Multi-Factor Authentication (MFA)
Passportal supports multiple forms of MFA for users accessing the system.
Passportal supports the following methods:
- Authenticator (iOS and Android) – This can be any authenticator app that generates TOTPs, such as Google Authenticator, Microsoft Authenticator, Authy, etc.
- Timed One-Time Passcode (TOTP) generators such as Duo Mobile, Google Authenticator, or Microsoft Authenticator
MFA is enforced globally for Passportal; each Site can separately enable MFA and configure its own individual preferences.
To configure MFA within Passportal:
- Navigate to Settings > General
- Select the Multi-Factor Authentication tab
- Select the MFA Communication Method from the drop-down menu
- Enable the Allow Backup Utility (CLI) to bypass MFA option to allow command-line password export via the Passportal Backup Utility without an MFA prompt
- Click Save when all settings are set as required
The Enable MFA toggle is set on and cannot be altered.
Further information on each MFA Communication Method follows.
If you already have an MSP account with Duo Security, you can set up Passportal as an application and utilize Duo Push and the Duo Browser Based Authentication Prompt.
To Use Your Existing Duo Security (Integration)
Please ensure you follow these steps carefully, as this action cannot be undone.
- Enable the Use your Existing Duo Integration toggle.
- The Duo API Information fields are now displayed, along with the directions below and links to Duo's API support documentation.
- If you are not using an email address as the username, ensure that the email address is imported as an Alias for each user using the Duo Admin API. For more information, please see Duo's documentation: Duo Username Aliases Configuration Guide.
- Create two applications for Passportal in Duo, one as a WebSDK and the second as an Auth API. For more information, please see Duo's documentation: Protecting Applications.
- Ensure that you have Username Normalization set to Simple in both your Auth API and WebSDK Applications in Duo. For more information, please see Duo's documentation: Protecting Applications - Username Normalization.
- Enter the API information from the newly created applications in the appropriate fields.
- When finished, select Save.
As per step 3 in the Cisco Duo instructions: Applications with Universal Prompt support rename the Integration key and Secret key to better align with the OAuth 2.0 specification. These values are now known as the "Client ID" or client_id and the "Client secret" or client_secret. The actual values for these properties remain the same (so when you update an application from the traditional Duo prompt there's no need to enter new application information).
The integration key/Client ID and secret key/Client secret uniquely identify a specific application to Duo. The API hostname is unique to your account, but shared by all your applications. You'll need all these values when configuring your system to work with Duo.
To use a TOTP Authenticator:
- Select TOTP Authentication from the drop-down and select Save.
- Users will be prompted at the next login to scan a QR code to set up the TOTP Authenticator app and continue with the MFA setup for their profile.
Duo Mobile can be used with this QR code method without needing a Duo Security paid subscription. Install Duo Mobile on the mobile device from the appropriate app store rather than the Google or Microsoft Authenticator, and scan the QR code.
Resetting a Pro User's MFA
Where TOTP is configured for MFA, a Pro User's MFA can be reset via the Edit User dialog in Passportal. Once reset, the user will be prompted to set up MFA the next time they attempt to log into Passportal.
- Click on the 3 dots menu in the Actions column of the user
- Click Edit User
- The Edit User dialog opens to the right
- Click the Reset Google QR Code button
- Click Save
Where Duo is used for MFA, the Duo Admin will need to reset MFA for the user via the Duo Administrator Panel. Refer to Duo's documentation for directions.
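As an added example that is not Passportal's or Duo's code, the following Python shows what the QR-code enrolment in the TOTP section and the reset step above amount to: a shared secret carried in an otpauth:// URI, the RFC 6238 code derived from it, a verifier that tolerates one step of clock skew and rejects replayed codes, and a reset that rotates the secret so the old app enrolment stops working. The issuer name and the 20-byte key length are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# Added illustration (not Passportal code) of what sits behind the QR-code
# enrolment and the "reset MFA" step: RFC 6238 TOTP, SHA-1, 6 digits, 30 s steps.
STEP = 30
DIGITS = 6

def new_secret() -> bytes:
    """Fresh random shared secret; an MFA reset simply replaces this value."""
    return secrets.token_bytes(20)  # 20-byte key length is an assumption

def enrolment_uri(secret: bytes, account: str, issuer: str = "ExampleIssuer") -> str:
    """otpauth:// URI that the enrolment QR code encodes for the authenticator app."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP}")

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 code for the given time: HMAC-SHA1 over the 8-byte time counter."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"

class TotpVerifier:
    """Server-side check allowing +/-1 step of clock skew and rejecting replayed codes."""
    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret, self.skew, self.last_step = secret, skew_steps, -1

    def verify(self, code: str, unix_time: int) -> bool:
        step = unix_time // STEP
        for candidate in range(max(0, step - self.skew), step + self.skew + 1):
            if candidate <= self.last_step:  # each time step is accepted at most once
                continue
            if hmac.compare_digest(totp(self.secret, candidate * STEP), code):
                self.last_step = candidate
                return True
        return False

    def reset(self) -> bytes:
        """Rotate the secret so the user's old app enrolment stops working."""
        self.secret, self.last_step = new_secret(), -1
        return self.secret
```

The three time values in the checks below are the SHA-1 test vectors from RFC 6238 Appendix B, truncated to six digits.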