Two-factor authentication (2FA)

With the standard authentication setup with 10Duke Enterprise, two-factor authentication (2FA) works out of the box, and no implementation work is needed.

Users can activate 2FA for themselves on the login page, and they need a device or an application (such as Google Authenticator) that can generate time-based one-time passwords (TOTP).

Enforce 2FA on users

2FA can be enforced globally on all users, which means a user is prompted to activate 2FA before they can log in.

By default, 2FA is not enforced. If you want 2FA enforced in your deployment, contact the 10Duke Integration Support team. The change affects both end users and the administrator users of the 10Duke SysAdmin and OrgAdmin tools.

If a user has activated 2FA for themselves, you can deactivate it for them if needed. However, if 2FA is enforced, the user is prompted to reactivate it the next time they try to log in. You can deactivate 2FA for a user either in SysAdmin or by deleting the user’s OTP credentials through the 10Duke Identity Management REST API.

Disable 2FA

If needed, 2FA can be disabled in your deployment. Contact the 10Duke Integration Support team.

Custom implementations

If you’re authenticating users through the Authentication API but you have implemented your own login page on top of it, you need to implement a feature on the login page for users to activate 2FA for themselves. You can enforce 2FA on users in the same way as with the standard setup.

If your software application is handling authentication directly with an external identity provider, 2FA/MFA must be implemented at the external identity provider’s end.

For any support in implementing 2FA, contact the 10Duke Integration Support team.