Enabling two-factor authentication with TOTP or MOTP.

Configuring Two-Factor Authentication

Two-factor authentication is highly recommended as a security precaution against unauthorized access to your account. Blesta supports both MOTP and TOTP. The following mobile applications are recommended for Android and iOS, respectively; many others are supported as well.

For Android

  1. Android Token - http://code.google.com/p/androidtoken/
  2. Google Authenticator - https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en

For iOS (iPhone, iPad)

  1. OATH Token - http://itunes.apple.com/us/app/oath-token/id364017137?mt=8
  2. Google Authenticator - https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8

As of Blesta 3.1, a QR code may be scanned from Google Authenticator to set it up. If you are running an earlier version of Blesta, continue reading.

Using Google Authenticator with Blesta is straightforward, but the key needs a little manipulation to get it into the correct format. Blesta expects TOTP keys in hexadecimal (base16), while Google Authenticator displays them in base32, so the Google Authenticator key must be converted to hexadecimal before it is stored in Blesta.

There are a number of online utilities that perform this conversion. Here's one: http://www.darkfader.net/toolbox/convert/.

As an example, "PEHMPSDNLXIOG65U" (in base32) becomes "790ec7c86d5dd0e37bb4" in hexadecimal. Simply select Time-based One Time Password as the two-factor authentication method in Blesta, enter the converted (hexadecimal) value, and you're good to go.
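The same conversion can be done locally, which keeps the shared secret off a third-party web site. This is an added example, not Blesta's own code; it assumes Blesta verifies standard RFC 6238 TOTP codes (HMAC-SHA1, 30-second step, 6 digits), which is how the `totp()` helper checks that the base32 and hexadecimal forms are the same key.

```python
import base64
import hashlib
import hmac
import struct


def base32_secret_to_hex(secret: str) -> str:
    """Convert an authenticator-app secret (RFC 4648 base32) to the
    hexadecimal (base16) form Blesta expects.

    Apps often show the key in lowercase, in spaced groups and without
    '=' padding, so normalise it before decoding.
    """
    cleaned = secret.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore RFC 4648 padding
    return base64.b32decode(cleaned).hex()


def totp(secret_hex: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) computed from the hex-encoded key.

    Used here only to show that a base32 key and its hex conversion
    produce identical codes, i.e. the conversion did not alter the key.
    """
    key = bytes.fromhex(secret_hex)
    counter = struct.pack(">Q", unix_time // step)          # 8-byte big-endian
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def same_key(base32_secret: str, hex_secret: str, unix_time: int = 0) -> bool:
    """True when both encodings yield the same code for the same time slice."""
    return totp(base32_secret_to_hex(base32_secret), unix_time) == totp(hex_secret, unix_time)


if __name__ == "__main__":
    # Key from the example above, in the lowercase spaced form apps display.
    shown = "pehm psdn lxio g65u"
    print(base32_secret_to_hex(shown))                       # 790ec7c86d5dd0e37bb4
    print(same_key(shown, "790ec7c86d5dd0e37bb4", 1_700_000_000))  # True
```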

For YubiKey

  1. For instructions on setting up your YubiKey to generate TOTP codes, visit https://support.yubico.com/support/solutions/articles/15000006419-using-your-yubikey-with-authenticator-codes
  2. If you follow the instructions provided by Yubico, you will need to convert your Google secret key from base32 to hexadecimal (base16) before adding it to Blesta. Instructions for doing so are provided in the note above.

To set up Two-Factor Authentication, visit the "My Info" link at the top of any staff page.

If you have access to add additional Staff, you can set up Two-Factor Authentication at account creation under [Settings] > [System Settings] > Staff.

For Yubico Key App

Yubico now provides an easy-to-use authenticator application that works with its NFC keys. We use the YubiKey 5 NFC; the Security Key does not work with Yubico's TOTP app.

  1. Download the app from https://www.yubico.com/products/yubico-authenticator/
  2. Open the application, plug in your key, then click the Add (plus) button at the top right.
  3. Go to the "My Info" page of the Blesta administrator area, select "Time-based HMAC One Time Password" under Two Factor Authorisation, then click Scan.
  4. Enter an "Issuer" (we recommend the URL of your Blesta installation or something like "Blesta Admin"); the "Account name" must be your username for the admin panel. We recommend requiring a touch to unlock the passcode. Click Add to add the account to your YubiKey.

Help! I've lost the token to my Staff account. How can I disable Two-Factor Authentication?

If you are locked out of Blesta because you lost your 2FA token, you must disable two-factor mode for your user in the database. To do so, make a manual change to the database using a utility like phpMyAdmin: find your user in the "users" table, update users.two_factor_mode to none, and save. You will now be able to log in with just your username and password. Once you have logged in, you can set up 2FA again under My Info.