Configure Two-Factor Authentication for BeyondInsight and Password Safe Using a Time-Based One-Time Password

BeyondTrust supports two-factor authentication options using a time-based one-time password (TOTP). TOTP integrates with two-factor authentication apps. The end user must install one of these apps, such as Google Authenticator or Microsoft Authenticator, to register their device. As part of the configuration process, the user must register this two-factor app with BeyondTrust.

Configure TOTP Two-Factor Authentication Settings

  1. Navigate to Configuration > Authentication Management > Authentication Options.

Screenshot of TOTP Two-Factor Authentication settings.

  1. Under TOTP Two-Factor Authentication, set the following:
    • Skew Intervals: Considers how many prior tokens are valid and accepted. You can increase this value from the default if a lag is anticipated in the synchronization between the server and client.
    • Enable for new directory accounts
    • Enable for new local accounts
  2. Click Update TOTP Two-Factor Authentication Options.


Set TOTP Two-Factor Authentication on User Accounts

The type of two-factor authentication can be set on a user account when a new user is created or when editing an existing user account. You can enable TOTP two-factor authentication for all new users from Authentication Options > TOTP Two-Factor Authentication settings, as indicated in the above section.

  1. Select Configuration > Role Based Access > User Management > Users > Create New User.

Screen Capture of TOTP Two-Factor Authentication Option on a User Account

  1. At the bottom of the user account settings, select TOTP from the Two Factor Authentication list.


Register a Device

The first time a new user logs in, they must register their device with a multiple authenticator app.

Screen Capture of Two-Factor Authentication QR Code Screen

  1. Download an authenticator app.
  2. Scan the QR code or manually enter the alphanumeric code into the authenticator app. Once the code is detected, the app generates a 6-digit authenticator code.
  3. Enter the code into the Authenticator Code field, and then click Continue. This activates the user's device.
  4. Click Continue, and then enter login credentials.
  5. Enter 6-digit code again.
  6. Click Submit.


The authenticator app generates a new code roughly every 30 seconds.


View and Edit TOTP Two-Factor Authentication

Screen Capture of User Details

You can view and edit two-factor authentication in User Details.

  1. Select Configuration > Role Based Access > User Management > Users.
  2. Find the user and click the ellipsis on the right side to View User Details or Edit User Details.


Unregister a Device

Administrators can unregister a device by removing it from a user account. Users can remove a device from their own account only.


  1. Select Configuration > Role Based Access > User Management
  2. Find the user and click the ellipsis on the right side.
  3. Select Edit User Details.

Screenshot of Edit User highlighting the Remove Device option

  1. At the bottom of the screen, click Remove Device.



Screenshot of the Profile and Preferences box where you can access Account Settings.

  1. Click the Profile and preferences icon in the top right corner.
  2. Click Account Settings.


Screen Capture of User Details

  1. Select Two-Factor Authentication.
  2. Click Replace Authenticator App.
  3. To register the app again, click Reconfigure Authenticator App.


Users may not enable both RADIUS and TOTP.  Only one two-factor authentication option may be selected.