What is two-factor authentication?
Turning on Two-Factor Authentication (2FA) for a service changes the security requirements, forcing you to provide at least two proofs of identity when accessing a secure service for the first time on an unknown device. Those two forms of authentication can come from any combination of at least two of the following elements:
- "Something you know," such as a password or PIN
- "Something you are," such as a fingerprint or other biometric ID
- "Something you have," such as a trusted smartphone or physical security key that can generate or receive confirmation codes
Why use two-factor authentication?
Two-Factor Authentication (2FA) is sometimes called multi-factor authentication (MFA). In simple terms, it adds an extra layer of security to every online platform you access. The first layer is generally a combination of an e-mail address (or username) and a password. Adding one more step to authenticate your identity makes it considerably harder for an attacker to access your data: even if your password is compromised, the attacker still cannot get into your account without the second factor.
This drastically reduces the chances of fraud, data loss, or identity theft.
How to use two-factor authentication in Re-Leased
Re-Leased supports both smartphone-based (TOTP) authenticator apps and, as industry best practice, hardware or biometric physical authenticators.
Options for enabling or disabling 2FA methods can be accessed by going to your user profile, and clicking on the ‘Manage Two-Factor Authentication Methods’ button, under the ‘Enhanced Security’ section of the page.
Hint: You may have multiple 2FA methods enabled and choose between them during sign-in if you wish. This can be handy, for example, for using a physical key when you are on your laptop but an authenticator app when you are on a mobile device.
Smartphone-based apps
Your smartphone can assist with authentication by providing a unique code that you use along with your password to sign in. To begin the setup process, click the ‘Setup a 2FA app’ option.
Follow the simple 3 step process shown on screen:
- First, choose a two-factor app for your smartphone. Some common ones we recommend include Authy, Microsoft Authenticator, and Google Authenticator.
- Next, once you have installed the app, use it to scan the barcode shown on screen.
- And lastly, enter the PIN that your new authenticator gives you as a result.
Click the ‘Confirm and Enable Two-Factor Authentication’ button to enable smartphone based 2FA.
Congratulations - you just levelled up your security! The next time you attempt to sign in to Re-Leased, you will be asked to provide the PIN from your authenticator app as an additional piece of information.
Physical security keys
Re-Leased supports physical security keys (or biometrics) to verify your identity when you sign in. Any authenticator that supports the WebAuthn standard can be used. This includes YubiKeys, fingerprint readers, Windows Hello, Touch ID and Face ID.
Depending on your equipment on hand, physical authenticators can often be more convenient to use than reaching for your smartphone.
Please note that Internet Explorer does not support the WebAuthn standard. If you are using Internet Explorer we recommend migrating to a more modern browser such as Chrome or Edge.
Getting set up is easy. Begin by clicking the ‘Enrol a new security key’ option.
- You will be prompted to insert your security key and activate it - at this point if you have a physical key, insert it. If you are using a device built into your computer then just activate it - e.g. touch your fingerprint scanner.
- The system will enrol the device, and then prompt you to give it a friendly title. This is optional but can be helpful if you have more than one device you would like to enrol.
Congratulations, you just levelled up your security! The next time you attempt to sign in to Re-Leased, you will be asked to activate your security key as an additional piece of information.
Recommended Best Practices
- Administrators should enable required 2FA for all users
You can enforce that all your users of Re-Leased must enable a 2FA method in order to use the application. This option can be found in the Security section of your company settings page under ‘Settings -> Manage Companies’. Toggle this setting on to force all users to set up 2FA the next time they sign in. They will not be able to proceed without enabling at least one method.
- Assist other users with onboarding to 2FA apps, or supply hardware devices such as YubiKeys.
Some people can find the concepts behind 2FA a little confusing. The best way to help your users to be security conscious is to empower them! Help them to understand the process and the reason behind why 2FA is such a good idea. Pointing them at this document is a great starting point.
In some cases, a physical security key may be a simpler concept for people to grasp, and an easier way to get them using 2FA.
Other Security Suggestions
- Enable single session mode
Single session mode is a user setting that prevents a user from having multiple active sessions (e.g. accessing the application from more than one place at the same time).
- Use a password manager
This is not specific to Re-Leased, but it is a very good general security practice that ensures your password is hard to guess or brute-force. We highly recommend the use of a password manager such as 1Password or LastPass.