Configuring Two-Factor Authentication

Two-factor authentication adds a second authentication level for enhanced login security. CSO uses the username and password as the first level of user verification. Starting from Release 6.1.0, CSO supports configuring an optional second level of verification. The second level requires the user to authenticate with a verification code that is either sent through e-mail (the default option) or generated using an authentication server.

By default, two-factor authentication is disabled for all users. SP and OpCo administrators can enable or disable two-factor authentication in the Authentication page (Administration > Authentication), whereas tenant administrators can perform the same in the Tenant Settings page (Administration > Tenant Settings).

  • If an administrator enables two-factor authentication at the global, OpCo, or tenant level, then all existing and new users under that level are automatically configured for two-factor authentication. For example, if an OpCo administrator enables two-factor authentication, then all the users under that OpCo are configured for two-factor authentication.

    Individual users cannot disable two-factor authentication if it is enabled by the administrator. However, users can change the authentication method. The default authentication mechanism is e-mail OTP.

  • If two-factor authentication is disabled at the global, OpCo, or tenant level, then individual users can choose to enable two-factor authentication. Users can also change the authentication mechanism.

    For example, if two-factor authentication is disabled at the tenant level, then tenant users are required to enter only the username and password to log in to CSO. If individual users under that tenant want to use an additional verification level, then they can choose to enable two-factor authentication in the My Profile page.

  • If the administrator enables two-factor authentication initially and then later disables it, then existing users continue to have two-factor authentication enabled. Existing users can opt to disable two-factor authentication in the My Profile page (Administration > My Profile).

    However, two-factor authentication is disabled for new users. New users can enable two-factor authentication based on individual requirements.

Individual users can enable two-factor authentication if it is disabled. Users cannot disable two-factor authentication if it is enabled by the administrator.

Note:

If single sign-on (SSO) is enabled at the global or OpCo level, administrators cannot enable two-factor authentication for the users at that level.

To enable two-factor authentication:

  1. Select Administration > My Profile.

    The My Profile page appears.

    Note:

    If SSO is enabled in any of the scopes that the user is part of, then the My Profile page displays only the username as the user credentials are managed by the SSO server.

  2. Click the toggle button to enable two-factor authentication.

CSO provides two methods for two-factor authentication: e-mail and TOTP authentication. E-mail is the default method; you can select TOTP authentication instead.

To enable TOTP authentication:

  1. Install a Time-Based One-Time Password (TOTP) authenticator application on your mobile phone. You can use a TOTP authenticator application such as Authy or Duo Mobile, or an authenticator from Microsoft, LastPass, or Google.

  2. Scan the QR code provided in the My Profile page using the authenticator application to register your mobile phone with CSO.

  3. Enter the verification code generated by the authenticator application and click Verify.

    After CSO verifies the code, TOTP authentication is enabled. When you log in to CSO, you are prompted for a verification code that is generated by the authenticator application.

If you change your mobile phone, click Change Phone to unregister the existing phone from CSO. To register the new phone with CSO, follow steps 1 through 3.

If you do not want to use the TOTP authentication method, click Delete.
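
The following added example is not CSO code and does not describe CSO's implementation. It shows the standard TOTP mechanism (RFC 6238) behind the enrollment steps above: the QR code carries a shared secret, and both the authenticator application and the server derive the code from that secret and the current time. The `otpauth://` URI, its parameters, the drift window, and the replay check are assumptions for illustration; the secret is the published RFC 6238 test key.

```python
import base64, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed enrollment URI of the kind an enrollment QR code encodes.
# The secret is the published RFC 6238 test key, not a CSO value.
SAMPLE_URI = ("otpauth://totp/Example:user@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")

def parse_otpauth(uri):
    """Extract the shared key and TOTP parameters from an otpauth:// URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    algo = q.get("algorithm", "SHA1").lower()
    if algo not in ("sha1", "sha256", "sha512"):
        raise ValueError("unsupported HMAC algorithm")
    secret = q["secret"].upper()
    secret += "=" * (-len(secret) % 8)   # restore stripped base32 padding
    return {"key": base64.b32decode(secret), "algo": algo,
            "digits": int(q.get("digits", 6)), "period": int(q.get("period", 30))}

def hotp(p, counter):
    """RFC 4226: HMAC the counter, dynamically truncate, keep the last N digits."""
    mac = hmac.new(p["key"], struct.pack(">Q", counter), p["algo"]).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** p["digits"]).zfill(p["digits"])

def totp(p, now):
    """What the authenticator app displays at Unix time `now`."""
    return hotp(p, int(now) // p["period"])

def verify(p, submitted, now, window=1, last_used=-1):
    """Server side: return the matching time step, or None.
    Accepts +/- `window` steps of clock drift; rejects any step <= last_used
    so that a code observed once cannot be replayed."""
    step = int(now) // p["period"]
    for c in range(step - window, step + window + 1):
        if c > last_used and hmac.compare_digest(hotp(p, c).encode(),
                                                 submitted.encode()):
            return c
    return None

if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    print(totp(params, 59), verify(params, "94287082", 59))
```

A server that stores the step returned by `verify` and passes it back as `last_used` on the next login accepts each code at most once, and the drift window bounds how long a captured code remains usable.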