* Note: this document is for admin users. If you’re an end user and want to enable two-factor authentication, please read How to enable two-factor authentication for a user.
Using Two-factor (or Two-step) Authentication in Team Password Manager will increase the security of your Team Password Manager installation because it requires users to enter an additional one-time passcode known only by them.
Google Authenticator
Team Password Manager uses Google Authenticator for two-factor authentication. Google Authenticator is a free app available for iOS, Android and other systems that generates time-based one-time passcodes which change every 30 seconds. Team Password Manager generates QR codes that Google Authenticator can scan to configure two-factor authentication for a user.
Here are the links for the Google Authenticator app for iOS and Android devices:
- Google Authenticator for iOS (iPhone, iPod touch, and iPad):
- Google Authenticator for Android devices:
Requirements
If you want the users of your Team Password Manager installation to use two-factor authentication, there are 4 requirements:
- You need to have version 2.0.1 of Team Password Manager (at least). Previous versions do not support two-factor authentication.
- The server where Team Password Manager is installed must have its internal clock synchronized, so that the one-time code generated by the Google Authenticator app falls in the same 30-second interval as your server. On Linux systems you can use ntp to keep the server clock synchronized. Please see this Wikipedia article on the subject: .
- Your users must have a Google Authenticator compatible device.
- The PHP GD Library (GD2) (See ). This is only required for generating the QR codes used to configure two-factor authentication. It's not required to run Team Password Manager, and the installer doesn't check whether it's installed. You can still configure two-factor authentication without QR codes (by typing the secret into the app by hand), but it's much easier with them.
Enabling or disabling two-factor authentication for all users
Team Password Manager comes with two-factor authentication enabled for all users by default. If you want it disabled for all the users, go to Settings, click on the “Two-factor authentication” tab and click on the button labeled “Disable Two-factor authentication”.
To re-enable it again, click on the “Enable Two-factor authentication” button on the same tab.
You'd want to disable two-factor authentication for all users when something is wrong with your server. Example: your server's clock is not synchronized, so the codes your users' devices generate are no longer valid.
Enabling two-factor authentication for a user
With your admin account you cannot enable two-factor authentication for a specific user. To enable two-factor authentication for a user, the user must sign in to Team Password Manager with their own credentials and follow the procedure outlined in this document:
You should follow this same procedure for your admin user if you want two-factor authentication enabled for it.
Disabling two-factor authentication for a user
Users with two-factor authentication enabled have a 2FA blue label in the user’s list and on their screens:
As admin, you can disable two-factor authentication for a user by clicking on the "Disable two-factor authentication" button on the user screen.
You'd want to disable two-factor authentication for a user when the user loses their Google Authenticator device or has it stolen. The user can then re-enroll from their own account once they have a new device.
Enforcing two-factor authentication on all users
Two-factor authentication can be enforced on all users by clicking the button "Enforce two-factor authentication on all users" in the Two-factor authentication tab in settings.
When two-factor authentication is enforced, users that do not have two-factor authentication enabled will be directed to the "Enable Two-Factor Authentication" screen the next time they sign in. They will not be able to do anything in Team Password Manager until they have enabled two-factor authentication for their account.
Since version 4.47.94, a user with Admin or IT role can be defined as exempt from this enforcement:
Troubleshooting
See also the troubleshooting section in this document:
1. Two-factor authentication was working, but it has suddenly stopped working. Users are getting "wrong code" errors and can't authenticate.
The most probable reason for this is that the server's clock has gone out of sync. This can have multiple causes, but the most probable is that ntp (or whatever system you're using for synchronization) no longer has access to external time servers. You should check your server's networking, its firewall, and so on.
In this case, you should temporarily disable two-factor authentication for all the users until the reason is found and corrected.
2. I'm an admin user and I can't sign in to Team Password Manager because two-factor authentication is not working.
In this case you must disable two-factor authentication for your user "manually". To do this you need access to Team Password Manager's MySQL database. Do this:
- Log in to MySQL with Team Password Manager's database credentials.
- Locate your user in the wmm_users table.
- Set the dak field for your user to NULL.
You now have two-factor authentication disabled for your user and you can sign in to Team Password Manager with just your username and password. Re-enable two-factor authentication for your user as soon as the underlying problem is fixed.
3. My server's clock is synced using ntp and so are my users' smartphones, but some users still get wrong codes.
Before version 4.47.94 Team Password Manager verified that the server and the smartphone were in the same 30-second window. In some cases this was too strict, so since that version a margin of 1 minute has been allowed. This margin has also been made configurable. See the setting. If your Team Password Manager version is lower than 4.47.94 we recommend you upgrade.
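To make concrete both what the enrolment QR code carries (the Google Authenticator section above) and what the 30-second window and the 1-minute margin in item 3 mean, here is an added example in Python that is not Team Password Manager's own code: it implements RFC 6238 TOTP as Google Authenticator computes it (HMAC-SHA1, 6 digits, 30-second period), builds the otpauth:// provisioning URI that a QR code would encode, and verifies a code with a configurable tolerance window. The issuer label, account name and the `window` parameter are assumptions for illustration; the secret "12345678901234567890" used in the demo is the RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

TIME_STEP = 30   # Google Authenticator's fixed period, in seconds
DIGITS = 6       # Google Authenticator displays 6-digit codes


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, base32-encoded without padding (the form QR codes carry)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """The otpauth:// URI an enrolment QR code encodes. Google Authenticator scans
    it and stores the secret under the label 'issuer:account'. Issuer/account
    values are assumptions for this example."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


def decode_secret(secret_b32: str) -> bytes:
    """Undo the unpadded base32 encoding used in the URI."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(key: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to DIGITS decimal digits (leading zeros kept)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the time step floor(at / 30)."""
    return hotp(decode_secret(secret_b32), at // TIME_STEP)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 0) -> bool:
    """Accept `code` if it matches the time step containing `at` or any step
    within +/- `window` steps of it. window=0 is the strict behaviour item 3
    describes (phone and server must share the same 30-second step); window=2
    tolerates up to a minute of skew either way. Every candidate is always
    compared, in constant time, so timing does not reveal which step matched."""
    key = decode_secret(secret_b32)
    base_step = at // TIME_STEP
    submitted = code.strip().encode("utf-8")
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, base_step + delta).encode("ascii"), submitted):
            matched = True
    return matched


if __name__ == "__main__":
    secret = generate_secret()
    # Assumed issuer/account; this is what a QR code for enrolment would encode.
    print(provisioning_uri(secret, "alice@example.com", "Team Password Manager"))
    now = int(time.time())
    code_from_phone = totp(secret, now + 45)   # a phone whose clock runs 45 s ahead
    print("same-step only  :", verify_totp(secret, code_from_phone, now, window=0))
    print("1-minute margin :", verify_totp(secret, code_from_phone, now, window=2))
```

The demo at the bottom shows the failure mode from item 1 and item 3 directly: a device 45 seconds ahead of the server always lands in a later 30-second step, so the strict check rejects its code while a two-step margin accepts it. The margin only hides small drift; a server whose ntp has been blocked for days will be many steps off, and the only fix is resynchronizing the clock.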
A note about password reset
Versions prior to 2.12.30 disabled two-factor authentication for a user when the user did a password reset. Beginning with version 2.12.30 this changed: when the user does a password reset, the user is first asked for the two-factor authentication code and only then can they do the password reset. Two-factor authentication is no longer disabled for the user by a password reset.