Manage two-factor authentication (2FA)

Enable two-factor authentication

Two-factor authentication is controlled via the Two-factor authentication required setting.

This right can be set for:

• the entire company (company standard)

• User groups

• individual users

This right may only be granted or revoked by administrators (superusers). Further information on user rights management.

Best Practice

• Enable 2FA at least at the group or company level.

• Please inform users in advance about the change.

• Please recommend popular authentication apps (e.g. Microsoft Authenticator, Google Authenticator).

• Make sure that users know who to contact if they encounter any problems.

• Important: Designate at least two Administrators.

  This is the only way to ensure that the authenticator app can be set up again in an emergency (e.g., if you switch devices or lose your device).

Setting up two-factor authentication

Behaviour following activation

If the option is enabled:

• Users will be prompted the next time they log in to set up two-factor authentication via an authenticator app.

• Requirement: Two-factor authentication has not yet been set up.

Information on user setup

Requirements for user setup

You will need the following for the setup:

• a smartphone or another suitable device

• an authenticator app, e.g.:

  • Microsoft Authenticator

  • Google Authenticator

  • FreeOTP

Important information for administrators

• The second factor is set up once per user.

• Users should be advised:

  • to keep your smartphone safe

  • to contact the administrator if the device is lost

Duration of the session

• The frequency of logins depends on the session duration.

• This may vary depending on the application (e.g. SPEDIONline or the SPEDION Portal App).

• Once the session has expired, you will need to log in again using 2FA.

Reset the Authenticator app

When is a reset necessary?

A reset is required if a user:

• no longer has access to their Authenticator app (e.g. new smartphone, app deleted, etc.)

Procedure for administrators

Protection against attacks

Before you reset an Authenticator app at a user’s request, make sure that the request really does come from that user!

1. Open Administration → Users.

2. Click on Edit in the row for the relevant user.

3. Click on the Two-factor authentication tab.

4. Click on Reset Authenticator App.
   

5. Confirm by clicking Delete.

Behaviour after a reset

• The second factor will be removed from the account.

• The user must set up a new Authenticator app the next time they log in.

• The user is not automatically logged out.

Guidelines for users

If a user cannot access their Authenticator app, they must contact their company’s administrator.

The user cannot reset it themselves.

Status of two-factor authentication

In the Administration, the status is displayed for each user:

• Inactive
  → Two-factor authentication is not enabled for this user.

• Pending
  → Two-factor authentication is required but has not yet been set up by the user. The user will be prompted to do so the next time they log in.

• Active
  → Two-factor authentication has been set up and is active.

Disabling 2FA

If the requirement for two-factor authentication has been removed for a user:

• Two-factor authentication is no longer required when logging in.

• The user is no longer prompted to enter a security code.

Note

• The Authenticator app that has already been set up will not be deleted.

• The 2FA configuration remains stored in the background.