Configure TOTP Two-Factor Authentication for BeyondInsight and Password Safe

BeyondTrust supports two-factor authentication options using a time-based one-time password (TOTP). TOTP integrates with two-factor authentication apps. The end user must install one of these apps, such as Google Authenticator or Microsoft Authenticator, to register their device. As part of the configuration process, the user must register this two-factor app with BeyondTrust. The below sections detail how to configure TOTP two-factor authentication settings, apply TOTP authentication to user accounts in BeyondInsight, and how to register their authenticator app device with BeyondTrust.

Configure TOTP Two-Factor Authentication Settings

  1. In BeyondInsight, navigate to Configuration > Authentication Management > Authentication Options.

Configure Active Directory settings for TOTP authentication in BeyondInsight

  1. Under TOTP Two-Factor Authentication, set the following:
    • Skew Intervals: Considers how many prior tokens are valid and accepted. You can increase this value from the default if a lag is anticipated in the synchronization between the server and client.
    • Enable for new directory accounts
    • Enable for new local accounts
  2. Click Update TOTP Two-Factor Authentication Options.

 

Set TOTP Two-Factor Authentication on User Accounts

The type of two-factor authentication can be set on a user account when a new user is created or when editing an existing user account. You can enable TOTP two-factor authentication for all new users from Authentication Options > TOTP Two-Factor Authentication settings, as indicated in the above section.

  1. In BeyondInsight, navigate to Configuration > Role Based Access > User Management > Users.
  2. To create a new user, click Create New User. To edit an existing user, click the vertical ellipsis for the account and select Edit User Details.

Set TOTP Two-Factor Authentication Option on a User Account in BeyondInsight

  1. At the bottom of the user account settings, select TOTP from the Two-Factor Authentication list.

 

Register an Authenticator Application Device

The first time a new user logs in, they must register their device with an authenticator app, as follows.

Two-Factor Authentication QR Code Screen

  1. Download an authenticator app.
  2. Scan the QR code or manually enter the alphanumeric code into the authenticator app. Once the code is detected, the app generates a 6-digit authenticator code.
  3. Enter the code into the Authenticator Code field, and then click Continue. This activates the user's device.
  4. Click Continue, and then enter login credentials.
  5. Enter 6-digit code again.
  6. Click Submit.

 

The authenticator app generates a new code roughly every 30 seconds.

 

 

Unregister an Authenticator Application Device

Administrators can unregister a device by removing it from a user account. Users can remove a device from their own account only.

Steps for Administrators

  1. Navigate to Configuration > Role Based Access > User Management > User
  2. Find the user and click the vertical ellipsis for the user.
  3. Select Edit User Details.
  4. Scroll to the bottom of the user's details, and under Two-Factor Authentication, click Remove Device.

Steps for Users

Profile and Preferences box where you can access Account Settings.

  1. Click the Profile and preferences icon in the top right corner of the BeyondInsight console.
  2. Click Account Settings.

 

My Account - Two-Factor Authentication

  1. Select Two-Factor Authentication.
  2. Click Replace Authenticator App.
  3. To register the app again, click Reconfigure Authenticator App.

 

Users may not enable both RADIUS and TOTP.  Only one two-factor authentication type may be selected.