Two-Factor Authentication
What is Runtime 2FA?
Two-factor authentication (or 2FA in short) is a way of adding an extra layer of security to your Runtime environment. Within the context of Runtime, this means using a mobile device in order to “validate” the identity of your users by making them generate an access code in addition to their usual password when trying to log into Runtime. This is a widely adopted system of electronic authentication that has slowly become the market standard for enterprise applications. The main benefit of this system is that it prevents bad actors from gaining access to user accounts in the case of a password leak. After all, in order to gain access to an account, you would also need access to that user’s phone to use their authentication app. This chapter of the documentation details how to install, maintain and modify two-factor authentication.
Supported authentication apps
2FA requires the user to have access to an authentication app on their phone. In general, as long as this is a modern authentication app that uses time-based one-time passwords, you can assume the app is supported. Some examples include:
Google Authenticator
Microsoft Authenticator
Authy
2FAS
One thing to note is that TOTP (time-based one-time passwords) are reliant on the system time of the server where Runtime is installed being equal to the system time on the 2FA device. If these two are not in-sync, then 2FA codes may be rejected by Runtime as being invalid.
Enabling 2FA
To enable 2FA, the user should navigate to their profile. This can be done by opening Runtime, and clicking on the username in the top-right corner of Runtime. After doing so, a drop-down menu should open in which the user can select 2FA Settings.
Once in the 2FA configuration screen, press Enable 2FA.
Once this has been done, the user is prompted to follow the following steps:
Scan a generated 2FA QA-code from within your authentication app, or alternatively input the included manual code to link your phone to your account,
Verify by entering your current password,
Perform an initial 2FA check and enter the generated 6-digit code to confirm that the configuration is correct.
Once all of these steps are completed, 2FA has been successfully enabled, and the user is given the following prompt:
At this point, 2FA is enabled. The user can now disable 2FA from this screen, or view the recovery code by pressing show recovery code. Then, the UI will display your personal recovery code. Once you´ve copied and stored your recovery code in a safe location, press I safely stored my recovery code. As long as you have access to your Runtime account, you can navigate back to the 2FA configuration screen to view this recovery code.
Make sure to properly store your recovery code!
In the event that you lose access to your phone, or are unable to use 2FA to log into Runtime, you will need your recovery code to remove 2FA. If you lose both access to 2FA and your recovery code your account cannot be restored.
Disabling 2FA
To disable 2FA, simply navigate to the 2FA settings menu, and press Disable 2FA. After this, the user must supply both their current password and a valid 2FA code in order to disable 2FA.
Alternatively, if access is lost to your 2FA device, 2FA can be disabled through Account Recovery which will be detailed later in this chapter.
Lastly, an administrator with the “Manage Users/LDAP“ permission can disable 2FA for any other user. This can be done by going into the User Management screen, and opening the details attached to any user on the Users page. Then, Disable 2FA can be selected.
Logging in with 2FA
To log into Runtime once 2FA is enabled, simply navigate to your Runtime web portal and supply your username & password. Once Runtime validates that your credentials are correct, you’ll be prompted to enter your 6-digit 2FA code, and press Verify. If you’ve lost access to your 2FA device, pressing No access to your authenticator app? will navigate the user to a recovery screen to disable 2FA by using your recovery code. This process is described in the following chapter.
Account Recovery
In order to recover your account after access to your 2FA device has been lost, simply attempt to log into Runtime using your username & password. Then, in the 2FA verification screen, press no access to your authenticator app? and input your recovery code. The user is then logged in after pressing Verify, and 2FA is disabled. In order to configure 2FA again, the user must follow the steps detailed in Enabling 2FA.