2FA: Difference between revisions

From VoIPmonitor.org
(Created page with "== Two Factor Authentication (2FA) == It's possible to use 2FA from GUI's version 20. Be sure you have synchronized time on your GUI's server because 2FA pins(codes) are tim...")
 
(VS-1760: Document Always enable 2FA dialog option)
 
(6 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== Two Factor Authentication (2FA) ==
= Two Factor Authentication (2FA) =


It's possible to use 2FA from GUI's version 20.
2FA is available from VoIPmonitor GUI version 20.


Be sure you have synchronized time on your GUI's server because 2FA pins(codes) are time limited.
== Prerequisites ==


=== Settings in the GUI ===
Ensure server time is synchronized (install NTP service) as 2FA codes are time-sensitive.


* user with admin permissions can activate 2FA's requirement for concrete user (in GUI->Users & Audit). When this user logs after this setting, then 2fa setup is required.
== GUI Settings ==
* admin user can delete actual 2FA secret from user's account (in GUI->Users & Audit)
* user can change/setup its 2FA secret in the section GUI->User settings->Change user auth. This option joins the password and the 2FA setting.
** follow the setup dialog


=== Setting of the 2FA code generator ===
* Admin users can enable 2FA requirement for any user in '''GUI > Users & Audit'''. Enabling requires setup.
* Admins can delete a user's 2FA secret in '''GUI > Users & Audit'''.
* Users can set/change 2FA (with password) in '''GUI > User Settings > Change User Auth'''. Follow the setup dialog.
* '''Always enable 2FA dialog''' (in Settings > System Configuration > Advanced): '''(New in 2026.1)''' Forces the 2FA input field to appear on the login screen for all users, regardless of their 2FA status. Useful for environments with external authentication systems that always require a 2FA code.
== 2FA Code Generator Setup ==


you can use various 2FA applications:
Use apps like:


* Google Authenticator for Android https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
* Google Authenticator for Android: https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2
* Google Authenticator for IOS https://itunes.apple.com/cz/app/google-authenticator/id388497605?mt=8
* Google Authenticator for iOS: https://itunes.apple.com/cz/app/google-authenticator/id388497605?mt=8
* Google Authenticator as plugin for Chrome Browser https://chrome.google.com/webstore/detail/google-authenticator/njkhnbmlaefgkjpaghgphiceaocdblgl
* Google Authenticator Chrome extension: https://chrome.google.com/webstore/detail/google-authenticator/njkhnbmlaefgkjpaghgphiceaocdblgl
* Authenticator plugin for Firefox https://addons.mozilla.org/en-US/firefox/addon/auth-helper/?src=search
* Authenticator Firefox addon: https://addons.mozilla.org/en-US/firefox/addon/auth-helper/?src=search


Import account setting from QR code into yours application and start to use it.
Scan QR code to import account and generate codes.


=== Problem solving ===
== Troubleshooting ==


* manual disabling of 2FA authentication for concrete user can be done directly in the database
=== Time Synchronization Issues (TOTP-based 2FA) ===
update users set secret = null, req_2fa = 0 where username = 'USER';
 
If you use TOTP-based apps (Google Authenticator, Authy, etc.) and receive "invalid code" errors, the server time may be out of sync. 2FA codes are time-sensitive.
 
* Ensure NTP service is installed and running:
<syntaxhighlight lang="bash">
# Debian/Ubuntu
sudo apt-get install ntp
sudo systemctl restart ntp
 
# CentOS/RHEL
sudo yum install ntp
sudo systemctl restart ntp
</syntaxhighlight>
 
* Force immediate time sync:
<syntaxhighlight lang="bash">
sudo ntpdate pool.ntp.org
</syntaxhighlight>
 
=== FortiToken Activation Issues ===
 
FortiToken uses a different mechanism than TOTP apps. If you receive an "invalid code" error during FortiToken activation:
 
* Do NOT attempt to fix via time synchronization - this will not solve FortiToken activation issues.
* Contact your '''VPN administrator''' to request a '''new activation code'''.
* Ensure the new code is used within its validity period (typically 24 hours).
* In the FortiTokenMobile app:
** Use the '''SCAN BAR CODE''' option with the new QR code, OR
** Manually enter the new activation string.
 
