi-factor authentication proxy called DUO. DUO provides various forms of multi-factor authentication, and we opted to use push notifications.
In this article, you will learn about:
- The prerequisites necessary for multi-factor authentication to work
- How to set up the DUO Authentication Proxy
- How to enroll users into DUO
- How to enable multi-factor authentication in Safetica Management Console
- How to disable multi-factor authentication
- How users log in when multi-factor authentication is active
The prerequisites necessary for multi-factor authentication to work
- The DUO Authentication Proxy must be set up in your environment.
- Your company must use Active Directory, because DUO multi-factor authentication works only for accounts imported from an AD security group. Non-AD users will not be able to use multi-factor authentication.
- Users must be enrolled in DUO and have the DUO app installed on their mobile devices.
How to set up the DUO Authentication Proxy
DUO is deployed into your environment separately and independently of Safetica.
Information on deploying the DUO Authentication Proxy in your company environment can be found here. To prepare your environment, sign up for DUO (a free tier is available) and set up the DUO Authentication Proxy with LDAP Auto integration. In the [ldap_server_auto] section, set the factors=push option. The proxy then runs between Safetica and your Active Directory and adds a second factor to your authentication process.
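The following check is an added example, not code from Safetica or DUO: it parses an authproxy.cfg and reports when the [ldap_server_auto] section does not match what this article asks for (factors=push, plus a key and certificate when Safetica is set to use an encrypted connection). The sample configuration is constructed, all hosts, keys and paths in it are placeholders, and the function name audit_authproxy is hypothetical.

```python
import configparser

# Constructed sample authproxy.cfg: hosts, keys and paths are placeholders.
SAMPLE_CFG = """
[ad_client]
host=dc01.example.local
service_account_username=duo-svc
service_account_password=PLACEHOLDER
search_dn=DC=example,DC=local

[ldap_server_auto]
client=ad_client
ikey=DIXXXXXXXXXXXXXXXXXX
skey=PLACEHOLDER
api_host=api-XXXXXXXX.duosecurity.com
factors=push
ssl_port=636
ssl_key_path=ldap_server.key
ssl_cert_path=ldap_server.pem
"""

def audit_authproxy(cfg_text, encrypted=True):
    """Return a list of findings; an empty list means every check passed.

    encrypted mirrors the 'Use encrypted connection' slider in Safetica.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(cfg_text)
    if not cp.has_section("ldap_server_auto"):
        return ["missing [ldap_server_auto] section"]
    sec = cp["ldap_server_auto"]
    findings = []
    # The article asks for push as the only factor.
    factors = [f.strip().lower() for f in sec.get("factors", "").split(",") if f.strip()]
    if factors != ["push"]:
        findings.append(f"factors should be 'push', found {factors or 'unset'}")
    # The LDAP listener must point at a defined Active Directory client section.
    client = sec.get("client", "").strip()
    if not client or not cp.has_section(client):
        findings.append(f"client section '{client}' is not defined")
    # An SSL connection from Safetica needs a key and certificate on the proxy.
    if encrypted:
        for key in ("ssl_key_path", "ssl_cert_path"):
            if not sec.get(key, "").strip():
                findings.append(f"{key} is not set but an encrypted connection is expected")
    return findings

if __name__ == "__main__":
    for finding in audit_authproxy(SAMPLE_CFG) or ["no findings"]:
        print(finding)
```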
How to enroll users into DUO
DUO has an administrative interface where you can add users either manually or sync them with your Active Directory. You enroll every user via their phone number.
The users must have the DUO app installed on their phones. During authentication, they will receive a push notification and must confirm it.
How to enable multi-factor authentication in Safetica Management Console
- Open Safetica Management Console and go to Profile > Server settings.
- In the Authentication proxy section, fill in the server address and port of your DUO authentication proxy. Click the Test connection button to verify connectivity.
- With the Use encrypted connection slider, choose whether to connect to DUO over SSL or over an unencrypted (plain) connection.
- In the Multi-factor authentication option, choose whether to enable it for both Safetica Management Console and WebSafetica, or only for WebSafetica.
- Click Finish.
How to disable multi-factor authentication
- Open Safetica Management Console and go to Profile > Server settings > Authentication proxy.
- In the Multi-factor authentication option, choose Do not use MFA.
- Click Finish.
- Users will then authenticate against Active Directory only again, and multi-factor authentication will not be used.
How users log in when multi-factor authentication is active
- The user enters their password into Safetica Management Console or WebSafetica and clicks OK / Log in.
- They then receive a push notification in the DUO app on their mobile device.
- They confirm the push notification.
- The user is then logged in to Safetica Management Console or WebSafetica.