Two Factor Authentication (2FA)
Note: This feature is currently only available upon request for customers on our Essential and Comprehensive plans. Please contact your Airship Account Manager to enable this setting on your account.
The purpose of this document is to do the following:
- Describe what 2FA is
- Provide recommendations on the rollout
- Provide best practice advice on how to use/enforce 2FA
- Describe the various levels of 2FA entitlements available & items needed to enable it
- Explain common problems and solutions when using 2FA
What is 2FA?
2FA, or Two Factor Authentication, is an enhanced user authentication method that you can enable on your Airship account.
Wikipedia defines 2FA as "a method of confirming a user's claimed identity by utilizing a combination of two different components. Two-factor authentication is a type of multi-factor authentication."
We recommend enabling 2FA to increase the security of your login account.
Rollout requirements
A successful rollout of 2FA requires some initial setup on your end. You will need to distribute an authenticator app such as Google Authenticator, LastPass Authenticator or 1Password to the users who will use 2FA. These apps display the current 6-digit login code that your users will enter each time they log in.
- Authenticator app such as Google Authenticator, LastPass Authenticator, or 1Password
- Identify your 2FA Admin / Pilot team:
  - Your Admin / Pilot team will be the first users from your organization to trial the 2FA process.
  - Admin / Pilot team members are responsible for educating others on the 2FA workflow and on how and where to store recovery codes according to your organization's security policies.
  - Admin / Pilot team members must be comfortable troubleshooting login issues.
  - Admin / Pilot team members will be your organization's first contact for login issues, which can often be self-solved using the recovery codes that your users should be storing in case they are locked out.
  - Your Admin / Pilot team will also be the only team members authorized to submit 2FA account reset requests to firstname.lastname@example.org.
  - Requests made by anyone else will be denied and redirected to Admin / Pilot team members.
  - Each member will need to provide their email address and phone number(s).
- Once your Admin / Pilot team is successfully enrolled and using 2FA, AND has completed a successful account recovery, you are ready for an organization-wide rollout.
When you have met the rollout requirements and are ready to turn on 2FA for your Admin / Pilot team, please email email@example.com with the names of the accounts on which you would like 2FA enabled.
Once Airship has enabled 2FA on your account, you will see a new Two Factor menu item under your Account settings. It is then up to each user to enable 2FA and set up their login with it.
Please see the following documentation pages on setting up 2FA on your account: Two-Factor Authentication
Best practices on how to use/enforce 2FA
Prior to enabling 2FA, the 2FA Admin team must educate your 2FA users on the following:
- What 2FA is
- The apps that are required for 2FA (Google Authenticator, LastPass Authenticator, etc.)
- Where to store recovery codes:
  - Provide several recommendations on how to store them (e.g. in the user's password manager, Google Drive, Dropbox, etc.)
  - Stress that codes must be stored somewhere that can be accessed from multiple devices
  - Provide example scenarios that require access to recovery codes (e.g. new phone, laptop stolen, etc.)
Levels of 2FA entitlements
Airship offers two tiers of 2FA, described below. Organizations that want 2FA required for their entire company begin at the Individual level and can move to the Company level after a predetermined implementation timeline.
Individual level 2FA
This reveals the Two-Factor option under a user's account, where they can turn 2FA on.
Users must turn this on themselves; Airship cannot enforce enrollment at this level.
This is a required first step if a company plans to require 2FA usage for everyone.
Company level 2FA
This option immediately forces all users to set up 2FA. Should an employee become locked out without their recovery codes, they will contact a member of the 2FA Admin team, who is authorized to make reset requests. Requests for 2FA resets are then sent to Airship's support team. Note that the employee will remain locked out until the request has been processed.
It is imperative that all employees are educated on the importance of storing recovery codes somewhere accessible from multiple devices before 2FA is enabled company-wide. Otherwise your team runs the risk of being overwhelmed with reset requests. The most common issues seen are:
- Recovery codes are not recorded.
- Recovery codes are stored on a single device that is upgraded or destroyed unexpectedly.
- The phone's internal clock is not synced properly, so every code that is entered appears to be invalid.