Two-Factor Authentication

Two-Factor Authentication (2FA) provides a more secure method to log into and access ESET PROTECT Web Console. Users with 2FA enabled will be required to log into ESET PROTECT using ESET Secure Authentication or a third-party authenticator.

There is no limit to the number of users who can log into ESET PROTECT via 2FA.

HTTP Proxy settings are not applied for communication with Secure Authentication servers (2FA).

You can also enable 2FA for the Administrator account.

Prerequisites

To enable 2FA for another user, the current user needs the Write permission over that user. When 2FA is enabled, a user needs to configure 2FA themselves before logging in. Users will receive a link via text message (SMS), which they can open in their phone's web browser to view instructions for configuring 2FA.

2FA does not work without direct network access to ESET 2FA servers. At a minimum, the firewall must allow connections to the specific 2FA servers. A proxy configured in More > Settings > Advanced Settings > HTTP Proxy does not apply to 2FA traffic.


Important: You cannot use a user with 2FA for server-assisted installations.

Enable Two-Factor Authentication for a Web Console user

1. Create a new user or use an existing one.

2. Click More > Users in the ESET PROTECT Web Console.

3. Click the user, select Two-Factor Authentication > Enable, and select the option you want to use:

ESET Secure Authentication - 2FA provided by ESET using ESET Secure Authentication technology. You do not need to deploy or install ESET Secure Authentication within your environment, as ESET PROTECT automatically connects to ESET servers to authenticate users who log into your ESET PROTECT Web Console.

Third-party authenticator - In ESET PROTECT 9.1 and later, you can use a third-party authentication client which supports the required TOTP protocol. We have tested the following applications: Google Authenticator, Microsoft Authenticator and Authy.

4. When the user logs in the next time, type the user's phone number when prompted.

5. Install the ESET Secure Authentication mobile app or a third-party authentication application on the user's mobile phone using the link from the SMS or the QR code.

6. When you install the app using the token, your ESET PROTECT instance is added to the app.

7. Proceed to login and type the one-time password from the mobile app into the Web Console when prompted. A new one-time password is generated every 30 seconds.
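The following added example (not ESET code and not part of the original documentation) shows how a TOTP one-time password of the kind typed in step 7 is derived per RFC 6238, and why a code from a phone whose clock has drifted past the 30-second step is rejected. The SHA-1 digest, the digit counts, the acceptance window and the RFC test secret are assumptions; only the 30-second period comes from this page.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code; the only parameter taken from this page

# Constructed sample input: the published RFC 6238 test secret, not an ESET value.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed 30 s steps."""
    return hotp(key, int(now) // STEP, digits)


def verify(key: bytes, submitted: str, now: int, window: int = 1, digits: int = 6) -> bool:
    """Check a code against the verifier's clock, tolerating +/- `window` steps.

    The window size is an assumption for illustration; a larger window
    tolerates more clock drift but keeps each code valid for longer.
    """
    current = int(now) // STEP
    ok = False
    for counter in range(max(0, current - window), current + window + 1):
        # compare_digest avoids leaking how many leading digits matched
        ok |= hmac.compare_digest(hotp(key, counter, digits), submitted)
    return ok


if __name__ == "__main__":
    # Two timestamps 2 s apart that straddle a step boundary give different codes.
    print(totp(RFC_TEST_KEY, 1111111109, 8), totp(RFC_TEST_KEY, 1111111111, 8))
    # The older code is accepted with a one-step window, rejected with none.
    print(verify(RFC_TEST_KEY, "07081804", 1111111111, window=1, digits=8))
    print(verify(RFC_TEST_KEY, "07081804", 1111111111, window=0, digits=8))
```

If users report that valid-looking codes are rejected, check that the phone's clock is synchronized before resetting the token.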

Troubleshooting

The user will be locked after typing the one-time password incorrectly ten times. The Administrator can unlock the user in More > Users: click the user and select Unlock.

If a Web Console user cannot log into the Web Console with 2FA, follow these steps:

1. Back up the ESET PROTECT database.

2. Select the applicable option:

The phone number set up for 2FA is accessible:

a) During the Web Console login, click Reset Token in the 2FA pop-up window.

b) A verification SMS is sent to the phone number set up for 2FA.


Warning: You cannot change the phone number stored in the ESET PROTECT database. If the phone is inaccessible, follow the steps below.

The phone number set up for 2FA is inaccessible (the phone is lost, damaged, etc.):

a) Reset the Web Console password to disable 2FA on the Administrator account.

Note: The 2FA state of other ESET PROTECT user accounts remains unaffected.

b) The user can log into the Web Console without 2FA and then re-enable 2FA after logging in.