What is Two-Factor Authentication (2FA)?
2FA stands for Two-Factor Authentication, which is a special case of Multi-Factor Authentication (MFA). MFA is a security technique that uses more than one step to authenticate a user. For example, it can use something that the user knows (usually a password), something that the user has (a physical key, credit card, USB token, smartphone) and/or something that the user is (fingerprint, voice recognition, retina scan). We already use the first way (or factor) of authentication: you have to know your password to get access to your Kanbanize account. However, passwords alone do not provide the best security, since there are various ways in which they can be stolen. So, if you are one of our customers who are concerned about the safety of their data, worry no more – we’ve got you covered! With the release of Kanbanize version 4.15 we are introducing the option to add a second factor to the login process. This second factor will be the user’s smartphone.
This feature is currently only available with a subscription for a Kanbanize Organizations Plan.
Here’s how it works:
How to Set it Up?
1. The administrator of the account can turn on 2FA for each user (or all at once) from the Administration Panel:
2. Once 2FA has been enabled for a user, the next time he or she tries to log in, a 2FA setup screen will appear:
3. By following the instructions and scanning the QR code, the user saves their personal 2FA secret key in our mobile app.
If you haven’t downloaded the Kanbanize app on your Android or iOS device, you’ll need it for setting up and using 2FA, so head over to our Integrations page or directly to the Google Play Store or App Store to get it.
Set up complete!
How to Use it?
1. The user tries to log in from the web. After entering their username and password, a second screen appears asking for a One-time Password:
2. The user opens the Kanbanize app on their phone and goes to Menu > One-time Password:
3. The user enters the current One-time Password in the web form:
It’s important to note that the setup screen appears only the first time after 2FA has been enabled. Once setup is complete, you won’t be able to see your secret key again. So, if you want to use 2FA on more than one device, you should save your secret key on all of them before completing the setup. If at a later point you need to set up your 2FA again, you should ask your Kanbanize administrator to reset your 2FA key:
1. Open the Administration panel and click the button to edit a user:
2. Click “Reset 2FA key” (Note: this button will appear only if the user has already completed setup of a 2FA key):
Now, what if you don’t have an iOS or Android device!? Don’t worry – we have a solution for you, too! Our implementation of 2FA is completely compatible with Google Authenticator and with the numerous third-party implementations compatible with it, which cover Blackberry, Windows Phone and lots of other operating systems.
If, after entering your 2FA key, the OTPs that the app generates are invalid, here are some things to check:
If you entered the key manually one obvious thing to try is entering it again to rule out typos (scanning the QR code saves you this trouble).
We already mention this on the setup screen, but make sure your phone’s time is correct: the OTPs are time-based, so a phone clock that is off will produce codes the server rejects.
Ask your Kanbanize administrator to reset your 2FA key.
If nothing of the above helps or you have another problem, contact our support and we’ll help you solve the issue.
Also, one technical thing worth noting: once 2FA is enabled for a particular user, it will affect not only the web login process but also our REST API. Generally you use the API in two ways:
Through our mobile apps
Through a custom third-party app
As far as our apps are concerned, you don’t have to worry about anything: once you set up 2FA on your device, the app will do what’s needed behind the scenes and you will continue using it as before. However, a problem may arise if you use our app on more than one device. In this case you have to set up your secret key on all of them.
Using the API with 2FA through a custom third-party app will be a little more challenging! For every request (except for Login) you will have to supply an HTTP header named “otp” with the current valid One-time Password. Use Google Authenticator’s time-based algorithm to generate OTPs. Before that you will have to save your personal 2FA secret key in a secure place. Currently Google Authenticator’s source code is proprietary, but it was open-source until version 2.21, so you can use it as a reference here.