A Multifactor administrator's personal account is required to control your resources, users and groups.
This short manual explains the account's functionality and how to manage the multifactor authentication service.
Changing the logo on the front page of your Personal account allows you to personalize your login page.
Contact details on the front page of your Personal account are shown to users who have trouble using the service. You can provide your phone number and e-mail.
Resources can be of two types: web-site and VPN.
A web-site resource works via the API and authenticates with an API Key and API Secret. A VPN resource works through a RADIUS server and requires a NAS-Identifier and Shared Secret for authentication.
You can add a resource of the required type. In the Settings section you can see its authentication data and edit the resource name or address.
In this section you can manage the administrators of your system. Administrators have the same rights as you.
When an administrator is added, they receive a link for the first login, after which they can set a password and multifactor authentication.
The edit function for an administrator allows changing the login e-mail or the name. Any administrator, except yourself, can be blocked.
All users are shown in this section.
By default, this section contains all the users that you have forwarded to two-factor authentication, but you can also add a user manually.
When adding a user, you can enter their name and their login in your system, and assign them to one or another user group. All automatically created users are included in the system group "All users".
For users without an explicit name, we take the nickname from Telegram, if this authentication method is activated for such users.
When viewing a user account, you can see the registration data, last login time, status and access settings, including the available authentication methods. The user can be blocked or deleted if you don't want them to authenticate using Multifactor.
You can send the user a link for authentication setup if, for some reason, they have not set up multifactor authentication before.
User access is configured by editing the access rules for groups.
By default, one system access group, "All users", is available to you. This group includes all new users created automatically.
When creating or editing a group you can specify:
- its name
- the access token lifetime
- the authentication methods available for this group of users (at least one method must be available)
- the resources to which this group has access
- the IP addresses or whole subnets from which access is allowed
- the days of the week on which access is allowed for this group
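The group settings listed above can be read as a set of conditions on each access request. The following Python sketch is an added example, not Multifactor's own code or data model: the `GroupRule` class, the `check_access` function, the sample values, and the assumption that every condition must hold (with token lifetime left out) are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class GroupRule:
    """Hypothetical model of a group's access settings (not the product's schema)."""
    name: str
    methods: set    # authentication methods available to the group
    resources: set  # resources the group may access
    networks: list  # allowed IP addresses or subnets, as strings
    weekdays: set   # allowed days, 0 = Monday ... 6 = Sunday

    def __post_init__(self):
        if not self.methods:
            raise ValueError("at least one authentication method is required")
        # strict=False accepts a single address as well as a subnet
        self.parsed = [ip_network(n, strict=False) for n in self.networks]


def check_access(rule, resource, method, source_ip, when):
    """Return (allowed, reason). Assumption: every condition must hold."""
    if resource not in rule.resources:
        return False, "resource not assigned to group"
    if method not in rule.methods:
        return False, "authentication method not allowed"
    addr = ip_address(source_ip)
    # An empty network list matches nothing in this sketch (deny by default)
    if not any(addr in net for net in rule.parsed):
        return False, "source IP outside allowed networks"
    if when.weekday() not in rule.weekdays:
        return False, "day of week not allowed"
    return True, "ok"


# Constructed sample group: names and addresses are illustrative only
RULE = GroupRule("Contractors", {"telegram"}, {"office-vpn"},
                 ["198.51.100.0/24", "203.0.113.7"], {0, 1, 2, 3, 4})

if __name__ == "__main__":
    monday = datetime(2024, 1, 8, 10, 0)
    saturday = datetime(2024, 1, 13, 10, 0)
    print(check_access(RULE, "office-vpn", "telegram", "198.51.100.25", monday))
    print(check_access(RULE, "office-vpn", "telegram", "192.0.2.1", monday))
    print(check_access(RULE, "office-vpn", "telegram", "203.0.113.7", saturday))
```

Returning a reason with each denial mirrors what an administrator would want to see when reviewing a rejected request.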
In this section the system administrator can see all the access requests from users.
You can use the filter to track the accesses of a specific user, of the resources you are interested in, or within a specific time period.
In the detailed information about an access request you can see the resource to which the user got access, which authentication method was used, the time of the authorization request, the record of the device from which the request was sent, the IP address and the geolocation.
The administrator can allow user access without authorization. To do that, open the details of the request with the status "Authentication is waiting". This method works only if the token lifetime has not expired and the user has not closed the authentication screen.