Two-Factor Authentication

The data stored in the ADAM database is very valuable. As such, you may wish to protect your account with two-factor authentication. Two-factor authentication is the same idea that many banks use to ensure that your transactions are genuine: when you initiate a payment or transaction, you are asked to get a code or approve the transaction from your phone. In this case, your phone is acting as your “second factor” in the authentication process.

This means that without your phone, someone cannot get into your bank account - or, once set up, your ADAM account.

ADAM’s two-factor authentication system works using an Authenticator App that can be installed on a mobile phone. This app generates time-based one time PINs which do not require airtime or data to operate once set up.

The Authenticator App

We recommend either “Authy” or “Google Authenticator”. These apps are available on both Android and iOS app stores. There are others that function equally well and, should you have a compatible time-based one-time PIN (TOTP) generator, you are welcome to use that.

Adding Two-Factor Authentication to your account

Once the app is installed on your phone, log into ADAM and visit Staff → Security Administration → Manage Two-Factor Authentication. If you have not yet set it up, ADAM will show you a QR-Code, similar to this:

Note that in the diagram above, we have intentionally obscured the QR code so that you cannot scan it! You must scan the QR code that appears on your screen!

Open the two-factor authenticator app that you installed and find and choose the option to “Add a new account”. The app will ask for the necessary permissions to access the camera and scan the code.

Once the code has been scanned, you should see a 6-digit number displayed on your phone screen with “[School Name]’s ADAM” written near it. Here is what this looks like in the Google Authenticator app:

On the right, the “pie” indicates how long this code will remain valid for before a new one is generated. The code will change every 30 seconds, but will be valid for approximately 60 seconds.

Before your account will be protected, you have to confirm to ADAM that you have captured the code correctly in your authenticator app by providing a one-time PIN to confirm:

Click on the button at the bottom of the screen to confirm the PIN.

If you entered the confirmation PIN correctly, you will see this screen:

If you entered the OTP incorrectly, ADAM will display an error message:

Simply retry entering the PIN. If it fails again, you may need to re-scan the QR code.

Removing Two-Factor Authentication

Once you have added two-factor authentication, visit Staff → Security Administration → Manage Two-Factor Authentication. If it is enabled on your account, you will see the following:

Click on the Remove Two-Factor Authentication option at the bottom to begin the process.

You must then enter your ADAM password to confirm that you’d like to remove Two-Factor Authentication from your account:

Once removed, ADAM will show the options to re-enrol your account in the Two-Factor Authentication setup. If you see this, then your account is no longer protected by Two-Factor Authentication.

A Note on Removing Two-Factor Authentication

Please be aware that there is no synchronisation or communication between ADAM and the Two-Factor Authentication app that is installed on your phone. If you remove the code from your app, it does not remove Two-Factor Authentication protection from your account. If you remove the code from your app before you remove two-factor authentication from your account, you will no longer be able to log in. See what happens if you lose your phone below!

Similarly, if you remove the protection from your account, it does not automatically remove the code from your app.

Be aware that if you re-enable Two-Factor Authentication protection for your account, you will have to scan a new (different!) QR code which will add a new (different!) entry into your app to generate new (different!) codes. You cannot use the codes generated by an old entry. Please make sure that you remove any old entries that are no longer applicable to avoid confusion!

How do I log in if I’ve lost my phone?

You will need to visit your ADAM administrator who will be able to remove two-factor authentication from your account. You will then be able to log in normally without having to provide a Two-Factor Authentication OTP.

Again, note that if you choose to re-enable two-factor authentication on your account, you will need to scan a new QR code, which will generate different OTPs from your old scan.

Setting up your server for Two-Factor Authentication

In order to allow staff members to make use of Two-Factor Authentication, staff require the privilege to Manage Two-Factor Authentication. In the privileges section, this can be found under the Staff Admin tab, under the heading Login.

An additional setting in the Site Settings controls when staff will be asked for their OTP on login. Within the Site Settings, navigate to the Security tab and look for the Login Settings heading. Under this heading are three settings that are of relevance to Two-Factor Authentication.

These settings are applied to all users on the site who make use of Two-Factor Authentication.

The Two-Factor Authentication Window determines how many OTPs should be allowed on either side of the current window. Because OTPs are time-based, discrepancies between the user’s cellphone time and the server time can be a factor. In most scenarios, these two clocks should be independently set (phones by GPS, servers by network time servers (NTP)) and should be very close to one another. This might not always be possible. To increase the life-span of an OTP, increase the window. Each window represents 30 seconds. The default setting is 2 and will cause the server to check OTPs 2 windows ahead and 2 windows behind its current time to allow for time discrepancies. This can be increased to 6 (not advised), which effectively increases the lifespan of any OTP to 3 minutes.
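The window check described above, as an added illustration that is not ADAM’s own code: a standard RFC 6238 TOTP verifier that tries the OTP at the server’s current 30-second step and at up to “window” steps either side, simulated with a phone clock that is ahead of or behind the server clock. The secret is the RFC 6238 reference key (constructed for the demo), and the assumption that ADAM uses standard 30-second SHA1 TOTP steps is noted in the code.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumption: standard TOTP step; ADAM calls each 30-second step a "window"

# Constructed demo secret: the RFC 6238 reference key, not a real ADAM enrolment secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: the OTP an authenticator app shows at the given clock time."""
    return hotp(secret, unix_time // STEP_SECONDS)


def verify_totp(secret: bytes, candidate: str, server_time: int, window: int = 2):
    """Check a submitted OTP against the server clock, allowing `window` steps either side.

    Returns the step offset at which the code matched (0 = current step) or None.
    Nearest offsets are tried first; each comparison is constant-time.
    """
    current_step = server_time // STEP_SECONDS
    for offset in sorted(range(-window, window + 1), key=abs):
        if hmac.compare_digest(hotp(secret, current_step + offset), candidate):
            return offset
    return None


def phone_skew_accepted(skew_seconds: int, window: int, server_time: int = 1111111109):
    """Simulate a phone whose clock is `skew_seconds` off the server clock and
    return the matching offset, or None if the server would reject the OTP."""
    code_on_phone = totp(DEMO_SECRET, server_time + skew_seconds)
    return verify_totp(DEMO_SECRET, code_on_phone, server_time, window)


if __name__ == "__main__":
    print(totp(DEMO_SECRET, 59))               # 287082 (RFC 6238 test vector)
    print(phone_skew_accepted(-40, window=2))  # -1: one step behind, accepted
    print(phone_skew_accepted(70, window=2))   # None: three steps ahead, rejected
    print(phone_skew_accepted(70, window=6))   # 3: accepted only with the larger window
```

A phone that is 70 seconds fast lands three steps ahead of the server, so the default window of 2 rejects its code while a window of 6 accepts it; every extra step also widens the set of codes an attacker could replay, which is why the larger setting is not advised.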

The Two-Factor Authentication Method determines when users will be asked for their OTP. The default option is at every login, but this can be frustrating to users who make use of ADAM throughout the day. Other options are to remember it once per computer or once per computer per day.

If the “once per computer” option is chosen, then ADAM will ask for the OTP each time the user logs in on a new computer. Have a look at the “Remember logged-in machines for” setting. This means that ADAM will forget about a computer after a certain number of days and will automatically ask for the OTP again when it does. Thus, users will be asked to enter their OTPs again on computers that they had previously authenticated from, but for which ADAM now requires re-authentication.

Note also that ADAM uses cookies stored on the computers to remember them, and if the cookies are cleared, ADAM will effectively see the computer as a new computer and ask the user for their OTP. Cookies are also specific to user sessions, browsers and more. Switching to a different web browser also counts, in ADAM’s eyes, as a new computer.