How to configure 2FA for Crowd: U2F & TOTP?
Note! U2F devices work only over a secure HTTPS connection. If you want to use U2F devices, make sure that your instance is already served over HTTPS.
Step 1. Go to the Crowd Administration tab and select the Manage apps section.
Step 2. In the left-hand menu panel, find 2FA Configuration.
2FA configuration page
Below you will find a detailed description of 2FA configuration:
TOTP settings:
Timestep is the interval in seconds after which a new PIN code is generated. By default, all Authenticators use 30 seconds. Change it only if you are using your own Authenticator with a different value.
Label will be displayed by the mobile Authenticator as an identifier for the underlying Atlassian application.
Key size is the length of the generated secret key (needed for the TOTP algorithm). By default, all Authenticators use 8. Change it only if you are using your own Authenticator with a different value.
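To show how the three TOTP settings above fit together, here is an added Python example (not the plugin's own code): the Key size sets how many random bytes go into the shared secret, the Label ends up in the otpauth provisioning URI, and the Timestep decides which HOTP counter is used, so a server and an authenticator configured with different timesteps stop agreeing on codes. The RFC 6238 reference secret is used only to check the implementation; the drift window of one step is an assumption.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
import urllib.parse
from typing import Optional

def generate_secret(key_size: int = 8) -> str:
    """Random shared secret of key_size bytes, base32-encoded for the QR code / manual entry."""
    return base64.b32encode(os.urandom(key_size)).decode().rstrip("=")

def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1, the algorithm behind most authenticator apps."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)

def totp(secret_b32: str, timestep: int = 30, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole timesteps since the Unix epoch."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now // timestep))

def verify_totp(secret_b32: str, code: str, timestep: int = 30,
                at: Optional[float] = None, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to absorb small clock drift.
    A constant-time compare avoids leaking how many digits matched."""
    now = time.time() if at is None else at
    counter = int(now // timestep)
    return any(
        hmac.compare_digest(hotp(secret_b32, c), code)
        for c in range(max(0, counter - window), counter + window + 1)
    )

def otpauth_uri(label: str, account: str, secret_b32: str, timestep: int = 30) -> str:
    """Provisioning URI encoded in the enrolment QR code; `label` is the Label setting."""
    issuer = urllib.parse.quote(label, safe="")
    return (f"otpauth://totp/{issuer}:{urllib.parse.quote(account, safe='')}"
            f"?secret={secret_b32}&issuer={issuer}&algorithm=SHA1&digits=6&period={timestep}")

# RFC 6238 reference secret, used here only to check the implementation against the RFC vectors.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()
```

The same code that is valid for a 30-second timestep at a given moment is rejected when the server expects a 60-second timestep, which is why the page tells you to change the value only when your authenticator actually uses a different one.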
WebAuthn General Settings
WebAuthn Relying Parties use Attestation Type to specify their preference regarding attestation conveyance during credential generation.
None indicates that the Relying Party is not interested in authenticator attestation, for example to avoid having to obtain user consent to relay identifying information to the Relying Party, or to save a round trip to an Attestation CA.
Indirect indicates that the Relying Party prefers an attestation conveyance yielding verifiable attestation statements, but allows the client to decide how to obtain such attestation statements. The client MAY replace the authenticator-generated attestation statements with attestation statements generated by an Anonymization CA, in order to protect the user’s privacy or to assist Relying Parties with attestation verification in a heterogeneous ecosystem.
Direct indicates that the Relying Party wants to receive the attestation statement as generated by the authenticator.
Authenticator Type makes further restrictions on the type of authenticators allowed for registration.
Platform indicates platform attachment. A platform authenticator is attached using a client device-specific transport, called platform attachment, and is usually not removable from the client device. A public key credential bound to a platform authenticator is called a platform credential.
Cross-platform indicates cross-platform attachment. A roaming authenticator is attached using cross-platform transports, called cross-platform attachment. Authenticators of this class are removable from, and can "roam" among client devices. A public key credential bound to a roaming authenticator is called a roaming credential.
WebAuthn Advanced Settings
User Verification sets the user verification requirement for the login and registration operations.
Discouraged indicates that the Relying Party does not want user verification employed during the operation (e.g., in the interest of minimizing disruption to the user interaction flow).
Preferred indicates that the Relying Party prefers user verification for the operation if possible, but will not fail the operation if the response does not have the UV flag set.
Required indicates that the Relying Party requires user verification for the operation and will fail the operation if the response does not have the UV flag set.
Register with Resident Key allows login by entering a local PIN on the device.
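The three User Verification values above are enforced on the server side by looking at the flags byte of the authenticatorData returned by the authenticator. The following added Python example (not the plugin's code) parses that fixed header and applies the Discouraged / Preferred / Required policy together with the rpIdHash and signCount checks a Relying Party performs on a login response; the hostname crowd.example.com and the sample responses are constructed for the test.

```python
import hashlib
import struct
from typing import Tuple

# Flag bits of the authenticatorData flags byte (WebAuthn Level 2, section 6.1).
FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData is shorter than 37 bytes")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": rp_id_hash, "sign_count": sign_count,
            "user_present": bool(flags & FLAG_UP), "user_verified": bool(flags & FLAG_UV),
            "attested_credential_data": bool(flags & FLAG_AT)}

def uv_policy_satisfied(parsed: dict, policy: str) -> bool:
    """Apply the User Verification setting: only 'required' fails on a missing UV flag."""
    if policy == "required":
        return parsed["user_verified"]
    if policy in ("preferred", "discouraged"):
        return True
    raise ValueError(f"unknown user verification policy: {policy!r}")

def verify_assertion_header(auth_data: bytes, rp_id: str, policy: str,
                            last_sign_count: int = 0) -> Tuple[bool, str]:
    """Relying-party checks on the authenticatorData of a login (assertion) response."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this Relying Party"
    if not parsed["user_present"]:
        return False, "UP flag not set"
    if not uv_policy_satisfied(parsed, policy):
        return False, "UV flag required by policy but not set"
    # A counter that stopped increasing can mean the credential was copied to another device.
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= last_sign_count:
        return False, "signCount did not increase (possible cloned authenticator)"
    return True, "ok"

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample header (not a real device response) for exercising the checks."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

With Preferred, a response without the UV flag still passes, so choose Required if the PIN or biometric step is the point of enabling WebAuthn.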
Permission settings
Set trusted users or groups. Trusted users can manage other users' access settings or bulk reset authentication settings.
None stands for no trusted users.
Users option allows you to specify users who will be trusted with privileges to manage other users' access options.
Groups option allows you to specify groups of users who will be trusted with privileges to manage other users' access options.
Enable Trusted Bulk Reset checkbox allows trusted users to bulk reset authentication settings.
Force settings
None makes 2FA not compulsory for access.
All makes 2FA compulsory for all users.
Groups option enforces 2FA for selected groups of users.
All except groups option allows you to choose certain groups of users who will be able to log in without the second authentication factor, while all other users are forced to use it.
Directories option enforces 2FA for access to the listed directories.
All except directories option allows you to choose certain directories that cannot be accessed without the second authentication factor, while all other directories can be accessed without it.
A special field for entering the list of “Groups to force / Groups to except / Directories to force / Directories to except” separated by commas.
IP whitelist settings
Mark the Enable IP whitelist checkbox to enable the whitelist of IP addresses that are let through without a 2FA check.
Click the Add Filter button to enter IP(s).
IP configuration: enter the desired IP address.
Enter an IP comment to recognize the IP address in the list (optional).
Applies to:
All - if the user’s IPs are retrieved from all IP headers.
LAN - if the user’s internal IPs are retrieved from headers.
Click the Add filter button to add the IP to the whitelist, or Cancel to discard changes.
You can find more information about IP whitelist settings here!
Relative URLs whitelist settings
Enter the relative URLs of other plugins; this allows you to access them without a second authentication factor.
Please note: each URL should be on a separate row.
Authentication Log settings
Mark the Enable authentication log checkbox to log all actions related to 2FA, for example adding or removing a device, or logging in to the system with an Authenticator or U2F device.
If you want to clear the logs after some particular time, select the history period.
Clear log history deletes the log history once, except for entries within the selected history period.
After the log history is cleared, all new authentication logs are kept in the application regardless of the selected log history period until you clear it again.
You can find more information about Authentication Log here!
"Remember me" settings
Enable "Remember me" feature checkbox. This option allows end-users to use the “Remember me” feature on the Login Screen and skip Second Factor Authentication.
Please note: this feature is useful if you often log out and log in to Crowd during the day, but make sure that using it complies with the security requirements of your company.
Lifetime sets the desired session expiry in hours (maximum 336 hours).
“Brute Force” settings
Enable Brute Force Protection checkbox locks a user out for a specified amount of time if that user generates the specified number of login failures.
Number of Attempts specifies the number of login failures after which the user is locked out.
Lockout Period is the amount of time during which the user stays locked out.
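The following added Python example (not the plugin's code) shows the lockout logic these two settings describe: failures are counted per user, reaching Number of Attempts starts a lockout of Lockout Period seconds, and a correct code submitted during the lockout is still rejected, otherwise the lockout would not slow down a guessing attempt at all. The threshold and period values are assumptions chosen for the test.

```python
import time
from typing import Dict, Optional

class BruteForceGuard:
    """Lock a user out for `lockout_period` seconds once they reach `attempts`
    consecutive second-factor failures. Values here are assumed, not the plugin defaults."""

    def __init__(self, attempts: int = 5, lockout_period: int = 300):
        self.attempts = attempts
        self.lockout_period = lockout_period
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return self._locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: Optional[float] = None) -> bool:
        """Register a failed attempt; returns True if the user is (now) locked out."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return True
        count = self._failures.get(user, 0) + 1
        if count >= self.attempts:
            self._locked_until[user] = now + self.lockout_period
            self._failures.pop(user, None)  # counter restarts after the lockout expires
            return True
        self._failures[user] = count
        return False

    def record_success(self, user: str, now: Optional[float] = None) -> bool:
        """A correct code clears the failure counter but never bypasses an active lockout."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return False
        self._failures.pop(user, None)
        return True
```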
Plugin settings
Reset to defaults will restore plugin settings to defaults and delete users' authentication settings.
Enable "Skim by" feature allows a free pass for users who don't have permission to log in to the Crowd application.
Enable U2F devices allows users to add U2F devices. Uncheck it if only TOTP codes are allowed.
Enable Duo Security Support is to enable support for Duo Authenticator.
Note: Enabling DUO support allows users to successfully apply a valid TOTP code from the DUO mobile app and avoid the “Authentication failed” message.
REST API restriction restricts all REST requests for users with 2FA enabled (until a successful login with a TOTP code or U2F key).
Enable Auto Submit on Login Form auto-submits the form after the TOTP code is entered (no need to click the Submit button).
Hide "Deactivate 2FA Protection" button deactivates 2FA Protection only for non-admin users.
Click the Save button to save the configuration.