Configuring Two Factor Authentication

Two-factor authentication (2FA) adds a second check to OpenKM logins. In addition to the usual username and password, once those credentials have been verified the user is asked for an extra six-digit code generated by a mobile application called Google Authenticator.

Compliance

The two-factor authentication implements two-step verification using HOTP/TOTP (RFC 4226 / RFC 6238), also known as one-time passwords: the server and the mobile application share a secret, and each code is derived from that secret plus a counter (HOTP) or the current time (TOTP).

It has been tested with:

It should work with other applications such as:

Prerequisite

Because two-factor authentication has been implemented using Google Authenticator, it is necessary to download and install the application from Google Play or the Apple App Store.

https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

Once installed and configured, this application does not need an Internet connection: codes are computed from the shared secret and the phone's clock. The only requirement is that the phone's time is reasonably accurate, since a clock that drifts too far from the server's will produce codes the server rejects.

OpenKM configuration

Each user can configure their own account to use 2FA. To do so, they have to go to Tools > Preferences > User Configuration.

If 2FA is enabled by the administrator, at the bottom of the User Configuration dialog you will be able to see a new option 2FA. Depending on whether 2FA is enabled you will see:

  • Disable button: if 2FA has already been configured for this user.
  • Enable button: if 2FA has not been configured yet.

If you click on the Enable button, a new window with the following parameters will appear:

  • The current user ID to be configured.
  • A QR code which you should scan using the Google Authenticator application. The QR code encodes the shared secret for your account, so treat it as confidential: do not screenshot or forward it.
  • A text box where you have to write the verification code generated by Google Authenticator (once the QR code has been scanned).

Once you have completed these steps, please click the Accept button.

Scan QR code

To scan the QR code, open Google Authenticator on your mobile and perform the following steps:

  1. Click on Configure account.
  2. Select Scan code.
  3. Focus your mobile toward the QR image on the screen.
  4. Once the image is properly scanned, the account for OpenKM is added.
  5. Now you will see a square with a number (code) which you will have to enter when required.

These generated codes are time-based: each one is valid for a 30-second time step (the TOTP default used by Google Authenticator), and the server usually tolerates a small amount of clock drift by also accepting the codes for the adjacent steps. If you pay attention to the Google Authenticator screen, you will see how the code changes periodically.
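The following is an added worked example, not OpenKM's own code, showing what happens behind the QR code and the six-digit codes described above: HOTP per RFC 4226, TOTP on top of it with a 30-second step, the otpauth URI that a QR code of this kind carries, and server-side verification with a drift window and replay protection. The secret is the constructed RFC 4226/6238 test-vector key, and the issuer/account names are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a `digits`-digit decimal string."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, now // step, digits)


def otpauth_uri(issuer: str, account: str, secret: bytes) -> str:
    """The otpauth:// URI that an enrolment QR code encodes. Anyone who reads
    this URI (or the QR image) can generate the user's codes."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}", safe=":")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits=6&period=30")


def secret_from_b32(b32: str) -> bytes:
    """Decode a base32 secret as shown in an otpauth URI (padding stripped)."""
    padded = b32.upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


def verify_totp(secret: bytes, code: str, now: int, last_accepted: int = -1,
                step: int = 30, digits: int = 6, window: int = 1) -> Optional[int]:
    """Server-side check. Returns the time step the code matched, or None.

    - The comparison is constant-time (hmac.compare_digest).
    - Steps within +/- `window` of the current one are accepted to tolerate
      clock drift between the phone and the server.
    - Any step at or below `last_accepted` is refused, so a code that was
      already used cannot be replayed within its validity window. The caller
      must persist the returned step per user and pass it back next time.
    """
    if len(code) != digits or not code.isdigit():
        return None
    current = now // step
    for drift in range(-window, window + 1):
        candidate = current + drift
        if candidate <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


# Constructed sample: the shared key from the RFC 4226 / RFC 6238 test vectors.
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(otpauth_uri("OpenKM", "okmAdmin", SAMPLE_SECRET))
    print("code at T=59:", totp(SAMPLE_SECRET, 59))
    step = verify_totp(SAMPLE_SECRET, totp(SAMPLE_SECRET, 59), 59)
    print("accepted at step", step)
    print("replay accepted:", verify_totp(SAMPLE_SECRET, totp(SAMPLE_SECRET, 59), 70, last_accepted=step))
```

The enrolment step in the OpenKM dialog (scan the QR code, then type the current code) corresponds to calling `verify_totp` once before storing the secret for the user: it proves the phone actually holds the same secret and that its clock is close enough to the server's. The `last_accepted` bookkeeping is what stops a shoulder-surfed code from being reused during the 30 seconds it remains valid.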

Google Authenticator use

Once 2FA is configured on your OpenKM account, the next time you log into OpenKM, after your login and password are verified, a new screen will appear where you will be required to enter a code obtained from the Google Authenticator application you configured previously.