Deploy 2FA Configuration
Associated with: The System or Root Group
Security permission required to access this pick action: Security
This pick action is only available on a system (database) that is configured to use two-factor authentication (see Specify the Two-Factor Authentication (2FA) Account Description).
The settings that are configured for the Two-Factor Authentication (2FA) Account Description on the Root Group are only the 'proposed' two-factor authentication configuration for that particular system. If the Enabled check box is selected on that section of the configuration form, the proposed two-factor configuration is deemed to be 'active'; if the check box is clear, the proposed two-factor configuration is deemed to be 'inactive'.
The deployed 2FA status reflects whichever proposed configuration was most recently deployed, not the current contents of the form. Toggling the Enabled check box changes only the proposed 2FA status; the deployed 2FA status changes only when the proposed configuration is actually deployed.
Mistaking the proposed status for the deployed status carries the following risks:
-
potential unintended deactivation of two-factor authentication, or a security breach (for example, assuming that 2FA is enforced when the active configuration has never been deployed)
-
potential inability to access the system due to confusion over which authenticator account to use
To deploy 'proposed' two-factor configuration across the system, use the Deploy 2FA Configuration pick action. The changes take immediate effect without needing to restart the server.
Deployment of 'active' two-factor authentication configuration results in the following:
-
Users whose User Accounts are configured to use two-factor authentication will only be able to access the system once they are successfully enrolled for two-factor authentication. Thereafter, they will be required to provide two authentication factors each time they log on (the username and password of their User Account for the first factor, then a valid one-time password for the second factor). Additionally, they will only be able to use those User Accounts to access the system from clients that support two-factor authentication (see Considerations and Limitations (2FA)).
-
Any user that enrolls from this point onwards will do so using an authenticator account whose description matches the Company Name and System Name of the deployed two-factor authentication configuration. The user's username also appears alongside the authenticator account description, both in the authenticator app and on the One-Time Password Authentication window in Geo SCADA Expert. This helps to identify which authenticator account the user needs to use to obtain a valid one-time password whenever they want to log on to the system. Users need a different authenticator account for each database that they access using two-factor authentication, so it is imperative that they know which authenticator account to use for which database. This includes any other implementations of the same database, such as offline test or training systems, that are configured for two-factor authentication (see Specify the Two-Factor Authentication (2FA) Account Description).
-
On a system on which two-factor authentication is already deployed, the newly deployed configuration changes will not alter the text shown on existing authenticator accounts in authenticator apps; those accounts continue to work, but there is now likely to be a mismatch between the text shown on them and the text that appears on the One-Time Password Authentication window in Geo SCADA Expert. Ensure that existing users are made aware of this discrepancy and that they remain aware of which authenticator account they should continue to use whenever they want to log on to the system.
-
With a system on which two-factor authentication is being rolled out for the first time, those User Accounts that are configured to use two-factor authentication will go into an enrollment phase when the pick action is executed. Users will have to successfully complete that enrollment within the enrollment period before they can access the database. The same applies to any users whose User Accounts are changed to require two-factor authentication. A system administrator will have to re-enable the User Accounts of any users that do not successfully complete their enrollment before the enrollment period expires.
Deployment of 'inactive' two-factor authentication configuration results in the following:
-
Two-factor authentication will be disabled across the system.
-
Users whose User Accounts are configured to use two-factor authentication will no longer need to provide two authentication factors to access the system. Instead, they will only need to enter the username and password of a valid User Account (like they would if their User Account was not configured for two-factor authentication).
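The following is an added illustration, not Geo SCADA Expert code, of two points made above: why a user needs a separate authenticator account per database (test and training copies included), and why redeploying a changed Company Name or System Name does not break existing authenticator accounts. It assumes the authenticator app implements a standard RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s step); the page does not state the algorithm Geo SCADA Expert uses, so treat that, the system names, the `otpauth://` enrolment URI format and the secrets as assumptions constructed for the example. The Production secret is the RFC 6238 reference key so its codes can be checked against the RFC test vectors.

```python
"""Added example (not Geo SCADA Expert code). Assumes a standard RFC 6238 TOTP
authenticator; system names, usernames and secrets are constructed."""
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP_SECONDS = 30
DIGITS = 6

# Constructed enrolment data for two separately configured databases a user
# might hold authenticator accounts for. Each database has its own secret;
# the Production one is the RFC 6238 reference key "12345678901234567890".
SYSTEMS = {
    "Production": {
        "company": "Example Utilities",
        "system_name": "Production",
        "secret_b32": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    },
    "Training": {
        "company": "Example Utilities",
        "system_name": "Training",
        "secret_b32": base64.b32encode(b"training-db-secret-0").decode(),
    },
}


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret_b32, unix_time // STEP_SECONDS)


def verify(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check accepting the current step and +/- `window` steps of
    clock drift, compared in constant time."""
    for drift in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def account_label(company: str, system_name: str, username: str) -> str:
    """Text the authenticator shows: deployed Company Name and System Name with
    the username alongside. Display only; it never enters the HMAC."""
    return f"{company} {system_name} ({username})"


def otpauth_uri(company: str, system_name: str, username: str, secret_b32: str) -> str:
    """Enrolment URI (the usual QR-code payload). Only `secret` affects the
    codes; issuer and label are stored by the app once, at enrolment, which is
    why a later redeployment with new names leaves existing accounts unchanged."""
    issuer = f"{company} {system_name}"
    label = quote(f"{issuer}:{username}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def cross_system_check(username: str, unix_time: int) -> dict:
    """A code from the Production account is valid only for Production: the
    Training database, even as a copy of the same configuration, has its own
    secret, so the user must pick the right authenticator account."""
    prod, train = SYSTEMS["Production"], SYSTEMS["Training"]
    code_for_prod = totp(prod["secret_b32"], unix_time)
    return {
        "code": code_for_prod,
        "accepted_by_production": verify(prod["secret_b32"], code_for_prod, unix_time),
        "accepted_by_training": verify(train["secret_b32"], code_for_prod, unix_time),
        "production_label": account_label(prod["company"], prod["system_name"], username),
        "training_label": account_label(train["company"], train["system_name"], username),
    }


if __name__ == "__main__":
    import time
    for key, value in cross_system_check("operator1", int(time.time())).items():
        print(f"{key}: {value}")
```

Because the label and issuer are consumed only when the QR code is scanned, renaming the deployed Company Name or System Name changes what new enrolments display and what the One-Time Password Authentication window shows, while every previously enrolled account keeps producing valid codes under its old text; that is the mismatch the deployment notes above warn about.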
Further Information