Transitioning from Previous Forms of Two-Factor Authentication (Email Codes)
The two-factor authentication method previously in place, known as robust authentication, relied on email codes to verify the user's identity. With BeyondTrust Privileged Remote Access version 17.1, this method has been deprecated and replaced with two-factor authentication using a time-based one-time password (TOTP).
Users who were receiving codes to log in will be automatically upgraded to two-factor authentication. When logging in, they will see a message indicating that login codes by email have been deprecated and instructing them to use a device capable of generating time-based one-time passwords.
The user may, however, continue to use email codes until they register an authenticator app, such as Google Authenticator. This not only ensures backwards compatibility with existing security settings for a user's account, but also takes into consideration that an app or device may not be immediately available.
In this scenario, a user would continue to see a request to register an authenticator app until they begin using the new two-factor authentication method. Once the user registers an app and begins using the new method, the email code option is permanently disabled.
Because email codes are no longer an admin option, the feature cannot be re-enabled once the user begins using the new method.
A user can ask the administrator to stop requesting device-based two-step authentication at each login. The administrator can do so by changing the user's permission from Required to Optional under the user's account settings. However, this also permanently disables emailed login codes. BeyondTrust does not recommend this procedure, since it degrades the security level of that user's account. Keeping two-factor authentication enabled is a best practice and is highly recommended.