Considerations and Limitations (2FA)
When using two-factor authentication with Geo SCADA Expert, be aware of the following:
You cannot use TOTP two-factor authentication in Geo SCADA Expert in conjunction with single sign-on (SSO) AVEVA Identity Management.
ViewX, Virtual ViewX, the Server Configuration Tool, the Server Status Tool, and the Server icon all support two-factor authentication (when running Geo SCADA Expert 2023 onwards). However, users whose User Accounts are configured for two-factor authentication can only enroll or re-enroll when they are logging on from a ViewX client or a Virtual ViewX client.
Once your User Account is configured to use two-factor authentication, you have to be successfully enrolled (or re-enrolled) for two-factor authentication from a ViewX client or a Virtual ViewX client before you can:
- Log on to the Server Configuration Tool
- Log on to the Server Status Tool
- Use actions on the Server icon that require user credentials to be entered before those pick actions execute.
This is in addition to any other restrictions that apply to such User Accounts to restrict access to any of the above (such as requiring the System Admin security permission in Geo SCADA Expert).
In order for a client to provide access to the database for User Accounts that are configured to use two-factor authentication, that client has to be running Geo SCADA Expert 2023 or later software. (Users whose User Accounts are configured to use two-factor authentication cannot access the system from any clients or servers that are running, or emulating, an earlier version of Geo SCADA Expert software.) Currently, of the clients that are supported, ViewX clients, Virtual ViewX clients, the Server Configuration Tool, Server Status Tool, and Server Icon provide the capability to log on using two-factor authentication.
If your system is configured to use two-factor authentication and includes other clients, or client applications that provide access to the database, ensure that other appropriate User Accounts exist for those clients. As with all User Accounts, those User Accounts should be configured to provide the minimum access that is required via those clients. Additionally, on the General tab of the configuration Forms of those User Accounts, the Two-Factor Authentication Required check box has to be clear.
You should not use User Accounts that are configured for two-factor authentication in cases where those User Accounts are intended for interface application users, such as for ODBC, SOAP (via the Web Server), or API access (see Define whether a User can Access the System via ViewX, Virtual ViewX, Original WebX, or PIN via Application Code). This includes User Accounts intended to provide access from the Bulk Edit tool.
The two-factor authentication for Virtual ViewX logins that Geo SCADA Expert has supported since Geo SCADA Expert 2022 is a completely independent feature to the TOTP 2FA feature that is described in this topic.
The Company Name and System Name properties on the Root Group, together with the username of the User Account, determine the text that appears on the One-Time Password Authentication window when users log on to Geo SCADA Expert. If you ever change those properties on the Root Group and then deploy those changes across the system, ensure that all existing users are made aware of those changes. This is particularly important for users that have access to multiple databases. It is imperative that they remain aware of which authenticator account they need to use to log on to each system.
Deployed changes to those particular properties on the Root Group have no impact on the text that identifies existing authenticator accounts on the users' authenticator apps. Existing users should be made aware that the account descriptions are now likely to differ between their authenticator app and the One-Time Password Authentication window in Geo SCADA Expert.
Users that enroll, or re-enroll, following the configuration changes are not affected, as the descriptions of the new authenticator accounts that they create will match those of the properties on the Root Group.
For more information, see the examples in Specify the Two-Factor Authentication (2FA) Account Description.
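The reason a change to the Company Name or System Name confuses existing users without breaking their logons is that a TOTP enrollment has two parts: the account description (issuer and label) that the authenticator app stores once, at enrollment time, and the shared secret from which every one-time password is derived. The description is cosmetic; the secret and the clock are the only inputs to the code. The following Python, an added example that is not AVEVA's code and makes no claim about how Geo SCADA Expert builds its enrollment, implements RFC 6238 TOTP with the standard library and shows that changing the description produces a different enrollment URI while the codes for an unchanged secret stay identical. The "Company System:username" label format, the sample names and the secret are constructed for illustration (the secret is the RFC 6238 test key).

```python
import base64
import hashlib
import hmac
import struct
import urllib.parse

# RFC 6238 reference test key ("12345678901234567890" in base32); constructed sample, not a real secret.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step). Depends only on the secret and the time."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", for_time // step)          # moving factor = time step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_code(secret_b32: str, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps, in constant time."""
    for delta in range(-window, window + 1):
        if hmac.compare_digest(totp_code(secret_b32, now + delta * step, step), code):
            return True
    return False


def enrollment_uri(secret_b32: str, company: str, system: str, username: str) -> str:
    """otpauth:// URI as an authenticator app would scan it at enrollment.

    The issuer/label text here is a hypothetical layout modelled on the topic's
    description (Company Name + System Name + username); it is not Geo SCADA Expert's format.
    """
    issuer = f"{company} {system}"
    label = f"{issuer}:{username}"
    params = {"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": 30}
    return "otpauth://totp/" + urllib.parse.quote(label, safe=":") + "?" + urllib.parse.urlencode(params)


def description_change_effect(secret_b32: str, company: str, old_system: str,
                              new_system: str, username: str, now: int) -> dict:
    """Compare the enrollment that an existing user scanned with the description after a Root Group change.

    The app keeps the old text; the server window shows the new text; the codes do not change.
    """
    uri_at_enrollment = enrollment_uri(secret_b32, company, old_system, username)
    uri_after_change = enrollment_uri(secret_b32, company, new_system, username)
    return {
        "description_differs": uri_at_enrollment != uri_after_change,
        "code_before": totp_code(secret_b32, now),
        "code_after": totp_code(secret_b32, now),       # same secret, same time -> same code
        "authenticator_shows": urllib.parse.unquote(uri_at_enrollment.split("/")[3].split("?")[0]),
        "logon_window_shows": urllib.parse.unquote(uri_after_change.split("/")[3].split("?")[0]),
    }


if __name__ == "__main__":
    result = description_change_effect(RFC_TEST_SECRET_B32, "Acme Utilities",
                                       "North Region", "North Region Telemetry", "operator1", 59)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The first two assertions below are the RFC 6238 Appendix B vectors (the 8-digit values 94287082 and 07081804 truncated to 6 digits), which pins the implementation before the label comparison is trusted. Operationally, this is why re-enrolling is the only way to make the app's text match a changed Root Group description, and why an enrollment that predates the change still verifies.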
If you change your database by importing a Geo SCADA Expert Server export file (.sde) that contains the whole database, including the System or Root Group, the import includes the Root Group configuration. The import does not change the deployed two-factor authentication configuration, but it might change the 'proposed' configuration, that is, the two-factor authentication configuration on the Root Group. Following the import, view that configuration and/or the Status display of the Root Group to determine whether the 'proposed' two-factor authentication configuration has changed.
If the configuration has changed and you want those changes to become the deployed two-factor configuration, then you will need to deploy those changes across the system. Any imported Root Group configuration changes that relate to two-factor authentication are only 'proposed' two-factor authentication changes until you deploy them using the Deploy 2FA Configuration pick action on that Root Group. This is by design, to help protect the system from unintended reconfiguration of two-factor authentication settings following a database import.
If the configuration has changed on the Root Group, but those particular changes are not required, then you should immediately change the two-factor configuration on the Root Group back so that it matches that of the active deployed configuration. This is important, to ensure that the unwanted configuration changes that occurred due to the database import do not inadvertently get deployed across the system.
If all of the clients in your system support two-factor authentication, you might opt to configure all of your User Accounts to use two-factor authentication to log on to Geo SCADA Expert. In the unlikely event that the authenticator fails, or that administrative-level users are unable to enroll successfully, users of those User Accounts will be unable to access the system. To regain access to the database, use the Super User account to create a suitably configured User Account on which the Two-Factor Authentication Required check box is clear. If, as recommended, the Super User account is disabled on your system, you can re-enable it while you set up that User Account. (Remember to disable the Super User account once it is no longer required.) For more information, see Configure the Super User Account.
You might opt to temporarily clear the Two-Factor Authentication Required check box on an existing User Account (rather than create a new User Account). If you do this, once two-factor authentication is available again, reselect that check box on the User Form to reinstate the requirement for the user to log on using two-factor authentication. The user should be able to use their existing authenticator account to gain access to Geo SCADA Expert.
If two-factor authentication is likely to be unavailable for some time, you might want to consider disabling two-factor authentication across the system. This will enable users of valid Geo SCADA Expert User Accounts to log on without requiring the second authentication factor (the one-time password). To disable two-factor authentication across the system:
- On the server that is running as Main, clear the Enabled check box within the Two-Factor Authentication (2FA) Account Description section of the Root Group (see Specify the Two-Factor Authentication (2FA) Account Description).
- Deploy the disablement using the Deploy 2FA Configuration pick action.
The deployed changes reconfigure the two-factor authentication settings on all of the servers in the system. Users of valid Geo SCADA Expert User Accounts are able to log on without needing to provide the second authentication factor from their authenticator app.
Once two-factor authentication is available, reinstate the requirement for users whose User Accounts are configured for two-factor authentication to log on using two factors of authentication. To do this:
- On the server that is running as Main, ensure that the correct values are specified in the Company Name and System Name fields in the Two-Factor Authentication (2FA) Account Description section of the Root Group. This is important, as any changes to these values could confuse existing users (see the separate section earlier in this topic).
- Select the Enabled check box in the above section of the Root Group.
- Deploy the re-enablement using the Deploy 2FA Configuration pick action.
The deployed changes reconfigure the two-factor authentication settings on all of the servers in the system. Users of User Accounts on which the Two-Factor Authentication Required check box is selected will need to provide two factors of authentication when they next log on to Geo SCADA Expert. For users that are already enrolled, their current enrollment resumes, so they can use their existing authenticator accounts to provide the second authentication factor.
Further Information
Define Whether the User has to use Two-Factor Authentication.
Enroll for Two-Factor Authentication.
Geo SCADA Expert database export file (.sde): see Import Database Items.
Root Group configuration: see Specify the Two-Factor Authentication (2FA) Account Description.