AngelTrack supports various methods of two-factor authentication, to protect your account from credential-stealers that might find their way onto your computer.
Read this article to learn the various ways you can protect your accounts using multi-factor authentication, as well as require the same for all other users at your company.
For an overview of AngelTrack's security features, and guidance on securing a mobile EMS/fire operation, please visit the Security Guide.
Choice of 2FA Medium
You can use any of the following methods for 2FA on your AngelTrack user account:
- Email;
- SMS text message (USA only); or
- Authenticator app.
To learn more about email and SMS messaging in AngelTrack, please visit the Messaging Guide.
If you wish to use an Authenticator app, you can pick any of them that support the TOTP standard on SHA256, which is pretty much all of them. For example, you can use any of these:
- Aegis Authenticator
- 2FAS Authenticator
- Google Authenticator
- Twilio Authy Authenticator
- Okta Verify
DO NOT USE A NO-NAME AUTHENTICATOR APP. These days, mobile app stores are shark-infested waters. Please choose a mainstream or name-brand authenticator app, like those listed above; there are many no-name authenticator apps in the mobile app stores which may be up to no good.
You cannot use the Microsoft Authenticator app. We do not know why it does not work right for SHA256 TOTP codes.
Your selected authenticator app will provide you with backup capabilities, either to a file you can download to your PC, or to the cloud.
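As an added illustration (not AngelTrack's own code), here is a minimal RFC 6238 TOTP implementation covering the parameters this article names: the SHA256 hash, configurable six-, seven- or eight-digit codes, and a one-step tolerance on either side of the current 30-second step, which is the "three allowed time windows" the later calculations assume. The secrets are constructed for the example; the first is the RFC 6238 SHA256 test seed.

```python
import base64
import hashlib
import hmac
import struct


def totp(secret: bytes, for_time: int, digits: int = 6, step: int = 30,
         algorithm: str = "sha256") -> str:
    """RFC 6238 TOTP: HMAC over the 8-byte big-endian step counter, then
    RFC 4226 dynamic truncation to the requested number of digits."""
    counter = for_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, submitted: str, now: int, digits: int = 6,
           step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus `window` steps on either side (window=1 is
    the three-window tolerance assumed in the article) using a constant-time
    comparison. Length and digit checks reject malformed input up front."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    return any(
        hmac.compare_digest(totp(secret, now + k * step, digits, step), submitted)
        for k in range(-window, window + 1)
    )


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// QR code, tolerating
    the missing '=' padding that most authenticator URIs omit."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


if __name__ == "__main__":
    # Constructed demo secret and timestamp; a real server would use its own.
    demo_secret = secret_from_base32("JBSWY3DPEHPK3PXP")
    now = 1_700_000_010
    code = totp(demo_secret, now, digits=7)
    print("7-digit code:", code, "accepted:", verify(demo_secret, code, now, digits=7))
```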
Using an Authenticator App on Multiple AngelTrack Servers
If you login to multiple AngelTrack servers, you can use the same authenticator app for all of them.
Each time you enable 2FA via authenticator app for a user account, AngelTrack will display a QR code that you will scan into your app. The QR code includes the server's name, so that you can tell the various servers apart by their names, like this:
- AT-firstcallems
- AT-reliableems
- AT-smithcounty
Requiring 2FA for Certain Security Roles or for All Users
On the Preferences page under Settings, you can configure which user roles in AngelTrack shall require two-factor authentication.
By default, AngelTrack requires it on Administrator accounts and on HR accounts, but you can change this, or require it everywhere.
Use the "Employees Missing HR Data" report, under HR Home, to see which user accounts have not yet activated 2FA.
Special Privileges for Accounts with 2FA
Any user account with 2FA enabled will enjoy twice the normal password-reset interval. For example, if your systemwide password reset interval is 90 days, then any user account with 2FA will only have to reset every 180 days.
If your user account has Administrator access, be sure to enable two-factor authentication. Any user account that has Administrator access but which does not have two-factor authentication will be automatically deactivated after 90 days of inactivity.
Allowing Direct Login with Authenticator App
In the "Security" section of the Preferences page available from Settings, there is an option to allow your users to directly login with their username plus their authenticator app code, skipping their password entirely.
When this option is enabled, AngelTrack will use longer authenticator codes than normal -- seven for regular employees, and eight for your Administrator account, instead of the usual six -- to reduce the odds of a guessing attack. (AngelTrack also has automatic account lockout to prevent guessing attacks.) See below for how to calculate these odds.
Please consult with your IT security expert to discuss the pros and cons of this feature before implementing it. While it alleviates the constant grief of passwords, it increases the security exposure of a lost authenticator app. AngelTrack reduces this attack surface by not including full names or login names in the QR codes sent to the authenticator app; however, an attacker with knowledge of your organization could probably guess a few usernames, allowing him to login using just the stolen authenticator app.
Attack surface area calculations
If this feature is enabled, and an attacker knows the login name of a user with a seven-digit authenticator code enabled, it will take the attacker about this long to brute force a successful login:
- 9,999,999 codes / 3 allowed time windows = 3,333,333 possibilities
- 2,222,222 guesses needed for a likely login
- one guess per 15-minute account lockout period = about 60 years of guessing
If the attacker knows ten usernames of authenticator-provisioned accounts, and brute-forces all of them in parallel, and if the attempt somehow evades AngelTrack's monitoring systems, then it would take about 6 years of guessing to access any one of the ten accounts. This is the worst-case scenario.
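The calculation above, carried through as an added example (not AngelTrack's own code) so you can rerun it with your own assumptions. It reproduces the article's figures for a seven-digit code, then goes beyond the text by modelling eight-digit Administrator codes and parallel guessing against several known usernames; the two-thirds "likely login" ratio is the one implied by the article's 2,222,222-of-3,333,333 figures.

```python
from dataclasses import dataclass

MINUTES_PER_YEAR = 365.25 * 24 * 60


@dataclass
class GuessingModel:
    """Brute-force exposure for direct authenticator-code login."""
    codes: int = 9_999_999        # the article counts 9,999,999 seven-digit codes
    time_windows: int = 3         # current TOTP step plus one on either side
    lockout_minutes: float = 15   # one guess per account per lockout period (article's assumption)

    def possibilities(self) -> int:
        # Codes that would be accepted at any given moment: one per allowed window.
        return self.codes // self.time_windows

    def guesses_for_likely_login(self) -> int:
        # Two thirds of the possibilities, the ratio implied by the article's figures.
        return (self.possibilities() * 2) // 3

    def years_to_compromise(self, parallel_accounts: int = 1) -> float:
        """Wall-clock years until any one of `parallel_accounts` known usernames
        falls, at one attempt per account per lockout period."""
        minutes = self.guesses_for_likely_login() * self.lockout_minutes / parallel_accounts
        return minutes / MINUTES_PER_YEAR


def model_for_digits(digits: int) -> GuessingModel:
    """Same counting convention as the article (10^digits - 1 codes)."""
    return GuessingModel(codes=10 ** digits - 1)


if __name__ == "__main__":
    seven = model_for_digits(7)
    eight = model_for_digits(8)
    print("7 digits, one account:  %.1f years" % seven.years_to_compromise())
    print("7 digits, ten accounts: %.1f years" % seven.years_to_compromise(10))
    print("8 digits, one account:  %.1f years" % eight.years_to_compromise())
```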
In any case, do not enable this option until you implement policy requiring fingerprint unlock on all associated mobile devices, with automatic wipe after ten failed attempts.
Temporarily Disabling 2FA on your Account
You can temporarily disable 2FA on your user account by visiting your Employee Self-Edit page and unchecking the ☑ Two-factor authentication during login tickybox.
If your AngelTrack server is configured to mandate 2FA on accounts with your security roles, then AngelTrack will start bugging you to re-activate it. You can snooze these reminders.
When you later re-enable 2FA on your account, AngelTrack will prompt you to re-verify a code, to make sure the authentication channel (email, SMS, or app) still works.