Configuring 2 Step Authentication
Situation | You want to help protect your organizations from unauthorized access by requiring users to enter an additional code when logging in. |
---|---|
Solution | See below for information on: |
What is 2 Step Authentication?
2 step authentication can be used to help protect your organization from unauthorized access by requiring two methods (authentication factors) to verify users' identity when logging into Proofpoint Essentials. 2 step authentication helps protect against phishing, social engineering and password brute-force attacks and secures your logins from attackers exploiting weak or stolen credentials.
What Happens When You Turn On 2 Step Authentication?
Authentication Method: SMS
Once 2 step authentication has been enabled for your organization, whenever a user attempts to log in, they will be prompted to enter both their password and a passcode sent to their mobile number.
When a user has successfully logged in, they will not be prompted to enter another passcode for 12 hours. However, if a user clears their browser cookies, they will be prompted to enter a new passcode upon their next login.
Important: To ensure users can receive a passcode via the SMS authentication method, all in-scope users must have a valid mobile number assigned to their account. In the absence of a valid mobile number, users will be unable to log in if two step authentication is enabled.
How do I Enable 2 Step Authentication?
Enable Two Step Authentication
- Navigate to Administration > Account Management > Authentication
- Click Manage 2 Step Authentication
- Click the toggle to enable 2 Step Authentication
- Choose the users that you want to include in 2 step authentication scope:
  - All users - All users within the organization will need to enter a passcode upon logging in.
  - Admin Only - Only Admin users within the organization will need to enter a passcode upon logging in.
- Click Save
- Click Confirm on the Update summary.
For Reseller Admins
Resellers can force this upon a customer through the steps above. However, no validation checks are applied to confirm that an admin has a phone number on their account. Please ensure that users have a phone number applied, or updated going forward, per the FAQ section.
For Organization Admins
When turning on 2FA, the system validates if you have a mobile phone number on your account first. If one does not exist, you cannot complete the set-up. See the FAQ section on the phone number fields.
If no number exists, a red box error will appear stating: Unable to turn on 2 Step Authentication. Please enter a valid mobile number on your user profile before enabling this feature.
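A pre-enablement audit for the lockout case described above, as an added example that is not Proofpoint's own code: it scans a user export for in-scope accounts with no usable mobile number. The CSV column names (`email`, `role`, `mobile_number`), the sample rows and the phone-format rule are assumptions, since the page does not specify them.

```python
import csv
import io
import re

# Assumption: a usable number is in international form, 8-15 digits after
# stripping spaces, dashes, dots and parentheses, with an optional leading "+".
# The page does not define the service's own validation rule.
_PHONE_RE = re.compile(r"^\+?[1-9]\d{7,14}$")
_SEPARATORS = re.compile(r"[\s\-().]")


def is_plausible_mobile(raw):
    """Return True if raw looks like a number an SMS passcode could reach."""
    return bool(_PHONE_RE.match(_SEPARATORS.sub("", raw or "")))


def users_at_risk(csv_text, scope="all"):
    """List in-scope users who would be locked out for lack of a mobile number.

    scope is "all" (All users) or "admin" (Admin Only), mirroring the two
    scope options in the 2 Step Authentication settings.
    Column names (email, role, mobile_number) are hypothetical.
    """
    if scope not in ("all", "admin"):
        raise ValueError("scope must be 'all' or 'admin'")
    at_risk = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        is_admin = (row.get("role") or "").strip().lower() == "admin"
        if scope == "admin" and not is_admin:
            continue  # out of scope: never prompted for a passcode
        if not is_plausible_mobile(row.get("mobile_number")):
            at_risk.append(row["email"].strip())
    return at_risk


# Constructed sample export, not real data.
SAMPLE_EXPORT = """email,role,mobile_number
alice@example.com,admin,+1 (555) 010-0199
bob@example.com,admin,
carol@example.com,user,+44 7700 900123
dave@example.com,user,n/a
erin@example.com,user,555-0100
"""

if __name__ == "__main__":
    for scope in ("admin", "all"):
        print(scope, users_at_risk(SAMPLE_EXPORT, scope))
```

Run it against the same scope you intend to select, and fix or sync the listed accounts' Mobile Number field before clicking Confirm.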
How do I Disable 2 Step Authentication?
Disable Two Step Authentication
- Navigate to Administration > Account Management > Authentication
- Click Manage 2 Step Authentication
- Click the toggle to disable 2 Step Authentication
- Click Save
- Click Confirm on the Update summary.
FAQ
How will I know if two step authentication is enabled or disabled?
Navigate to Administration > Account Management > Authentication and check the status of the setting in the 2 step authentication section - Enabled (Green) or Disabled (Grey).
Will I receive any notifications if two step authentication settings have changed?
Yes, upon changing the status or scope of 2 step authentication, an email will be sent to the organization tech contact informing them of the change.
How can I update a user's phone numbers to use the SMS authentication factor?
Locate the user then navigate to Profile Page > Mobile Number.
If you use a sync service, the phone number needs to be in your sync service. Otherwise, the sync will wipe out any manual additions to the phone number field.
Will a user's mobile number sync over Active Directory or Azure Directory sync?
Yes, we sync both Active Directory and Azure Directory mobile number fields.
It will only sync the number from the Mobile Number field, not the other phone numbers field.
Will CSV Import support the ability to add a mobile number?
Yes, we've extended CSV Import to include a new mobile number field.
Do all my users need a valid phone number to log in if 2 step authentication is enabled?
Yes, please ensure all in-scope user accounts (including your own) have a valid mobile number. Users without a valid mobile number will not receive a one-time passcode and will be unable to log in.
If I have an account on multiple sites, will I be prompted to enter a passcode for each account?
To ensure a greater security posture across all sites, if you have multiple accounts, you will be required to enter a passcode when logging in, per account, per site. Upon a successful login, you will not be prompted to enter another passcode for 12 hours.
Can I reset my password when 2 step authentication is turned on?
Yes, users can use the existing reset password functionality to reset their password over email. If 2 step authentication is enabled with SMS as the authentication method, users will not have the option to reset their password via SMS.
Will two step authentication work with my SSO provider?
2 step authentication configured in Essentials is only applicable to local accounts. However, you can use your identity provider's 2 step authentication process to log in to Essentials.