Two-factor Authentication Set Up

12d Synergy optionally allows the users to login via two-factor authentication that is set up by the 12d Synergy Administrator. The 12d Synergy Administrator can choose to provide the second level of authentication via email or a secondary device to all users or specific users. 

Two-factor authentication provides additional protection for your server by performing a two-level verification while accessing the application. The two levels of verification are as follows:

1. A correct username and password.
2. A one-time password (OTP) that is provided by either an email or by registering a secondary device with a Third-Party Authenticator application such as Microsoft Authenticator or Google Authenticator.

If your username and password are compromised, your data is still secure as the external party does not have access to the OTP.

Your 12d Synergy Administrator can apply the two-factor authentication feature either to all users globally or handle it on a per-user basis. 

1.1. How to Enable Two-Factor Authentication for All Users

1. In the 12d Synergy Administration application, select the Users tab > Two Factor Authentication tab.
   
   
   
2. Do one of the following: 
   • Select the Per User option to enable the 12d Synergy Administrator to set a user-specific two-factor authentication system.
   • Select the Email For All Users option to enable all users to receive the authentication code via email.
   • Select the Mobile Device For All Users option to enable all users to receive the OTP via an Authenticator application installed on their mobile device.
   • Select the Disabled option to disable the two-factor authentication system for all users
3. Select the number of days you want the system to remember the authentication from the Days to remember authentication list. After the selected number of days is over, you will have to perform the two-factor authentication again to access the system.
4. If there is a difference between the time on the system on which the Client is running and the time on the secondary mobile device, then allow for an extended time frame for keying in the OTP by choosing the time blocks in the Number of blocks for verification list.
   
   
   • Third party authenticators use time to generate one-time passwords. This means the mobile device time and the server time must be closely aligned or the user may not be able to sign in. This can be adjusted by changing the verification time blocks
   • Each time block is a frame of 30 seconds. Calculate the time blocks needed based on the time difference between the time on the system on which the Client is running and the time on the secondary mobile device. The user can key in the code within the time frame chosen, which is the number of blocks times 30 seconds.
   • The more time blocks you allow, the greater the security hole as it allows a lag between OTP generation and usage. A very large time window may allow anyone to copy the OTP if they gain access to a user’s device and log in at a later date. 
   • By default, the Number of Blocks for Verification list is set to 10. It is a good practice to set the Number of Blocks for Verification to a maximum of 20 which is 10 minutes.
   • You should sync your server and secondary devices with the same Time Server, such as the Microsoft Time Server. This way the time on both the devices will be the same and you can allow lesser blocks of time for verification. Thus, making the system more secure.

1.2. How to Enforce Two-factor Authentication for Specific Users

1. In the 12d Synergy Administration application, select the Users tab > Find tab.
2. Perform a search for the required user by entering the necessary parameters and click the Find button.
   The Edit Users window is displayed with the user(s).
   
   
   
3. Select the required user(s) and click the Edit button.
   The Edit a User window is displayed.
4. Click the Two Factor Authentication tab.
   
   
   This tab is disabled if you are an SSO user.

   
   
5. Do one of the following:
   • Select the Disabled option to permit the user(s) to log in without the two-factor authentication.
   • Select the Email option to enable the user(s) to log in with two-factor authentication by receiving the OTP via email.
   • Select the Mobile Device option to enable the user(s) to log in with two-factor authentication by receiving the OTP via a secondary device.
6. Click the Save button.
   The two-factor authentication settings are saved for the user(s).

1.3. How to Change the Registered Secondary Device

1. In the 12d Synergy Administration application, select the Users tab > Find tab.
2. Perform a search for the required user by entering the necessary parameters and click the Find button.
   The Edit Users window is displayed with the user(s).
3. Select the user for whom the secondary device needs to be changed and click the Edit button.
   The Edit a User window is displayed.
4. Click the Forget Registered Device button.
   The selected user’s registered device for two-factor authentication is disabled and the user is logged out of the 12d Synergy Client application. You can then register a new secondary device for two-factor user authentication.
   
   • In case a user needs to forcefully log off the 12d Synergy Client application, then the 12d Synergy Administrator can click the Force Log Out button in the Edit a User window for the specific user.
   • Whenever a change is made to any of the two-factor authentication settings, you will be prompted to enter an OTP. The OTP is sent to you either on your secondary device or on your email, based on your two-factor authentication settings.