gControl 2-Factor Authentication Settings
Google provides a 2-factor authentication mechanism in which the user gets a one-time password each time they log in. But this feature does not work with an SSO solution. If you want to use an SSO solution, you have to disable Google’s 2-step verification. Since gControl is an SSO solution, what happens to people who are looking for 2-step security? gControl addresses this concern and provides a couple of ways of achieving 2-step verification.
gControl 2-Factor Authentication features
- Block unauthorized access to the user’s corporate account.
- Enhance the security layer of the user’s corporate account.
- Admin can enforce the feature selectively for users.
- Admin can manage both smartphone and non-smartphone users.
- Provides both an SMS-based and a Google Authenticator-based solution.
Two Factor Policies
To get started with creating a policy, go to the gControl control panel and select the 2-Factor Authentication option from the quicklinks menu on the right. You will see the following screen.
Click on Add policy to start creating a policy for your users.
Fill in the policy details.
- You need to buy credits from one of the providers listed here and provide the details in the screen as shown above. We support two SMS providers, Plivo and Clickatell. Select one of them, fill in the relevant information and click on save.
- Google Authenticator: Two Factor Authentication now supports Google Authenticator. Users will have to install Google Authenticator on their smartphone. Google provides Android, BlackBerry and iOS versions of Authenticator. Several third-party implementations are also available. The admin can enforce installation of Google Authenticator on the user's mobile. The user needs to enter the unique secret key displayed at the bottom of the page into the authentication application installed on the handheld device. If the user does not have Google Authenticator on their device, they need to install it from the Google Play Store. Once Google Authenticator is installed, the user needs to enter the passkey or code generated by Google Authenticator into the box and click on “Login”. The user will be logged into their corporate account without any hassle.
- Type: You need to select whether your policy is User based or Organization Unit based. Based on the option selected, the Add Users section will allow you to add users to the policy. Please note that a policy can be either user based or OU based. Once saved, the type cannot be changed.
- Add Users: This section depends on the option selected in the previous setting (Type).
  - User Based: You can apply the policy to specific users. In this case the message is shown only to the users on whom the policy is applied.
  - Organization Unit Based: A simpler way of applying the policy to users in bulk. This will apply the policy to the Organization Units created in Google Apps.
- Save Device: This is applicable only to the Google Authenticator option. If the admin checks this option, the user gets an option to save the device (the browser is treated as a device; a change of browser means a new device).
- Expiration: The number set here is the number of days after which the user will be asked for the 2-factor code after saving the device.
- Enforce: The admin is given 3 ways of enforcing the policy. These are explained in the policy screen as shown below.
Note: Deleting a user or its policy does not delete the user's registration on Google Authenticator. You will have to explicitly delete it from the Registered Devices Management section.
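To show how the secret key and the code typed at login relate, here is an added example (not gControl's own code) of the standard RFC 6238 check that Google Authenticator codes follow, together with a saved-device expiry decision. The needs_code helper and its rule are assumptions about how Save Device and Expiration could be evaluated; the secret is a constructed sample.

```python
import base64, hashlib, hmac, struct

STEP = 30    # seconds per code, the Google Authenticator default
DIGITS = 6   # code length, the Google Authenticator default
# Constructed sample secret: base32 of the RFC 6238 test key "12345678901234567890".
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, at):
    """RFC 6238 code (HMAC-SHA1) for a base32 secret at Unix time `at`."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # tolerate stripped padding
    counter = struct.pack(">Q", int(at) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify_code(secret_b32, code, at, window=1):
    """Accept the code for the current step or `window` steps either side."""
    ok = False
    for drift in range(-window, window + 1):
        t = at + drift * STEP
        if t < 0:
            continue
        # Constant-time comparison; no early exit on a match.
        ok |= hmac.compare_digest(totp(secret_b32, t).encode(), code.encode())
    return ok

def needs_code(saved_at, expiration_days, now):
    """Hypothetical Save Device check: prompt if nothing saved or it expired."""
    if saved_at is None:
        return True
    return now - saved_at >= expiration_days * 86400

if __name__ == "__main__":
    now = 59  # constructed timestamp from the RFC 6238 test vectors
    print(totp(SAMPLE_SECRET, now), verify_code(SAMPLE_SECRET, "287082", now))
    print(needs_code(saved_at=0, expiration_days=30, now=31 * 86400))
```

The one-step window tolerates clock drift between the phone and the server; a production verifier would also record the last accepted time step per user so a code cannot be reused within its validity period.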
Registered Device Management
In the create policy screen, there is another tab to manage the registered devices. The Registered Device Management tab displays the users who have registered for Two Factor Authentication with Google Authenticator. You can un-register a user from gControl Two Factor by deleting the user's registration. Deleting a user's registration will delete the Google Authenticator registration, the IP address registration (if any) and saved devices (if any). The Import CSV button can be used to delete registrations for multiple users by uploading a CSV with the list of user email IDs you would like to delete.