Use Two-Factor Authentication with Geo SCADA Expert
With Geo SCADA Expert 2023 onwards, you can further strengthen the security of user access to Geo SCADA Expert by requiring users to provide two factors of authentication before they are permitted to access the database. Geo SCADA Expert 2023 supports time-based one-time password (TOTP) authentication. With this implementation, Geo SCADA Expert generates a one-time password every 30 seconds. Whenever a user wants to log onto the database, for the first factor of authentication, they enter the username and password of their User Account. Once these have been authenticated, for the second factor of authentication, they then have to enter the currently valid one-time password. Only once this has also been authenticated will they be logged on to the system. This implementation requires users to use a third-party authenticator app to access the one-time password (OTP) that they need to enter alongside the other logon credentials whenever they log on to Geo SCADA Expert.
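As an added illustration (not code from the Geo SCADA Expert product or its vendor), the following Python implements RFC 6238 TOTP with the 30-second step described above, together with the kind of server-side check a system performs on the submitted code: accept the code for the current window (and, as an assumed tolerance for clock drift, one adjacent window), compare in constant time, and refuse a window that has already been consumed so a captured code cannot be reused within its lifetime. The secret and timestamps are the published RFC 6238 test vectors; the skew window, 6-digit length and replay tracking are assumptions, not documented Geo SCADA Expert behaviour.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # a new one-time password every 30 seconds, as the page describes
DIGITS = 6         # assumed code length; the RFC 6238 default

# Constructed sample: the RFC 6238 reference secret (ASCII "12345678901234567890")
SAMPLE_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used_counter=None, skew_steps: int = 1):
    """Server-side check of a submitted one-time password.

    Returns (accepted, counter_to_record). The code is accepted if it matches
    the current 30-second window or one within +/- skew_steps (assumed drift
    tolerance) AND that window is later than the last window this account has
    already used, so the same code is never accepted twice.
    """
    now_counter = unix_time // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        counter = now_counter + delta
        if counter < 0:
            continue
        if last_used_counter is not None and counter <= last_used_counter:
            continue  # this window (or an older one) has already been consumed
        expected = totp(secret, counter * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)
    ok, used = verify_totp(SAMPLE_SECRET, code, 59)
    replay, _ = verify_totp(SAMPLE_SECRET, code, 75, last_used_counter=used)
    print(code, ok, replay)  # 287082 True False
```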
A separate authenticator account is required for each implementation of a Geo SCADA Expert database; as such, users are likely to have a number of authenticator accounts on the authenticator app and will need to know which one to use for each database implementation. Even if your deployed Geo SCADA Expert system only comprises a single database, if you have other implementations of that database configured for two-factor authentication (such as a test system), each one will require a different authenticator account. Care should be taken when determining the naming convention to use for the authenticator accounts in Geo SCADA Expert, to help users identify which authenticator account to use for which database implementation. Be aware that any later configuration changes in Geo SCADA Expert will have no effect on the names of existing authenticator accounts on the authenticator apps, so care should be taken to ensure that users remain aware of which authenticator accounts they are required to use for which database implementations.
With this implementation of two-factor authentication, a system administrator can enable two-factor authentication across a Geo SCADA Expert system and then enable its use against specific users of that system.
If required, a system administrator can temporarily disable the second-factor authentication in the system. When it is disabled, users that have the two-factor authentication requirement enabled on their User Account will be able to log on without the system requesting their OTP. Un-enrolled users will not be required to enroll. Disabling the second-factor authentication could impact users with outstanding enrollment periods, which might expire before a system administrator re-enables 2FA and allows enrollment. If this occurs, the system administrator will have to reset the enrollment process for those User Accounts (see Reset 2FA Enrollment).
On a system on which two-factor authentication is enabled, when a user has the two-factor authentication requirement enabled on their User Account by a system administrator:
- Their User Account goes into an enrollment state, which triggers their next logon to the system to be their enrollment. Access to the system is denied until they have successfully completed the enrollment process. This can only be completed on a ViewX client or a Virtual ViewX client that supports enrollment. The enrollment requires that user to scan a QR code to set up an authenticator app account on a suitable device, such as a smartphone.
- Once enrolled, the user has to use that authenticator account to provide a new one-time password to authenticate their logon each time that they want to access the system.
System administrators can:
- Restrict the enrollment period within which users are required to complete their enrollment.
- Monitor the use of two-factor authentication on the User Accounts.
- Reset two-factor authentication of particular users (for example, in the event of a lost smartphone).
- Provide the option to allow users to re-enroll their own two-factor authentication, to minimize the administrator's workload relating to users changing their smartphone.
The system configuration for this feature is on the Root Group. The two-factor authentication settings that a system administrator configures here are the 'proposed' configuration, which then needs to be explicitly deployed across the system. This differs from other configuration in Geo SCADA Expert and is intended to help protect the system from inadvertent reconfiguration.
You should not use User Accounts that are configured for two-factor authentication in cases where those User Accounts are intended for interface application users, such as for ODBC, SOAP (via the Web Server), or API access (see Define whether a User can Access the System via ViewX, Virtual ViewX, Original WebX, or PIN via Application Code). This includes User Accounts intended to provide access from the Bulk Edit tool.
To set up two-factor authentication in Geo SCADA Expert:
- All Geo SCADA Expert servers have to be running Geo SCADA Expert 2023 or later software. (Users whose User Accounts are configured to use two-factor authentication cannot access the system from any clients or servers that are running, or emulating, an earlier version of Geo SCADA Expert software.)
- Use the Geo SCADA Expert Server Configuration tool to define the validity period of the logon tokens that are used for two-factor authentication (2FA) (see Define the Validity Period of 2FA Logon Tokens).
- On the Main server of the Geo SCADA Expert system on which you want to set up two-factor authentication, configure the required properties on the Root Group tab of the System or Root Group (see Configure the Properties of the Root or System Group). There are two sections of two-factor authentication properties on the tab:
  - The Two-Factor Authentication (2FA) Account Description properties (see Specify the Two-Factor Authentication (2FA) Account Description). Use these properties to define the Company Name and System Name. Together with the username of the User Account, the properties identify the authenticator account that users are to use to obtain the one-time password that they have to enter to gain access to the Geo SCADA Expert database. Take care when determining the naming convention that you intend to use for these properties. The Company Name and System Name combination has to be unique per implementation of each Geo SCADA Expert database. For more information about this, see the examples in Specify the Two-Factor Authentication (2FA) Account Description, and see Considerations and Limitations (2FA).
    (The 'Enabled' check box in this section of the Root Group tab is addressed in step 3 below.)
  - The Two-Factor Authentication (2FA) Enrollment Configuration (see Specify the Two-Factor Authentication (2FA) Enrollment Properties). Use these properties to define the user enrollment and re-enrollment expiry periods, and to specify whether users can trigger their own re-enrollment when required. Unlike the Two-Factor Authentication (2FA) Account Description section of properties, the configuration in this Two-Factor Authentication (2FA) Enrollment Configuration section takes effect straight away, without the need to 'deploy' those changes.
- Once your system is ready to activate the requirement for users to use two-factor authentication for logging on, select the Enabled check box in the Two-Factor Authentication (2FA) Account Description section of the Root Group tab on the form of the Root Group (see Specify the Two-Factor Authentication (2FA) Account Description). This will activate, but not deploy, two-factor authentication on the system. You can ascertain this state by viewing the Status display of the Root Group (see View a Status Display). The Status display includes these two-factor authentication status attributes:
  - Currently Deployed Two-Factor Authentication Status—This status attribute has the value 'Disabled' when the above-mentioned check box is clear on the Root Group.
  - Proposed Two-Factor Authentication—This status attribute is only displayed when the above-mentioned check box is, or has ever been, selected on the Root Group. It shows the proposed configuration for two-factor authentication on the system. The status attribute's value is appended with the text '(ACTIVE)' on a system on which the above-mentioned check box is selected, or '(Not Active)' if the check box is clear. On a system on which two-factor authentication is already in use, the status attribute enables you to view the proposed changes to that system's existing two-factor authentication configuration. You can then deploy those changes when it is suitable to do so (or make further changes if required, before deploying those further changes).
- To actually deploy the two-factor authentication configuration across the system, select the 'Deploy 2FA Configuration' pick action on the Root Group. A confirmation dialog box is displayed; select 'Yes' to confirm the deployment.
  A message is logged in the Events List indicating the time that the two-factor authentication became deployed across the system. The message summarizes the two-factor configuration that is deployed. (Two-factor authentication deploys without the need to restart the server.)
  When you view the Status display of the Root Group, the Currently Deployed Two-Factor Authentication Status attribute now shows the two-factor authentication configuration that is deployed. The value of the status attribute is appended with the text '(ACTIVE)' to indicate that this is the two-factor configuration that is currently in force.
- On the User Accounts of each user who is required to use two-factor authentication, select the Two-Factor Authentication Required check box. This check box is towards the top of the General tab on each User Form (see Define Whether the User has to use Two-Factor Authentication). On an existing system that is being upgraded and set up to use two-factor authentication thereafter, you might want to consider writing a script to set this check box on all of the relevant User Forms simultaneously.
  Users of User Accounts that are configured for two-factor authentication will be required to enroll for, and log on to, Geo SCADA Expert using two-factor authentication.
  (If need be, some User Accounts can be left so that they do not need to use two-factor authentication to log on to the system, even if the system itself is configured to support two-factor authentication. For example, User Accounts that have to access the system from clients that do not support two-factor authentication. With such User Accounts, you leave the Two-Factor Authentication Required check box clear. Those users are not required to enroll for, or use, two-factor authentication to access the system. For more information, see Considerations and Limitations (2FA).)
- Repeat this procedure on any other Geo SCADA Expert systems on which you want to set up two-factor authentication.
Once two-factor authentication is set up and deployed on a Geo SCADA Expert system, to access that system, users of User Accounts that are configured for two-factor authentication have to:
- Enroll with an authenticator app on a suitable device, such as a smartphone. (This is a one-off activity per user.)
  We recommend using an authenticator app that can be locked so that it requires a PIN or biometric to open it, to help prevent unauthorized access. For example, Microsoft Authenticator.
- Enroll for TOTP two-factor authentication in Geo SCADA Expert (see Enroll for Two-Factor Authentication). This has to be performed on a ViewX client or a Virtual ViewX client that is running Geo SCADA Expert 2023 or later software. To trigger this enrollment process in Geo SCADA Expert, they must attempt to log on to the client as usual, by entering the User Name and Password of their valid User Account.
- Once enrollment is complete, if applicable, log off and then repeat the procedure on any other Geo SCADA Expert databases to which that User Account and ViewX or Virtual ViewX client provides access. (They will require a separate authenticator account for each database.)
  The same applies if they require two-factor authentication access for any other implementations of any of those databases (such as an offline test setup). Each separate implementation of a database on which two-factor authentication is deployed will require a separate authenticator account.
Entries are added to the Events List to provide feedback relating to a user's enrollment process.
Additionally, the Status displays of User Accounts that are configured to use two-factor authentication include a combination of status attributes that relate to that two-factor authentication. For more information, see Status Attributes Associated with User Accounts.
To ascertain the two-factor authentication status of multiple users, you can use the Users List. This is a Queries List that you can access from the Queries Bar (see Display a Queries List from the Queries Bar). You can filter the List so that it includes just the relevant users; for example, User Accounts on which the 'Two-Factor Authentication Required' property is False, or on which 'TOTP Enrolled' is False. For more information, see Filter a List in the Geo SCADA Expert Guide to Lists, and see Users List Headings.
Once users have enrolled successfully for two-factor authentication, whenever they want to gain access to a Geo SCADA Expert system those users have to:
- Display the Log On window in Geo SCADA Expert.
- Enter their valid User Name and Password.
  Once these have been authenticated, a One-Time Password Authentication window is displayed.
- Use the relevant authenticator account on their authenticator app to obtain the currently valid one-time password.
- Enter that one-time password into the relevant field on the dialog box that is displayed in Geo SCADA Expert.
Once the one-time password has been authenticated, the user is logged on to the system.
Such users can only access the system from a client that supports two-factor authentication (see Considerations and Limitations (2FA)).