Version: 2.12.1

Two-Factor Authentication (2FA) [In Progress]

Introduction

Two-Factor Authentication (2FA) using Time-based One-Time Password (TOTP) enhances login security for Dell Cyberstorage Eyeglass by requiring users to verify their identity using a second authentication factor. This feature significantly reduces the risk of unauthorized access resulting from compromised credentials while maintaining a simple and user-friendly login experience.

2FA strengthens enterprise-grade security by:

  • Preventing unauthorized access from compromised credentials
  • Improving customer trust and meeting compliance requirements
  • Providing audit trails for security events
  • Supporting industry-standard authenticator applications

Security Goals

The 2FA implementation addresses critical security objectives:

  • Prevent Unauthorized Access: Protect against credential compromise by requiring a second authentication factor
  • Ensure Enterprise-Grade Security: Meet compliance and security requirements for enterprise deployments
  • Maintain a Simple User Experience: Provide intuitive login workflows
  • Enable Audit Capability: Log all 2FA events for security monitoring and compliance

Prerequisites

Supported Authenticator Applications

The 2FA implementation uses TOTP (Time-based One-Time Password) and supports the following authenticator application:

  • Google Authenticator: Industry-standard TOTP authenticator app available for iOS and Android devices

User Prerequisites

Before enabling 2FA, ensure the following prerequisites are met:

  • Active Directory Configuration: AD users should have a valid email address or UPN (User Principal Name) configured that matches their email
  • Mail Server Configuration: You must configure a mail server in Eyeglass for sending 2FA enrollment emails
  • Authenticator App: Users must install Google Authenticator on their mobile device or workstation

System Prerequisites

  • Eyeglass Version: Ensure your Eyeglass appliance is running a version that supports 2FA
  • TOTP Library: The required TOTP validation library is installed automatically during system updates
  • Encryption: 2FA secrets are stored encrypted at all times for security

User Exclusions

The following user types are automatically excluded from 2FA verification regardless of system configuration:

  • Local Users: System-level local accounts are exempt from 2FA
  • Administrator Role: Users with the Administrator role are excluded from 2FA requirements

Info: This exclusion ensures that administrative access remains available even if 2FA systems experience issues, preventing lockout scenarios.

Configuration

Enable or Disable 2FA Globally

Use the igls command-line interface to manage the global 2FA status. By default, 2FA is enabled on the system.

Check 2FA Status

To verify the current 2FA configuration:

igls auth 2fa --command status

Enable 2FA

To enable 2FA globally across the system:

igls auth 2fa --command enable

Disable 2FA

To disable 2FA globally:

igls auth 2fa --command disable

Warning: Disabling 2FA reduces security by removing the second authentication factor. Only disable 2FA if absolutely necessary for troubleshooting or during maintenance windows.

Enforce 2FA for All Logins

By default, 2FA is not enforced, allowing users to opt-in to enrollment. When enforcement is enabled, all eligible users (excluding local and administrator accounts) must complete 2FA enrollment before accessing the system.

Enable 2FA Enforcement

To require 2FA for all eligible users:

igls auth 2fa --command enforce

Disable 2FA Enforcement

To make 2FA optional:

igls auth 2fa --command no-enforce

User Enrollment

Self-Service Enrollment

Users can enroll in 2FA during the login process if they have not yet configured their authenticator app.

Enrollment Workflow

  1. Navigate to Login Page: Access the Eyeglass web interface login page
  2. Enter Credentials: Provide username and password
  3. Credential Validation: System validates credentials against Active Directory or local authentication
  4. 2FA Prompt: If 2FA is enabled and not yet enrolled, user sees enrollment option
  5. Request Enrollment: Click "2FA Enrollment" button
  6. Email Delivery: System sends enrollment email with instructions and QR code
  7. Configure Authenticator: Follow email instructions to scan QR code or enter manual setup key
  8. Complete Login: Return to login page and enter TOTP code from authenticator app

Enrollment Email

The enrollment email contains:

  • QR Code: Scan with Google Authenticator for automatic configuration
  • Manual Setup Key: Alternative text-based setup code for manual entry
  • Instructions: Step-by-step guidance for configuring the authenticator app
  • Security Information: Important security considerations and best practices

Tip: If the enrollment email fails to send, an error message will be displayed. Users should contact their administrator for assistance with enrollment.

Administrator-Assisted Enrollment

Administrators can initiate 2FA enrollment for users who experience issues with self-service enrollment.

Enroll User via Command Line

igls auth 2fa --command enroll --user <username> --mail <userEmail>

Parameters:

  • --user <username>: The username of the user to enroll (required)
  • --mail <userEmail>: The email address where enrollment instructions will be sent (required)

Enrollment Success

Upon successful enrollment:

Letter with enrollment has been sent to <userEmail>

Enrollment Failure

If the email cannot be sent, an error message will be displayed:

Failed to send enrollment email: <error details>

Delivery failures may be reported later: if a non-existent <userEmail> was used for enrollment, or the mail server has problems sending mail, the administrator receives a bounce e-mail at the account registered with the mail server. Troubleshoot the mail server configuration or contact support.

Info: Verify that the mail server is properly configured in Eyeglass before attempting administrator-assisted enrollment.

Login Workflow

2FA Disabled

When 2FA is globally disabled:

  1. User submits credentials (username and password)
  2. If credentials are valid → Access granted without 2FA prompt
  3. If credentials are invalid → Access denied with error message

2FA Enabled (Not Enforced)

When 2FA is enabled but not enforced:

  1. User submits credentials (username and password)
  2. System validates credentials:
    • Invalid credentials → Access denied with error message
    • Valid credentials → Check user type
  3. System checks if user is excluded:
    • Local user or Administrator role → Access granted without 2FA prompt
    • Active Directory user → Check enrollment status
  4. If user is not enrolled:
    • Option to enroll → User can request enrollment email
    • Skip enrollment → Access granted (when not enforced)
  5. If user is enrolled:
    • Prompt for TOTP code → User enters 6-digit code from authenticator app
    • Valid code → Access granted
    • Invalid code → Access denied with error message

2FA Enabled and Enforced

When 2FA is enabled and enforced:

  1. User submits credentials (username and password)
  2. System validates credentials:
    • Invalid credentials → Access denied with error message
    • Valid credentials → Check user type
  3. System checks if user is excluded:
    • Local user or Administrator role → Access granted without 2FA prompt
    • Active Directory user → Show 2FA pop-up window
  4. If user is not enrolled:
    • Request enrollment email → Follow enrollment workflow
    • Access denied until enrollment complete
  5. If user is enrolled:
    • Prompt for TOTP code → User enters 6-digit code from authenticator app
    • Valid code → Access granted
    • Invalid code → Access denied with error message

TOTP Code Validation

Valid TOTP Code

  • Format: 6-digit numeric code
  • Time Window: Code is valid for 30 seconds (standard TOTP interval)
  • Synchronization: System clock must be synchronized for accurate validation
  • Result: Access granted upon successful validation

Invalid TOTP Code

Reasons for invalid codes:

  • Incorrect Code: User entered wrong digits
  • Expired Code: Code is older than 30 seconds
  • Clock Skew: Time difference between authenticator device and Eyeglass system
  • Setup Error: Authenticator app not properly configured during enrollment

Warning: Multiple failed TOTP attempts may indicate a security issue. Contact your administrator if you consistently experience validation failures.

Audit Logging

All 2FA-related events are logged in a dedicated log file for security auditing and compliance purposes.

Logged Events

The following events are recorded:

  • 2FA_SETUP_COMPLETE: User successfully completed 2FA enrollment. Logged when the user has configured the authenticator and verified the first TOTP code.
  • 2FA_FAILED_SETUP: Enrollment process failed. Logged when email delivery failed or the setup process encountered errors.
  • 2FA_LOGIN_SUCCESS: Successful login with a valid TOTP code. Logged when the user authenticates using 2FA.
  • 2FA_LOGIN_FAILED: Failed login attempt with an invalid TOTP code. Logged when the user provides an incorrect or expired TOTP code.

Log File Location

2FA events are logged to:

/opt/data/superna/sca/logs/apiaudit.log

Log Entry Format

Each log entry includes:

  • Timestamp: Date and time of the event
  • Event Code: Identifier for the type of event
  • Username: User account associated with the event
  • IP Address: Source IP address of the login attempt (if applicable)
  • Result: Success or failure status
  • Additional Details: Error messages or relevant context

Example Log Entries

2025-10-15T18:06:11,702 2FA_SETUP_COMPLETE user=jdoe@domain.com result=success
2025-10-10 14:45:22,567 2FA_LOGIN_FAILED user=jsmith@domain.com result=invalid_code
2025-10-10 15:01:45,163 2FA_LOGIN_SUCCESS user=bjones@domain.com result=success
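An added example, not part of the original page or of Eyeglass itself, that parses entries in the apiaudit.log format shown above (handling both the ISO "T" and the space-separated timestamp spellings that appear in the sample) and flags users with repeated 2FA_LOGIN_FAILED events inside a short window, the kind of review the monitoring best practice calls for. The log lines beyond the three shown above are constructed, and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the two timestamp spellings seen in apiaudit.log ("T" and space separated).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})[T ](?P<time>\d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<event>2FA_[A-Z_]+) (?P<fields>.*)$"
)

# Constructed sample: the first, second and sixth lines are the page's own examples,
# the rest are made up to show a burst of failures for one user.
SAMPLE_LOG = """\
2025-10-15T18:06:11,702 2FA_SETUP_COMPLETE user=jdoe@domain.com result=success
2025-10-10 14:45:22,567 2FA_LOGIN_FAILED user=jsmith@domain.com result=invalid_code
2025-10-10 14:45:58,010 2FA_LOGIN_FAILED user=jsmith@domain.com result=invalid_code
2025-10-10 14:46:31,444 2FA_LOGIN_FAILED user=jsmith@domain.com result=invalid_code
2025-10-10 14:47:02,009 2FA_LOGIN_SUCCESS user=jsmith@domain.com result=success
2025-10-10 15:01:45,163 2FA_LOGIN_SUCCESS user=bjones@domain.com result=success
2025-10-10 15:02:10,800 2FA_LOGIN_FAILED user=bjones@domain.com result=invalid_code
""".splitlines()


def parse_line(line: str):
    """Return {'ts', 'event', 'user', 'result', ...} for a 2FA line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S,%f")
    entry = {"ts": ts, "event": m["event"]}
    for field in m["fields"].split():          # key=value pairs after the event code
        key, _, value = field.partition("=")
        entry[key] = value
    return entry


def repeated_failures(lines, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` 2FA_LOGIN_FAILED events inside any sliding window."""
    failures = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["event"] == "2FA_LOGIN_FAILED":
            failures[e.get("user", "?")].append(e["ts"])
    flagged = []
    for user, stamps in failures.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.append(user)
                break
    return flagged
```

Running `repeated_failures(SAMPLE_LOG)` on the constructed sample flags only jsmith@domain.com; bjones@domain.com's single failure stays below the threshold.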

Troubleshooting

Common Issues

Email Not Received

Symptoms: User does not receive enrollment email

Resolution:

  1. Verify mail server is configured in Eyeglass
  2. Check user's email address or UPN in Active Directory
  3. Verify email is not in spam or junk folder
  4. Contact administrator for manual enrollment assistance

TOTP Code Rejected

Symptoms: Valid code from authenticator app is rejected

Resolution:

  1. Verify system time on Eyeglass appliance and user device are synchronized
  2. Ensure the temporary login session has not expired; refresh the page and submit the username and password again
  3. Ensure user is entering current code (not expired)
  4. Try waiting for next code cycle (30 seconds)
  5. If issue persists, re-enroll using administrator-assisted enrollment

User Excluded from 2FA

Symptoms: 2FA is enabled but user is not prompted for code

Resolution:

  1. Verify user is not a local account (excluded by design)
  2. Check if user has Administrator role (excluded by design)
  3. Confirm 2FA is enabled globally using igls auth 2fa --command status

Clock Skew Issues

Symptoms: Codes consistently fail validation despite correct entry

Resolution:

  1. Verify Eyeglass appliance system time using date command
  2. Check NTP configuration for time synchronization
  3. Verify user device time is accurate
  4. Consider clock skew tolerance in TOTP validation (typically ±1 time window)

Best Practices

  • Time Synchronization: Ensure all systems use NTP for accurate time
  • User Training: Provide clear documentation and training for users on 2FA usage
  • Testing: Test 2FA in a non-production environment before enforcing in production
  • Monitoring: Regularly review 2FA audit logs for suspicious activity
  • Email Reliability: Ensure mail server has high availability for enrollment process

Security Considerations

Password Requirements

2FA is a supplement to, not a replacement for, strong password policies:

  • Maintain existing password complexity requirements
  • Enforce regular password changes
  • Do not relax password policies when 2FA is enabled

Device Security

Users should secure their authenticator devices:

  • Use device lock screens (PIN, biometric, etc.)
  • Keep authenticator app updated
  • Do not share devices with 2FA configured
  • Report lost or stolen devices immediately

Network Security

  • Ensure HTTPS is used for all Eyeglass web interface access
  • Consider implementing network-level access controls
  • Monitor for brute force attempts on login endpoints

Compliance

2FA helps meet various compliance requirements:

  • NIST 800-63B: Multi-factor authentication guidance
  • PCI DSS: Payment card industry data security standards
  • HIPAA: Healthcare information protection
  • SOX: Financial reporting security controls
  • ISO 27001: Information security management

Technical Implementation

Architecture Overview

The 2FA implementation consists of:

  1. TOTP Library: Validates time-based one-time passwords using industry-standard algorithms
  2. Authentication Module: Integrates TOTP validation into existing login flow
  3. Enrollment System: Generates QR codes and setup keys for user enrollment
  4. Email Integration: Sends enrollment instructions via configured mail server
  5. Audit System: Logs all 2FA events to dedicated log file

TOTP Algorithm

The implementation follows RFC 6238 (TOTP: Time-Based One-Time Password Algorithm):

  • Algorithm: HMAC-SHA1 (configurable to SHA256/SHA512)
  • Time Step: 30 seconds (standard interval)
  • Code Length: 6 digits
  • Window: Typically allows ±1 time step for clock skew tolerance

Secret Key Generation

Secret keys are generated using:

  1. User-specific data (username, email, unique identifier)
  2. Cryptographically secure random data
  3. Multiple encoding passes for security
  4. AES encryption for storage

Info: The secret key generation process ensures that secrets cannot be reconstructed or predicted, providing strong security for the 2FA implementation.

Migration and Adoption

Gradual Rollout Strategy

For organizations deploying 2FA for the first time:

  1. Phase 1 - Testing: Enable 2FA in non-production environment

    • Test enrollment workflow
    • Verify authenticator app compatibility
    • Validate logging and audit capabilities
  2. Phase 2 - Opt-In: Enable 2FA without enforcement in production

    • Allow users to voluntarily enroll
    • Gather feedback and address issues
    • Monitor adoption rates
  3. Phase 3 - Communication: Educate users before enforcement

    • Provide training materials and documentation
    • Offer hands-on assistance for enrollment
    • Set clear enforcement date
  4. Phase 4 - Enforcement: Enable 2FA enforcement

    • Require all eligible users to enroll
    • Monitor for enrollment issues
    • Provide helpdesk support for user questions

Communication Template

Example user communication for 2FA rollout:

Subject: Important: Two-Factor Authentication (2FA) Coming to Eyeglass

Dear Team,

To enhance the security of our Dell Cyberstorage Eyeglass environment,
we will be implementing Two-Factor Authentication (2FA) on [DATE].

What You Need to Do:

1. Install Google Authenticator on your mobile device
2. Log in to Eyeglass and complete the 2FA enrollment process
3. Keep your authenticator device secure and accessible

What to Expect:

- After entering your username and password, you'll be prompted for a 6-digit code
- This code will be generated by the Google Authenticator app on your device
- Codes refresh every 30 seconds

Need Help?

- Contact the IT helpdesk at [CONTACT INFO]
- Refer to the 2FA User Guide at [DOCUMENTATION LINK]

Thank you for helping us maintain a secure environment.

IT Security Team

Summary

Two-Factor Authentication using TOTP significantly enhances the security of Dell Cyberstorage Eyeglass by requiring a second authentication factor beyond username and password. The implementation:

  • Supports Google Authenticator for TOTP code generation
  • Provides flexible configuration via igls command-line interface
  • Offers both self-service and administrator-assisted enrollment
  • Enables comprehensive audit logging for compliance
  • Excludes local and administrator accounts to prevent lockout scenarios

By implementing 2FA, organizations can significantly reduce the risk of unauthorized access while maintaining a user-friendly authentication experience.