Two-Factor Authentication

The data stored in the ADAM database is very sensitive. To help protect this data, ADAM allows you to protect your account with Two-Factor Authentication (2FA). Two-factor authentication is used by many banks to ensure that your transactions are genuine: when you initiate a payment or transaction, you are asked to type in a code (a “one-time-PIN”) or approve the transaction from your phone. The code, or the approval from your phone, is known as the “second factor” in the authentication process.

An account protected with Two-Factor Authentication will not allow a login without the one-time-PIN.

ADAM’s two-factor authentication system works using a third-party Authenticator App that can be installed onto your mobile phone. This app will generate the one-time PIN. After it has been set up, the app will not require any airtime or data to use.

NB: 2FA is automatically enforced for all elevated privilege accounts. Schools can optionally require that all staff make use of 2FA.

Supported Authenticator Apps

You can use most popular authenticator apps. Popular ones include Google Authenticator (by Google LLC), Microsoft Authenticator (by Microsoft Corporation), or Twilio Authy Authenticator (previously simply “Authy”).

All of these apps are available for download from your preferred app store. Please check that the apps are the ones released by the publishers listed above. If your school makes use of Google Workspace, we recommend using the Google Authenticator. If your school makes use of Microsoft 365, we recommend using Microsoft Authenticator.

Adding Two-Factor Authentication to your account

First, download and install an authenticator app from your app store.

Visit your ADAM login screen and log in as normal.

If you are required to add 2FA to your account, you will be taken to the following screen to set up your 2FA immediately after you log in.

If you are enabling 2FA voluntarily, visit Staff → Security Administration → Manage Two-Factor Authentication.

If you have not yet set it up, ADAM will show you a QR-Code, similar to this:

Note that in the picture above, we have intentionally obscured the QR code so that you cannot scan this example! You must scan the QR code that appears on your screen!

Open the two-factor authenticator app that you installed and find and choose the option to “Add a new account”. The app will ask for the necessary permissions to access the camera and scan the code.

Once the code has been scanned, you should see a 6-digit number displayed on your phone screen with the “[School Name]’s ADAM” written near it.

Here is what this looks like in the Google Authenticator app:

The code will change every 30 seconds, but ADAM will allow some grace if you are not able to type the number in fast enough before it changes. There is normally an indicator to show how long until the code changes.

Before your account will be protected, you have to confirm to ADAM that you have captured the code correctly in your authenticator app by providing a one-time PIN to confirm. Type it in to the Confirmation Code block.

Click on the button at the bottom of the screen to confirm the PIN and add 2FA to your account.

If you entered the confirmation PIN correctly, you will see this screen:

If you entered the OTP incorrectly, ADAM will display an error message. Simply retry entering the PIN. If it fails again, you may need to re-scan the QR code.

Removing Two-Factor Authentication

Once you have added two-factor authentication, you can remove 2FA by visiting Staff → Security Administration → Manage Two-Factor Authentication. If it is enabled on your account, you will see the following:

Click on the Remove Two-Factor Authentication option at the bottom to begin the process.

You must then enter your ADAM password to confirm that you’d like to remove Two-Factor Authentication from your account:

Once removed, ADAM will show the options to re-enrol your account in the Two-Factor Authentication setup, including a new QR code. If you see the QR code, then your account is no longer protected by Two-Factor Authentication.

Note that if you make use of an elevated privilege account or if your school requires everyone to make use of 2FA, you will immediately be required to re-enroll after removing the 2FA protection.

A Note on Removing Two-Factor Authentication

Please be aware that there is no synchronisation or communication between ADAM and the Two-Factor Authentication app that is installed on your phone.

If you remove the code from your app, it does not remove Two-Factor Authentication protection from your account. If you remove the code from your app before you remove two-factor authentication from your account, you will no longer be able to log in.

Similarly, if you remove the protection from your account, it does not automatically remove the code from your app.

If you lose your phone or are unable to generate an OTP for whatever reason (perhaps your battery is flat), only your ADAM administrator can remove the 2FA protection from your account.

Be aware that if you re-enable Two-Factor Authentication protection for your account, you will have to scan a new (different!) QR code which will add a new (different!) entry into your app to generate new (different!) codes. You cannot use the codes generated by an old entry. Please make sure that you remove any old entries that are no longer applicable to avoid confusion! Most apps will offer to replace the old entries as you scan the new one.

How do I log in if I’ve lost my phone?

You will need to visit your ADAM administrator who will be able to remove two-factor authentication from your account. You will then be able to log in normally without having to provide a one-time-PIN.

Again, note that if you choose to re-enable two-factor authentication on your account, you will need to scan a new QR code which will generate different OTPs to your old scan.

If you are the ADAM administrator from your school and you lose your phone and are therefore unable to log in to ADAM, you will need to contact us for support. We will then need to perform a manual verification process to ensure that your request is genuine.

Setting up your ADAM server for Two-Factor Authentication

2FA is ready to be used by any individual staff member and no additional setup is required. However, it is possible to force all staff to use 2FA, and there are some other settings that control how often the OTP is requested.

Forced Use of 2FA

Administrators can force all staff members to make use of Two-Factor Authentication by changing a setting in the Site Settings. Within the Site Settings, navigate to the Security tab and scroll down to the Login Settings heading.

Change the setting Two-Factor Authentication Forced For Staff to “Yes” and save the Site Settings.

Changing How Frequently the OTP Is Required

The Two-Factor Authentication Method determines when users will be requested for their OTP. The default option is at every login, but this can be frustrating to users who make use of ADAM throughout the day. Other options are to remember it once per computer or once per computer per day.

If the “once per computer” option is chosen, then ADAM will ask for the OTP each time the user logs in on a new computer. Have a look at the “Remember logged-in machines for” setting: ADAM will forget about a computer after a certain number of days and will automatically ask for the OTP again when it does. Thus, users will be asked to enter their OTPs again on computers that they had previously authenticated on, but for which ADAM now requires re-authentication.

  1. Require OTP at every login: If this is set, your staff members will have to enter their OTP each time they log into ADAM. This is very secure, but can also be frustrating for your staff, especially for those that use it many times per day.
  2. Require OTP once per computer: This setting is possibly the least secure of the three methods. Whenever ADAM detects that a user is using a new computer, it will ask them for an OTP. If they are using a computer that they’ve used in the past, ADAM won’t ask them for an OTP. This is normally fine for users who have dedicated computers that they alone use. Note that ADAM may still ask for an OTP from time-to-time, but it may be as infrequently as once per month.
  3. Require OTP once per computer per day: ADAM will ask the users once each day on each device that the user logs in with for their OTP. This is the best balance between security and usability without frustrating users too much.

Note also that ADAM uses cookies stored on the computers to remember them, and if the cookies are cleared, ADAM will effectively see the computer as a new computer and ask the user for their OTP. Cookies are also specific to user sessions, browsers and more. Switching to a different web browser also counts, in ADAM’s eyes, as a new computer.

An additional setting in the Site Settings controls when staff will be asked for their OTP on login. Within the Site Settings, navigate to the Security tab and look for the Login Settings heading. Under this heading are three settings that are relevant to Two-Factor Authentication.

These settings are applied to all users on the site who make use of Two-Factor Authentication.

2FA Authentication Windows

The Two-Factor Authentication Window determines how many OTPs should be allowed on either side of the current one. Because OTPs are time-based, discrepancies between the time on the user’s cellphone and the time on the server can be a factor. In most scenarios, these two clocks should be independently set (phones by GPS, servers by network time servers (NTP)) and should be very close to one another. This might not always be possible. To increase the life-span of an OTP, increase the window. Each window represents 30 seconds. The default setting is 2 and will cause the server to check OTPs 2 windows ahead and 2 windows behind its current time to allow for time discrepancies. This can be increased to 6 (not advised) which effectively increases the lifespan of any OTP to 3 minutes.

Removing Two Factor Authentication for a staff member

If a user is enrolled for Two Factor Authentication, they can remove 2FA authentication by navigating to Staff → Security Administration → Manage Two Factor Authentication and then clicking on the Remove 2FA option next to their name in the list.

Note that if 2FA is reinstated by a user after being removed, their app will have to be updated with a new QR Code. ADAM does not allow a previous code to be used. The code should be removed from the 2FA app when 2FA is disabled from the account.

Troubleshooting 2FA and OTPs

The most common issues arise from the fact that the OTP is time-based.

If, for example, there is a delay in entering the OTP, the OTP may expire. Although the OTP changes every 30 seconds, ADAM will allow an OTP to be used for a short while after it disappears from the app. This is to help offset any potential differences in clocks between the phone and the server.

Because the OTPs are time-based, it is important that the server and the phone both have accurate time of day set. Most phones have their time set via their GPS chips and so are normally accurate within a second. Servers should be synchronised to an internet time server and be configured with the correct timezone and are similarly normally accurate within a second.
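
The Two-Factor Authentication Window setting and the clock differences described above can be seen in this added example, which is not ADAM's own code. It assumes the standard TOTP algorithm (RFC 6238 with HMAC-SHA1, 6 digits, 30-second step) that the listed authenticator apps generate; the secret, timestamps and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per OTP window, as stated on this page
DIGITS = 6   # the authenticator apps display a 6-digit code

def totp(secret: bytes, unix_time: int, offset: int = 0) -> str:
    """RFC 6238 code for the step containing unix_time, shifted by offset steps."""
    counter = unix_time // STEP + offset
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret: bytes, submitted: str, server_time: int, window: int = 2):
    """Return the matching step offset (negative: phone clock is behind the
    server), or None if no step within +/- window matches.
    Offset 0 is a valid match, so callers must test `is not None`."""
    for offset in sorted(range(-window, window + 1), key=abs):
        if hmac.compare_digest(totp(secret, server_time, offset), submitted):
            return offset
    return None

# Constructed sample values, not taken from any real enrolment.
SECRET = b"12345678901234567890"  # the RFC 6238 test secret
SERVER_NOW = 1_700_000_010        # server clock at the moment of login

def demo():
    """Codes from phones whose clocks lag the server, checked with window 2 and 6."""
    results = {}
    for label, lag in [("in sync", 0), ("45 s slow", 45), ("100 s slow", 100)]:
        code = totp(SECRET, SERVER_NOW - lag)  # what the phone displays
        results[label] = (verify(SECRET, code, SERVER_NOW, window=2),
                          verify(SECRET, code, SERVER_NOW, window=6))
    return results

if __name__ == "__main__":
    for label, (w2, w6) in demo().items():
        print(f"{label:>10}: window=2 -> {w2}, window=6 -> {w6}")
```

A non-zero offset on an accepted login is a useful troubleshooting signal: it shows how many 30-second steps the phone and server clocks differ by, and a rejected code that would pass with a larger window points to clock synchronisation rather than a wrong scan.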