GreenArrow Email Software Documentation

Two-Factor Authentication

Introduction

Each Engine User and each Studio User can have Two-Factor Authentication (2FA for short) enabled. 2FA offers an extra layer of security, requiring more than knowledge of a single password to gain access to your account.

GreenArrow supports the Time-based One-Time Password (TOTP) algorithm. This algorithm involves a shared secret known only to GreenArrow and your secured authentication app (e.g. 1Password). The shared secret is transmitted over the Internet only a single time – at the time of configuration. Subsequently, when you sign in to GreenArrow, a new one-time password is generated to verify that you are in possession of the shared secret.

Once 2FA is configured, GreenArrow will require your second form of authentication to gain access to GreenArrow’s user interface. GreenArrow never requires 2FA authentication for access to the following:

  • Message injection
  • GreenArrow Engine API
  • GreenArrow Studio API

Code re-use

Once a one-time password has been used, it cannot be used again. This means that if a user quickly signs in, signs out, and attempts to sign back in, they might “beat” the 30-second clock on which the one-time password is generated, so the authentication app is still showing the password that was already used. In this case, the user should wait for a new one-time password and retry.

Configuration in User Interface

If define_engine_users_in_config_file is not enabled, you can configure 2FA in GreenArrow’s admin user interface.

Enabling 2FA configuration

In order to add 2FA to a user, you must be signed in as that user.

  1. Navigate to the “Manage My Account” section of the “Configure” menu.
    • This is also available by clicking your email address in the menu bar.
  2. Click “Enable two-factor authentication” and follow the instructions on the form.

Removing 2FA configuration

A user can remove their own 2FA.

  1. Navigate to the “Manage My Account” section of the “Configure” menu.
    • This is also available by clicking your email address in the menu bar.
  2. Click “Remove two-factor authentication” and confirm the prompt.

If a user loses their second form of authentication or otherwise wants to remove 2FA from their account, you can accomplish this in the user interface. Any user with “Full access” to the user interface can remove 2FA from any user.

  1. Navigate to the “Users” section of the “Configure” menu.
  2. Click “View” on the user for which you want to remove 2FA configuration.
  3. Click “Remove two-factor authentication” and confirm the prompt.

Configuration in Configuration File

If define_engine_users_in_config_file is enabled, you can configure 2FA in the greenarrow.conf configuration file. This is accomplished by adding the engine_user_otp_secret directive to each user for whom you want to enable 2FA.

GreenArrow Studio

GreenArrow Studio also supports Two-Factor Authentication.


Copyright © 2012–2024 GreenArrow Email