Enabling user accounts for Two Factor Authentication

Enabling two-factor authentication for your ClientSpace installation redirects all your users to a login page for ClientSpace, regardless of their User Profile preference setting. If you have any questions about this or any other login function, log an Extranet case before making configuration changes.

Two-factor authentication (also known as 2FA) is a method of confirming a user's claimed identity by using a combination of two different components. ClientSpace 2FA uses the standard username and password combination as the first factor, and a generated code sent to the user at authentication time as the second factor.

For details on configuring your ClientSpace authentication settings, see Configuring your ClientSpace authentication settings.

To configure user accounts for 2FA:

  1. Ensure that each user has a valid Email configured in their User Profile in ClientSpace.

  2. For users who want to receive authentication information by text, ensure they have a valid SMS Email configured in their User Profile (see SMS Email formats).

  3. If a user does not receive the authentication code in a timely fashion, check the configuration on their User Profile. To adjust the code settings, go to System Admin > Security > Authentication Settings.
    The Authentication Settings form opens.

  4. Complete the following fields:

TFA Code Length

The number of characters in the 2FA authentication code that is generated for the user.

TFA Code Expiration Minutes

The authentication code expires after this number of minutes.

TFA Code Expiration Days

The number of days the 2FA security cookie exists in the browser before it expires automatically and the user must re-authenticate. Note: If the user chooses the option to Delete Cookies when clearing their browser cache, the system cannot match the hashed codes and interprets this as an un-authenticated browser, prompting the user through the 2FA process.

How 2FA works at login:

  1. After the system is configured, when a user logs in, the ClientSpace username and password are validated as normal. Then the system checks whether the user has a current 2FA security cookie cached in their browser.

  2. If the user does not have a valid 2FA cookie, the system:

    • Checks the user profile, and if an SMS Email is configured, attempts to send the 2FA authentication code to that address (see SMS Email formats).

    • If an SMS Email is not configured, the system sends the authentication code by email to the user's primary Email.

    • After the user receives the authentication code, they enter it into the security box, which creates a security token (system cookie) containing a hashed code, separate from the session cookie created by logging in.

    • The cookie is checked against the current 2FA cookie stored in ClientSpace, and if the hashed codes match, the user is authenticated. The cookie lives in the browser for the length of time specified under System Admin > App Settings, at which point the cookie expires, and the user is prompted for 2FA again. Note: If the user chooses the option to Delete Cookies when clearing their browser cache, the system cannot match the hashed codes and interprets this as an un-authenticated browser, prompting the user through the 2FA process.

  3. If you are logged into Outlook with the Outlook Add-In enabled, you must close and re-open Outlook to allow the Add-In access to the Two Factor Authenticated browser session. Failure to do so causes an authentication error when using the Outlook Add-In.
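The login flow above (time-limited, single-use code of a configured length, then a hashed browser token valid for a configured number of days) can be sketched as follows. This is an added illustration, not ClientSpace code; the setting values, the in-memory stores and the function names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values standing in for the Authentication Settings fields.
TFA_CODE_LENGTH = 6
TFA_CODE_EXPIRATION_MINUTES = 5
TFA_CODE_EXPIRATION_DAYS = 30

_pending_codes = {}      # user -> (sha256(code), expiry timestamp)
_trusted_browsers = {}   # sha256(cookie token) -> (user, expiry timestamp)

def _hash(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()

def issue_code(user: str, now: float = None) -> str:
    """Generate a numeric code of TFA_CODE_LENGTH digits; store only its hash."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice("0123456789") for _ in range(TFA_CODE_LENGTH))
    _pending_codes[user] = (_hash(code), now + TFA_CODE_EXPIRATION_MINUTES * 60)
    return code  # delivered via Email or SMS Email; never written to logs

def verify_code(user: str, submitted: str, now: float = None):
    """Validate the code (single use, time-limited); on success mint the 2FA cookie token."""
    now = time.time() if now is None else now
    entry = _pending_codes.get(user)
    if entry is None:
        return None
    code_hash, expires_at = entry
    if now > expires_at or not hmac.compare_digest(code_hash, _hash(submitted)):
        return None  # a real deployment should also cap failed attempts
    del _pending_codes[user]
    token = secrets.token_urlsafe(32)
    _trusted_browsers[_hash(token)] = (user, now + TFA_CODE_EXPIRATION_DAYS * 86400)
    return token  # set as the 2FA cookie, separate from the session cookie

def browser_is_trusted(user: str, cookie_token: str, now: float = None) -> bool:
    """Match the cookie's hash against the server record; any miss means 2FA runs again."""
    now = time.time() if now is None else now
    key = _hash(cookie_token or "")  # deleted cookie -> empty value -> no match
    entry = _trusted_browsers.get(key)
    if entry is None:
        return False
    owner, expires_at = entry
    if now > expires_at:
        _trusted_browsers.pop(key, None)  # TFA Code Expiration Days elapsed
        return False
    return owner == user
```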