Two-Factor Authentication
Two-Factor Authentication (2FA) provides a more secure method to log into and access the ESET PROTECT Web Console. Users with 2FA enabled will be required to log into ESET PROTECT On-Prem using ESET Secure Authentication or a third-party authenticator.
• There is no limit to the number of users who can log into ESET PROTECT On-Prem via 2FA.
• HTTP Proxy settings are not applied for communication with Two-Factor Authentication (2FA).
• You can also enable 2FA for the Administrator account.
Prerequisites
• To enable 2FA for another user, the current user needs the Write permission over that user. When 2FA is enabled, a user needs to configure 2FA themselves before logging in. Users will receive a link via text message (SMS), which they can open in their phone's web browser to view instructions for configuring 2FA.
• 2FA does not work without direct network access to ESET 2FA servers. You must allow at least the specific 2FA servers in the firewall. If a proxy is set up in More > Settings > Advanced Settings > HTTP Proxy, it does not apply to 2FA.
Enable Two-Factor Authentication for a Web Console user
1. Create a new user or use an existing one.
2. Click More > Users in the ESET PROTECT Web Console.
3. Click the user and select Two-Factor Authentication > Enable and select the option you want to use:
• ESET Secure Authentication - 2FA provided by ESET using ESET Secure Authentication technology. You do not need to deploy or install ESET Secure Authentication within your environment, as ESET PROTECT On-Prem automatically connects to ESET servers to authenticate users who log into your ESET PROTECT Web Console.
• Third-party authenticator - You can use a third-party authentication client which supports the required TOTP protocol. We have tested the following applications: Google Authenticator, Microsoft Authenticator or Authy.
4. When the user logs in the next time, type the user's phone number when prompted.
5. Install the ESET Secure Authentication mobile app or a third-party authentication application on the user's mobile phone using the link from the SMS or the QR code.
6. When you install the app using the token, your ESET PROTECT On-Prem instance is added to the app.
7. Proceed to login and type the one-time password from the mobile app into the Web Console when prompted. A new one-time password is generated every 30 seconds.
8. Optionally, select the Remember this device check box to authorize your device not to request 2FA for every login.
You can forget remembered devices for the active user in User settings.
9. Click Submit.
Troubleshooting
The user will be locked after typing the one-time password incorrectly ten times. The Administrator can unlock the user in More > Users > click the user and select Unlock.
If a Web Console user cannot log into the Web Console with 2FA, follow these steps:
1. Back up the ESET PROTECT database.
2. Select the applicable option:
• The phone number set up for 2FA is accessible:
a) During the Web Console login, click Reset Token in the 2FA window.
b) A verification SMS is sent to the phone number set up for 2FA.
You cannot change the phone number stored in the ESET PROTECT database. If the phone is inaccessible, follow the steps below.
• The phone number set up for 2FA is inaccessible (the phone is lost, damaged, etc.):
a) Reset the Web Console password to disable 2FA on the Administrator account.
The 2FA state of other ESET PROTECT On-Prem user accounts remains unaffected.
b) The user can log into the Web Console without 2FA and then re-enable 2FA after logging in.
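The following added example (not ESET code) illustrates the two behaviours described above: a TOTP one-time password that changes every 30 seconds and an account lock after ten incorrect entries. HMAC-SHA1, six digits, the one-step clock drift window, the replay check and the `Verifier` class are assumptions based on RFC 6238 defaults, not details taken from ESET PROTECT On-Prem.

```python
import hashlib
import hmac
import struct

STEP = 30          # seconds per one-time password, as stated on this page
DIGITS = 6         # assumption: RFC 6238 default used by common authenticator apps
MAX_FAILURES = 10  # lock threshold stated on this page


def totp(secret: bytes, now: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing `now`."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Hypothetical server-side check: drift window, replay block, failure lock."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps  # assumption: tolerate +/- 1 step of clock skew
        self.failures = 0
        self.last_step = -1  # last accepted time step; an accepted code cannot be reused

    @property
    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def check(self, code: str, now: float) -> bool:
        if self.locked:
            return False  # stays locked until an administrator calls unlock()
        current = int(now) // STEP
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            expected = totp(self.secret, step * STEP)
            if step > self.last_step and hmac.compare_digest(expected, code):
                self.last_step = step
                self.failures = 0
                return True
        self.failures += 1
        return False

    def unlock(self) -> None:
        self.failures = 0
```

A phone whose clock is off by more than the drift window produces codes that never verify, and each such attempt counts toward the lock, so checking the time on the phone and the server is a useful first troubleshooting step.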