Two-factor authentication is a common method for verifying the identity of your users. It authenticates users based on two conditions: something they know and something they have. When a user logs in with their username and password, an SMS message or an email containing a one-time random access code is sent to the user, who must enter it before getting access. The username and password are known to the user, and the random code is sent to a device the user owns.
Why You Need Two-Factor Authentication
Even if someone has the username and password for your account, they will not be able to log in to your account without access to your text messages or email account.
How It Works
You enable two-factor authentication on a per-user basis. When a user logs in with a valid username and password, an extra input field appears requesting the one-time access code that was sent to them automatically via email or SMS during that login. This step is required every time a user logs in, and the code is valid for that login session only. Should the SMS message fail to send, the authentication system falls back to sending the access code via email, even if 'Authentication by Email' is not enabled. Users without any two-factor authentication enabled are not required to enter an access code.
From your Account Settings page > Users, select a User to edit and set the two-factor authentication preferences.
Note: You can force your users' current login sessions to expire so they must log in again, picking up any new settings you have applied to their accounts.
Login Session Duration
When a user successfully logs in they are given a unique login session ID. By default this ID is valid for 90 days before they will need to log in again. You can change how long these sessions remain valid in your Account Settings, under Login Session Duration. From this menu you can also clear all current login sessions for the account, forcing ALL users to log in again.
If you have set up integrations or API access points that do not support two-factor authentication, you can leave two-factor authentication disabled for those specific user accounts.
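The login flow described above (per-user enablement, a one-time code bound to the login session, the SMS-to-email fallback, the 90-day session and the "clear all sessions" control), as an added example that is not the product's own code. The `TwoFactorLogin` class, its field names, the injected `check_password`, `send_sms`, `send_email` and `now` callables, and the five-minute code lifetime are all assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 300                 # assumption: a delivered code expires after 5 minutes
SESSION_TTL_SECONDS = 90 * 24 * 3600   # default login session duration stated on the page


class TwoFactorLogin:
    def __init__(self, users, check_password, send_sms, send_email, now):
        self.users = users                    # username -> {"sms_2fa", "email_2fa", "phone", "email"}
        self.check_password = check_password  # callable(username, password) -> bool
        self.send_sms = send_sms              # callable(phone, code) -> bool, False = delivery failed
        self.send_email = send_email          # callable(address, code) -> bool
        self.now = now                        # callable() -> seconds; injected so a test can move time
        self.pending = {}                     # session_id -> (code_digest, expires_at)
        self.sessions = {}                    # session_id -> expires_at

    def login(self, username, password):
        # First step: returns (session_id, needs_code), or None when the password is wrong.
        user = self.users.get(username)
        if user is None or not self.check_password(username, password):
            return None
        session_id = secrets.token_urlsafe(32)
        if not (user["sms_2fa"] or user["email_2fa"]):   # no second factor enabled for this user
            self.sessions[session_id] = self.now() + SESSION_TTL_SECONDS
            return session_id, False
        code = f"{secrets.randbelow(10**6):06d}"          # six-digit one-time code
        self.pending[session_id] = (_digest(session_id, code), self.now() + CODE_TTL_SECONDS)
        # Send by SMS when enabled; if that fails, fall back to email even when email 2FA is off.
        delivered = user["sms_2fa"] and self.send_sms(user["phone"], code)
        if not delivered:
            self.send_email(user["email"], code)
        return session_id, True

    def verify(self, session_id, code):
        # Second step: the code is bound to this session and is accepted at most once.
        entry = self.pending.pop(session_id, None)      # a wrong guess discards the code as well
        if entry is None:
            return False
        expected, expires_at = entry
        if self.now() > expires_at or not hmac.compare_digest(expected, _digest(session_id, code)):
            return False
        self.sessions[session_id] = self.now() + SESSION_TTL_SECONDS
        return True

    def clear_all_sessions(self):
        # The account-level control described above: every user has to log in again.
        self.sessions.clear()
        self.pending.clear()


def _digest(session_id, code):
    # Only a digest of the code is stored, keyed to the session it was issued for.
    return hashlib.sha256(f"{session_id}:{code}".encode()).hexdigest()
```

A real deployment would also rate-limit `verify` and log fallback deliveries, since a switch from SMS to email is the signal an operator wants when investigating failed or suspicious logins.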