The Web Manager uses a time-based one-time password (TOTP) to secure a user’s login.
TOTP uses the current time as a source of uniqueness and a secret key to generate a one-time password as described in RFC 6238.
There are numerous applications to generate a TOTP:
Google Authenticator (Android, iOS)
FreeOTP (Android, iOS)
Authy (Android, iOS, Desktop)
authenticator.cc (Chrome, Firefox, Edge)
TOTP Authenticator (Chrome, Android, iOS)
The secret key can be transferred to the TOTP generator app by hand or by scanning a QR code.
Underlying Concept
To establish TOTP authentication, the authenticatee and authenticator must pre-establish the following parameters:
A cryptographic hash method
A secret key, which is an arbitrary byte string, and must remain private
A value length
T0, the Unix time from which to start counting time steps (default is 0)
TX, an interval which will be used to calculate the value of the HTOP counter (default is 30 seconds)
These parameters are used to generate a time-based version of HOTP (HMAC-based one-time password) with a time component in place of the HTOP counter.
Both the authenticator and the authenticatee compute the TOTP value, then the authenticator checks whether the TOTP value supplied by the authenticatee matches the locally generated TOTP value. Authenticators usually allow values that should have been generated before or after the current time in order to account for slight clock skews, network latency and user delays.
Enabling two factor authentication
Two factor authentication can be enforced for all users (except super administrators) via the Web Manager configuration:
When two factor authentication is enforced, a user is prompted to setup TFA upon next login.
A user can opt-in to TFA at any time using the user config of the Web Manager.
As soon as the verification code is confirmed, TFA is enabled and required for any succeeding login attempts.