Configure Two-Factor Authentication for Cloud Privilege Broker Using a Time-Based One-Time Password

BeyondTrust supports two-factor authentication using a time-based one-time password (TOTP). TOTP works with standard authenticator apps: the end user installs one of these apps, such as Google Authenticator or Microsoft Authenticator, and registers it with BeyondTrust as part of the configuration process. The app then generates the codes the user enters at login.

Configure TOTP Two-Factor Authentication Settings

Screenshot of authentication options on Configuration page.

  1. Select Configuration > Role Based Access > Authentication Options.

Screenshot of TOTP Two-Factor Authentication settings.

  2. In the TOTP Two-Factor Authentication pane, set the following:
    • Skew Intervals: The number of prior codes (time steps) that are still accepted in addition to the current one. Increase this value from the default only if you expect clock drift between the server and the client device; each extra interval extends the window in which an intercepted code remains usable.
    • Enable for new directory accounts
    • Enable for new local accounts
  3. Click Update TOTP Two-Factor Authentication Options.

Set TOTP Two-Factor Authentication

Screen Capture of Two-Factor Authentication Options

Two-factor authentication is set when a new user is created. To have it set automatically for every new user, turn on Enable for new directory accounts and Enable for new local accounts under TOTP Two-Factor Authentication Settings.

  1. Select Configuration > Role Based Access > User Management > Users > Create New User.
  2. At the bottom of the new user settings, select TOTP under Two Factor Authentication.


Register a Device

The first time a new user logs in, they must register their device with an authenticator app.

Screen Capture of Two-Factor Authentication Options

  1. Download an authenticator app.
  2. Scan the QR code with the app, or manually enter the alphanumeric secret shown next to it. Once the secret is imported, the app generates a 6-digit Authenticator Code.
  3. Enter the code into the Authenticator Code field and click Continue. This activates the user device.
  4. Click Continue to Login, then enter login credentials.
  5. Enter the current 6-digit code again.
  6. Click Submit.

The authenticator app generates a new code every 30 seconds (the TOTP time step), so enter the code before it rotates.
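The Skew Intervals setting above and the 30-second code rotation in the registration steps are both consequences of how TOTP (RFC 6238) works. The following Python block is an added example, not BeyondTrust code: it builds the otpauth URI that a registration QR code encodes (the same base32 string a user types when entering the secret by hand), generates codes, and verifies them server-side with a configurable number of accepted prior intervals, rejecting reuse of an already-consumed code. The secret, issuer and account name are constructed sample values, and the function and class names are the example's own.

```python
# Added example: RFC 6238 TOTP generation and verification with a skew window.
# Illustrative code only, not BeyondTrust's implementation.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

PERIOD = 30   # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6    # code length shown by the authenticator app

# Constructed sample secret (the RFC 6238 test-vector key). A real server
# generates a fresh random secret per user, e.g. os.urandom(20), at registration.
SAMPLE_SECRET = b"12345678901234567890"


def enrollment_uri(secret: bytes, issuer: str, account: str) -> str:
    """Build the otpauth:// URI that the registration QR code encodes.

    The base32 'secret' parameter is the alphanumeric code a user enters
    manually when they cannot scan the QR code.
    """
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&digits={DIGITS}&period={PERIOD}")


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / PERIOD)."""
    return hotp(secret, at // PERIOD)


class TotpVerifier:
    """Server-side check with a configurable number of accepted prior intervals.

    skew_intervals=0 accepts only the current time step; skew_intervals=1 also
    accepts the previous one, and so on. Each extra interval widens the window
    in which an intercepted code stays usable, so keep it as small as clock
    drift allows. A code whose time step is at or before the last accepted one
    is rejected, which stops straight replay inside the window.
    """

    def __init__(self, secret: bytes, skew_intervals: int = 1):
        self.secret = secret
        self.skew_intervals = skew_intervals
        self.last_used_step = -1

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        now = int(time.time()) if now is None else now
        current = now // PERIOD
        # Walk from the current step back through the allowed prior steps.
        for step in range(current, current - self.skew_intervals - 1, -1):
            if step <= self.last_used_step:
                continue  # already consumed: treat as a replay attempt
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_used_step = step
                return True
        return False


if __name__ == "__main__":
    print(enrollment_uri(SAMPLE_SECRET, "BeyondTrust", "alice"))
    print("current code:", totp(SAMPLE_SECRET, int(time.time())))
```

The verifier deliberately checks only the current step and earlier ones, matching the page's description of Skew Intervals as prior codes; a verifier that also accepts future steps (a client clock running ahead) doubles the window for the same setting.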


View and Edit TOTP Two-Factor Authentication

Screen Capture of User Details

You can view and edit two-factor authentication in User Details.

  1. Select Configuration > Role Based Access > User Management.
  2. Find the user and click the ellipsis on the right side to View User Details or Edit User Details.


Unregister a Device

Screen Capture of User Details

Both administrators and users can remove, or unregister, the device.

Administrators:

  1. Select Configuration > Role Based Access > User Management.
  2. Find the user and click the ellipsis on the right side.
  3. Select Edit User Details.
  4. At the bottom of the screen, click Remove Device.

Screen Capture of User Details

Users:

  1. Select Account Settings under Profile and Preference on the top left of the screen.
  2. Select Two-Factor Authentication.
  3. Click Replace Authenticator App.
  4. To re-register the app, click Reconfigure Authenticator App.

Users may not enable both RADIUS and TOTP. Only one two-factor authentication option may be selected.