How to configure 2FA for Crowd: U2F & TOTP?
Note! U2F devices work only over a secure HTTPS connection. If you want to use U2F devices, make sure that your instance is already using HTTPS.
Step 1. Go to the Crowd Administration tab and select the Manage apps section.
Step 2. On the left side menu panel find 2FA Configuration.
2FA configuration page
Below you will find a detailed description of 2FA configuration:
TOTP settings:
Timestep is the interval in seconds between the generation of one PIN code and the next. By default, all Authenticators use 30 seconds. Change it only if you are using your own Authenticator with a different value.
Label will be displayed by the mobile Authenticator as an identifier for the underlying Atlassian application.
Key size is the length of the generated secret key (needed for the TOTP algorithm). By default, all Authenticators use 8. Change it only if you are using your own Authenticator with a different value.
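How Timestep, Label and Key size enter the TOTP calculation (RFC 6238), and why a server and an Authenticator with different timesteps reject each other's codes. This is an added example, not the plugin's own code; it assumes Key size is counted in bytes (the page gives no unit), HMAC-SHA1 with 6-digit codes, and a hypothetical account name "alice".

```python
import base64, hashlib, hmac, secrets, struct
from urllib.parse import quote, urlencode

def new_secret(key_size=8):
    """Random secret of key_size bytes (assumed unit), Base32 for enrolment."""
    return base64.b32encode(secrets.token_bytes(key_size)).decode().rstrip("=")

def totp(secret_b32, unix_time, timestep=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the given time and timestep."""
    pad = "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(secret_b32 + pad, casefold=True)
    # The moving factor is the number of whole timesteps since the epoch.
    counter = struct.pack(">Q", int(unix_time) // timestep)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret_b32, code, unix_time, timestep=30, window=1):
    """Accept the current step and `window` neighbouring steps (clock drift)."""
    times = (unix_time + i * timestep for i in range(-window, window + 1))
    return any(
        hmac.compare_digest(totp(secret_b32, t, timestep), code)
        for t in times if t >= 0)

def enrolment_uri(secret_b32, label, account, timestep=30):
    """Key URI an Authenticator scans; its period must match the server's."""
    params = urlencode({"secret": secret_b32, "issuer": label, "period": timestep})
    return f"otpauth://totp/{quote(label)}:{quote(account)}?{params}"

if __name__ == "__main__":
    secret = new_secret(8)   # default Key size from the page
    now = 1_700_000_000      # constructed timestamp
    app_code = totp(secret, now, timestep=30)  # what a 30-second Authenticator shows
    print(enrolment_uri(secret, "Crowd", "alice"))
    print("server at 30 s accepts:", verify(secret, app_code, now, timestep=30))
    print("server at 60 s accepts:", verify(secret, app_code, now, timestep=60))
```

If Key size is in bytes, the default of 8 gives a 64-bit secret; RFC 4226 requires a shared secret of at least 128 bits and recommends 160, so check what your Authenticator accepts before relying on the default.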
Force settings:
4. None - if you choose this option, 2FA will not be compulsory for Crowd users. If you need to make it compulsory, use one of the options below.
5. All - it’s compulsory for all users.
6. Groups - it’s compulsory only for selected groups of users.
7. All except groups - it’s compulsory for all groups of users except chosen groups.
8. Directories - it’s compulsory only for selected Directories.
9. All except directories - it’s compulsory for all user directories except chosen directories.
10. Type existing groups or directories to enable compulsory 2FA for chosen groups or directories.
IP whitelist settings
11. Mark the checkbox Enable IP whitelist to enable a whitelist of IP addresses that pass without a 2FA check.
12. IP configuration - enter the desired IP address.
13. Enter the IP comment to recognize the IP address from the list (not required).
14. Applies to:
All - if the user’s IPs are retrieved from all IP headers.
LAN - if the user’s internal IPs are retrieved from headers.
15. Click the Add filter button to add the IP to the whitelist, and Delete to delete the IP from the whitelist.
You can find more information about IP whitelist settings here!
Relative URLs whitelist settings
Enter the relative URLs of other plugins. This allows you to access them without a second authentication factor.
Please note: Each URL should be on a separate row.
Authentication Log settings
16. Mark the checkbox Enable authentication log to log all 2FA actions, for example: adding or removing a device, or logging in to the system with an Authenticator or U2F device.
17. If you want to clear the logs, select the retention period and click the Clear logs button.
18. Clear log history. Performs a one-time deletion of the log history, except for the retention period.
After the log history is cleared, all new authentication logs will be saved in the application regardless of the selected log history period until you clear it again.
You can find more information about Authentication Log here!
"Remember me" settings
19. Mark the Enable "Remember me" feature checkbox. This option allows end users to use the "Remember me" feature on the Login Screen and skip Second Factor Authentication.
Please note: This feature will be useful if during the day you often log out and log in to Crowd, but you have to make sure that using this feature complies with the security requirements in your company.
20. Set the desired session expiry in hours (max number is 336 hours).
“Brute Force” settings
21. Enable Brute Force Protection. This will lock out a user for a specified amount of time if that user generates the specified number of login failures.
22. Number of Attempts - the number of login failures after which the user will be locked out.
23. Lockout Period - a specific amount of time during which the user will be locked out.
Plugin settings
24. Reset to defaults. This action will restore plugin settings to defaults and delete users' authentication settings.
25. Mark the checkbox Enable "Skim by" feature. It gives a free pass to users who don't have permission to log in to the Crowd application.
26. Mark the checkbox Enable Plugin to enable the plugin.
27. Mark the checkbox Enable U2F devices to allow users to add U2F devices. Uncheck it if only TOTP codes are allowed.
28. Mark the checkbox Enable Duo Security Support to enable support for Duo Authenticator.
Note: Enabling DUO support allows users to successfully use a valid TOTP code from the DUO mobile app and avoid the “Authentication failed” message.
29. Click the Save button to save the configuration.