Document toolboxDocument toolbox

Keys for multifactor authentication

Owned by Pavel Novák
Last updated: Feb 15, 2023
2 min read

Shows the list of existing keys for multifactor authentication (for logging into the application). New keys can be added using the + ADD button above the list. Existing keys in the list can be renamed or deleted.

If there is no key present in the list, it means multifactor authentication is not being used. If there is at least one key present in the list, it will be requested as a second factor during login. Without it the login will not be possible. Therefore it is strongly recommended for at least two keys to be always present, so in case of losing one of them, the login will still be possible using the other one.

If all of the keys in the list are lost or inaccessible, login will not be possible. The only option will be to contact the administrator and request deletion of the lost keys for multifactor authentication.

The following two key types are supported:

TOTP

Keys are based on a shared secret, which is used to generate Time-based One Time Passwords needed for the login.

This type of keys is typically supported by mobile applications like: Google Authenticator, Microsoft Authenticator, Authy, Duo Mobile, etc.

After creating a new key of this type, the secret key, which needs to be entered into one of the above mentioned apps, is displayed this one time only. Usually it can be entered into the app by scanning the displayed QR code.

When using a key of this type, it is necessary to enter the current one time code, shown by the authentication application, when prompted during the login.

FIDO2

This is a new standard of the FIDO alliance (see HERE), also called WebAuthn. It is already supported by all modern web browsers and requires ownership of either a supported hardware key, like YubiKey 5, or using Windows Hello. It is based on an asymmetric cryptography using a private and public key and, especially in case of using the hardware based token, offers very high level of security.

When adding a new key of this type, a dialog of the operating system is usually shown on the web browser request, asking the user to use the desired key (press the Yubikey button for example), which results in the identification of the key, so it can be added to the application. If there are multiple keys available in the computer, for example both YubiKey and Windows Hello, the user must pay additional attention to which of the keys he wants to use. If a dialog of the operating system pops up, requesting a key, which the user does not want to use, it must be canceled, and another dialog with a request for the correct key should pop up.

This type of key might be optionally protected by a PIN code. In such a case the PIN must be entered when requested, otherwise the key cannot be used.