@@ -8,7 +8,7 @@ or if users are spread over multiple places.
88
99## Configuration <a id =" authentication-configuration " ></a >
1010
11- Navigate into ** Configuration > Application > Authentication ** .
11+ Navigate into ** Configuration > Application > Access Control Backends ** .
1212
1313Authentication methods are configured in the ` /etc/icingaweb2/authentication.ini ` file.
1414
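Review bot: style point on the replaced line 11 (`Navigate into ** Configuration > Application > Access Control Backends **`): "Navigate into" reads awkwardly and "Navigate to" is the usual phrasing; since this line is being rewritten anyway, it is a good moment to fix it. The surrounding heading and its `authentication-configuration` anchor are unchanged, so existing links to this section keep working.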
@@ -291,3 +291,48 @@ asks that backend to authenticate the user with the sAMAccountName "jdoe".
291291When the user "jdoe@icinga.com " logs in, Icinga Web 2 walks through all configured authentication backends until it
292292finds one which is responsible for that user -- e.g. a MariaDB or MySQL backend (SQL database backends aren't domain-aware). Then
293293Icinga Web 2 asks that backend to authenticate the user with the username "jdoe@icinga.com ".
294+
295+ ## Two-Factor Authentication <a id =" two-factor-authentication " ></a >
296+
297+ You can secure your user accounts by two-factor authentication (2FA) using time-based one-time passwords (TOTP). If you
298+ set up an authenticator app it will generate a 6 digit one-time token every 30 seconds based on the shared secret and
299+ the current time.
300+
301+ ### Enabling 2FA <a id =" two-factor-authentication-enabling " ></a >
302+
303+ Enable 2FA in your account settings. Scan the QR code with your authenticator app or enter the secret manually. Make
304+ sure to store the QR code or secret on a different device on which the authenticator app is installed. If you lose
305+ access to the authenticator you can set up a new one without an administrator disabling the old one via the CLI. Then
306+ enter the token from your authenticator app to verify that it has the correct secret.
307+
308+ If you log in now with username and password, you will be prompted to "enter your 2FA token". This is the token
309+ generated by the authenticator app. If the token is valid, you will be logged in and redirected.
310+
311+ ### Disabling 2FA <a id =" two-factor-authentication-disabling " ></a >
312+
313+ Disable 2FA by simply clicking the "Disable 2FA" button in your account settings. This will remove the stored secret
314+ completely.
315+
316+ ### Replacing 2FA <a id =" two-factor-authentication " ></a >
317+
318+ If you need to replace your 2FA, e.g. because your secret has been compromised, simply disable it and reenable it in
319+ your account settings. You will need to verify the new secret. Don't forget to store the QR code or the secret for
320+ recovery.
321+
322+ ### CLI Commands <a id =" two-factor-authentication-cli " ></a >
323+
324+ The following CLI commands are available:
325+
326+ ``` bash
327+ icingacli twofactor list
328+ ```
329+
330+ List all users with 2FA enabled and when they enabled it.
331+
332+ ``` bash
333+ icingacli twofactor disable [< user> ]
334+ ```
335+
336+ Disable 2FA for a specific user. Do this if a user has lost access to the device on which the authenticator app is
337+ installed and hasn't saved the secret to a different device. Make sure to disable it for the correct user, as the
338+ currently stored secret will be removed completely.
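Review bot: the "Replacing 2FA" heading at line 316 reuses the anchor `id="two-factor-authentication"` already used by the top-level heading at line 295, so in-page links to that id will resolve to the wrong section; give it its own id such as `two-factor-authentication-replacing`, matching the `-enabling`, `-disabling` and `-cli` pattern used by the sibling headings. The sentence at line 305 ("If you lose access to the authenticator you can set up a new one without an administrator disabling the old one via the CLI") is hard to follow and appears to contradict lines 336-338, where the CLI disable is exactly what an administrator does when a user has lost the device; presumably the intent is that a user who saved the secret can re-enrol on their own, which should be stated explicitly. Line 333 documents the user argument as optional (`[<user>]`) while line 336 says the command disables 2FA "for a specific user"; document what the command does when no user is given, since this command irrevocably removes a stored secret. Finally, because anyone holding the secret can generate valid tokens, the advice at lines 303-304 and 319-320 to keep a copy of the QR code or secret should say to store it in an encrypted location, and the 30-second TOTP window at line 298 implies the server clock must be synchronised, which is worth a sentence.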