=== Disabling 2FA via Database ===
 
If you are locked out and cannot access the GUI, disable 2FA via database:
 
<syntaxhighlight lang="sql">
UPDATE users SET secret = NULL, req_2fa = 0 WHERE username = 'USER';
</syntaxhighlight>
 
== See Also ==
 
* [[User_Management]] - User management and permissions
* [[Google_Sign_in_usage]] - Google OAuth 2.0 integration
* [[Microsoft_Sign_in_usage]] - Microsoft Entra ID / Azure AD integration
 
 
== AI Summary for RAG ==
 
'''Summary:''' Two-Factor Authentication (2FA) is available from VoIPmonitor GUI version 20. Prerequisites include NTP time synchronization as TOTP codes are time-sensitive. Admin users enable/disable 2FA requirement per user via GUI > Users & Audit. Users configure their 2FA via GUI > User Settings > Change User Auth by scanning a QR code with an authenticator app (Google Authenticator, Authy, etc.). Troubleshooting covers time sync issues (install NTP, run ntpdate) and FortiToken activation problems (requires new activation code from VPN admin). If locked out, 2FA can be disabled via database by setting secret=NULL and req_2fa=0 for the user.
 
'''Keywords:''' 2FA, two-factor authentication, TOTP, Google Authenticator, Authy, FortiToken, QR code, NTP, time synchronization, GUI version 20, locked out, disable 2FA, database
 
'''Key Questions:'''
* What version of VoIPmonitor GUI supports 2FA?
* Why is time synchronization required for 2FA?
* How do admins enable or disable 2FA for users?
* How do users set up 2FA in VoIPmonitor?
* What apps can generate 2FA codes for VoIPmonitor?
* How to disable 2FA via database if locked out?
* Why doesn't time sync fix FortiToken activation issues?
 
[[Category:Authentication]]
[[Category:Configuration]]
[[Category:GUI manual]]

Latest revision as of 15:28, 19 January 2026

Two Factor Authentication (2FA)

2FA is available from VoIPmonitor GUI version 20.

Prerequisites

Ensure server time is synchronized (install NTP service) as 2FA codes are time-sensitive.

GUI Settings

  • Admin users can enable 2FA requirement for any user in GUI > Users & Audit. Enabling requires setup.
  • Admins can delete a user's 2FA secret in GUI > Users & Audit.
  • Users can set/change 2FA (with password) in GUI > User Settings > Change User Auth. Follow the setup dialog.
  • Always enable 2FA dialog (in Settings > System Configuration > Advanced): (New in 2026.1) Forces the 2FA input field to appear on the login screen for all users, regardless of their 2FA status. Useful for environments with external authentication systems that always require a 2FA code.

2FA Code Generator Setup

Use apps like:

Scan QR code to import account and generate codes.

Troubleshooting

Time Synchronization Issues (TOTP-based 2FA)

If you use TOTP-based apps (Google Authenticator, Authy, etc.) and receive "invalid code" errors, the server time may be out of sync. 2FA codes are time-sensitive.

  • Ensure NTP service is installed and running:
# Debian/Ubuntu
sudo apt-get install ntp
sudo systemctl restart ntp

# CentOS/RHEL
sudo yum install ntp
sudo systemctl restart ntp
  • Force immediate time sync:
sudo ntpdate pool.ntp.org

FortiToken Activation Issues

FortiToken uses a different mechanism than TOTP apps. If you receive an "invalid code" error during FortiToken activation:

  • Do NOT attempt to fix via time synchronization - this will not solve FortiToken activation issues.
  • Contact your VPN administrator to request a new activation code.
  • Ensure the new code is used within its validity period (typically 24 hours).
  • In the FortiTokenMobile app:
    • Use the SCAN BAR CODE option with the new QR code, OR
    • Manually enter the new activation string.

Disabling 2FA via Database

If you are locked out and cannot access the GUI, disable 2FA via database: 

UPDATE users SET secret = NULL, req_2fa = 0 WHERE username = 'USER';

See Also


AI Summary for RAG

Summary: Two-Factor Authentication (2FA) is available from VoIPmonitor GUI version 20. Prerequisites include NTP time synchronization as TOTP codes are time-sensitive. Admin users enable/disable 2FA requirement per user via GUI > Users & Audit. Users configure their 2FA via GUI > User Settings > Change User Auth by scanning a QR code with an authenticator app (Google Authenticator, Authy, etc.). Troubleshooting covers time sync issues (install NTP, run ntpdate) and FortiToken activation problems (requires new activation code from VPN admin). If locked out, 2FA can be disabled via database by setting secret=NULL and req_2fa=0 for the user.

Keywords: 2FA, two-factor authentication, TOTP, Google Authenticator, Authy, FortiToken, QR code, NTP, time synchronization, GUI version 20, locked out, disable 2FA, database

Key Questions:

  • What version of VoIPmonitor GUI supports 2FA?
  • Why is time synchronization required for 2FA?
  • How do admins enable or disable 2FA for users?
  • How do users set up 2FA in VoIPmonitor?
  • What apps can generate 2FA codes for VoIPmonitor?
  • How to disable 2FA via database if locked out?
  • Why doesn't time sync fix FortiToken activation issues?
Retrieved from "https://www.voipmonitor.org/doc/index.php?title=2FA&oldid=10780"