Configuring two-step verification for all users

This scenario describes how to enable two-step verification for all users and how to exclude user accounts from two-step verification. If you did not enable two-step verification for your account before you enable it for other users, the application opens the window for enabling two-step verification for your account, first. This scenario also describes how to enable two-step verification for your own account.

If you enabled two-step verification for your account, you may proceed to the stage of enabling of two-step verification for all users.

Prerequisites

Before you start:

Make sure that your user account has the Modify object ACLs right of the General features: User permissions functional area for modifying security settings for other users' accounts.
Make sure that the other users of Administration Server install an authenticator app on their devices.

Stages

Enabling two-step verification for all users proceeds in stages:

Installing an authenticator app on a device
You can install any application that supports the Time-based One-time Password algorithm (TOTP), such as:
- Google Authenticator
- Microsoft Authenticator
- Bitrix24 OTP
- Yandex Key
- Avanpost Authenticator
- Aladdin 2FA
To check if Open Single Management Platform supports the authenticator app that you want to use, enable two-step verification for all users or for a particular user.

One of the steps suggests that you specify the security code generated by the authenticator app. If it succeeds, then Open Single Management Platform supports the selected authenticator.

We strongly do not recommend installing the authenticator app on the same device from which the connection to Administration Server is established.
Synchronizing the authenticator app time with the time of the device on which Administration Server is installed
Ensure that the time on the device with the authenticator app and the time on the device with the Administration Server are synchronized to UTC, by using external time sources. Otherwise, failures may occur during the authentication and activation of two-step verification.
Enabling two-step verification for your account and receiving the secret key for your account
After you enable two-step verification for your account, you can enable two-step verification for all users.
Enabling two-step verification for all users
Users with two-step verification enabled must use it to log in to Administration Server.
Editing the name of a security code issuer
If you have several Administration Servers with similar names, you may have to change the security code issuer names for better recognition of different Administration Servers.
Excluding user accounts for which you do not need to enable two-step verification
If required, exclude user accounts from two-step verification to allow them to sign in to Administration Server even if they have not configured two-factor authentication. Excluding accounts from two-factor authentication may be necessary for integration accounts that cannot provide a security code during authentication. Integration accounts are used to run scripts through the OpenAPI.
Configuring two-step verification for your own account
If the users who require access to Administration Server are not excluded from two-step verification and two-step verification is not yet configured for their accounts, they need to configure it in the window that opens when they sign in to OSMP Console. Otherwise, they will not be able to access the Administration Server in accordance with their rights.
Prohibition of new users from setting up two-step verification for themselves
To further enhance access security to OSMP Console, after all users who require access to Administration Server have configured it, you can prohibit new users from setting up two-step verification for themselves.

Results

Upon completion of this scenario:

Two-step verification is enabled for your account.
Two-step verification is enabled for all user accounts of the Administration Server, except for user accounts that were excluded.