Enabling two-factor authentication with TOTP or MOTP.
Two-Factor authentication is highly recommended as a security precaution against unauthorized access to your account. Blesta supports both MOTP and TOTP. The following mobile applications are recommended for Android and iOS, respectively, and many others are supported as well.
As of Blesta 3.1, a QR code may be scanned from Google Authenticator to set it up. If you are running an earlier version of Blesta, continue reading.
Using Google Authenticator with Blesta is pretty straightforward, but requires a little manipulation to get the key in the correct format. Blesta expects TOTP keys to be in hexadecimal format (base16), but Google Authenticator uses base32, so Google Authenticator keys have to be converted into hexadecimal before they are stored in Blesta. There are a number of online utilities to perform this operation. Here's one: http://www.darkfader.net/toolbox/convert/. As an example, "PEHMPSDNLXIOG65U" (in base32) becomes "790ec7c86d5dd0e37bb4" in hexadecimal. Simply select Time-based One Time Password as the two-factor authentication method in Blesta, then enter the converted (hexadecimal) value and you're good to go.
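The base32-to-hex conversion can also be done locally, so the shared secret is never pasted into a third-party site. The script below is an added example, not part of the Blesta documentation or code base: it converts the key and computes the code for the resulting hex key so it can be compared with the authenticator app before saving. The function names are hypothetical, and the TOTP parameters (HMAC-SHA1, 30-second step, 6 digits) are assumed to be the Google Authenticator defaults.

```python
import base64
import hashlib
import hmac
import struct
import time


def base32_to_hex(key_b32):
    """Convert a base32 authenticator key to the hexadecimal form Blesta expects.

    Raises ValueError if the input is empty or not valid base32.
    """
    # Apps often display the key in lowercase, grouped with spaces or dashes,
    # and without '=' padding; normalise all of that before decoding.
    cleaned = "".join(key_b32.split()).replace("-", "").upper().rstrip("=")
    if not cleaned:
        raise ValueError("empty key")
    padded = cleaned + "=" * (-len(cleaned) % 8)
    # b32decode raises binascii.Error (a ValueError subclass) on bad input.
    return base64.b32decode(padded).hex()


def totp(key_hex, at=None, digits=6, step=30):
    """Compute an RFC 6238 TOTP code (HMAC-SHA1) from a hex key.

    Assumed parameters: 30-second step and 6 digits unless overridden.
    """
    counter = int((time.time() if at is None else at) // step)
    digest = hmac.new(bytes.fromhex(key_hex),
                      struct.pack(">Q", counter),
                      hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): the low nibble of the last byte
    # selects a 4-byte window, whose top bit is masked off.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


if __name__ == "__main__":
    # Example key taken from the text above; replace it with your own.
    hex_key = base32_to_hex("PEHMPSDNLXIOG65U")
    print("Hex key for Blesta:", hex_key)
    print("Current code      :", totp(hex_key))
```

If the printed code matches the one shown in the authenticator app at the same moment, the hex key was converted correctly.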
To set up Two-Factor Authentication, visit the "My Info" link at the top of any staff page.
If you have access to add additional Staff, you can set up Two-Factor Authentication at account creation under [Settings] > [System Settings] > Staff.
Yubico now has an easy-to-use application that works with its NFC keys. We use the YubiKey 5 NFC; the Security Key doesn't work with their TOTP app.
2. Load up the application and plug in your key, then click the Add button at the top right.
3. Go to the "My Info" part of Blesta Administrator and select "Time-based HMAC One Time Password" under Two Factor Authorisation then hit Scan.
4. Enter your "Issuer"; we recommend the URL of your Blesta installation or something like Blesta Admin. The "Account name" has to be your account username for the Admin panel. We recommend that you require touch to unlock the passcode. Click Add to add the account to your Yubico key.
If you are locked out of Blesta because you lost your 2FA token, you must disable Two-Factor mode in the database for your user. To do so, make the change manually in the database using a utility like phpMyAdmin. Find your user in the "users" table, update users.two_factor_mode to none, and save. You will now be able to log in with just your username and password. Once you have logged in, you can set up 2FA again under My Info.