trackSpace 2-Factor Authentication

What is 2-Factor Authentication?

2-Factor Authentication (2FA) describes an authentication process (login procedure) in which the user needs to have two things (factors) to successfully log in to an application:

  1. Knowledge

  2. Device

"Knowledge" in this context refers to the usual login credentials, the username and the password.

"Device" refers to an additional device that the user needs to complete the login. An example of the latter would be a mobile phone to which an SMS is sent with a PIN that then needs to be entered in the application to complete the login.

Why are you introducing 2FA?

Information security and data privacy have become more and more important over the last years. News about data breaches and security vulnerabilities is increasing, and application providers are reacting by hardening their platforms.

So are we. Your data and information are valuable to you and to us, and we are adding this additional level of security to protect them better.

When will 2FA be activated?

We will activate 2FA for trackSpace and docSpace on 2020-10-29 at about 09:00 CET.

What does this mean for me as a user?

Once we activate the 2FA for the trackSpace Suite (trackSpace and docSpace) and inTrack suite (inTrack and inDoc), your login will require the second factor if you log in to:

  1. trackSpace or docSpace from outside the LH backbone (thus via Internet)

  2. inTrack or inDoc


trackSpace, docSpace, inTrack and inDoc are four different applications from a security point of view, thus, each one requires a second factor when authenticating. You only need to enter each one once for a session.

You will need:

  • a mobile device (or computer) with Internet connection

  • an authenticator app installed on the device like the Google Authenticator or the Microsoft Authenticator

What app do I need on my device?

Any TOTP-compliant software can be used to create a PIN based on your personal secret key. Which one is suitable in your environment depends on your work device management. Please contact your administrator to learn which software you can use.

Here are the most common products:


Application              Apple iPhone/iPad  Apple Watch  Google Android  Windows Phone  Windows PC/Laptop  Blackberry
Authy                    ✓                  ✓            ✓               -              ✓                  -
Duo Mobile               ✓                  -            ✓               ✓              -                  ✓
Free OTP                 ✓                  -            ✓               -              -                  -
Google Authenticator     ✓                  -            ✓               -              -                  ✓
Toopher                  ✓                  -            ✓               -              -                  -
Microsoft Authenticator  ✓                  -            ✓               ✓              -                  -
Symantec VIP Access      ✓                  -            ✓               -              -                  -
WinAuth                  -                  -            -               -              ✓                  -
1Password                ✓                  -            ✓               ✓              ✓                  -

Authenticator Applications

How does it work?

1. Log in to trackSpace or docSpace from the Internet (not from the office or via VPN) or inTrack or inDoc (while in the LH backbone):

[Image: Login Dialog]

2. Read the Secure Login Welcome screen

[Image: Secure Login Welcome Dialog]

The dialog shows you how to use your device to scan the QR code in the next step.

Click NEXT

WinAuth

If you are using WinAuth as your authenticator app, see the Onboarding with WinAuth page. Otherwise, continue here.

3. Scan the QR code with your device

The next dialog shows the QR code. Start your authenticator app and scan it (alternatively, use your camera to scan the QR code and then open it with your authenticator app).

[Image: Secure Login QR Code]

4. Wait for the PIN code in your authenticator app

After the scan, the authenticator app will create an entry for the 2FA application. It will show the application name (in this example "trackSpace"), a 6-digit code and your company e-mail address.

The authenticator app will generate a new PIN every 30 seconds or so and refresh the display accordingly (I was lucky enough to catch just that PIN change when I took the screenshot of the Microsoft Authenticator).

[Image: Google Authenticator App]

[Image: Microsoft Authenticator App Changing PIN]

5. Enter the PIN in the Secure Login dialog

Enter the newest PIN code of your authenticator app in the Secure Login dialog and click CHECK PIN

[Image: Secure Login Dialog]

Voilà! You're in.

Do I have to do the scanning all the time?

No, fortunately not. You only need to scan the QR code once, when you register your authenticator app. This is called the "On-Boarding" for the Secure Login.

Once you have registered your app, the next time you log in you will just be asked for your PIN. Open your authenticator app and use the PIN that is displayed there for the appropriate application.

Do I have to log in with a PIN all the time?

For trackSpace and docSpace, only if you log in from the Internet (= outside of the LH backbone); for inTrack and inDoc, every time.

How do I switch to a different authenticator app?

You can change your authenticator app from the profile menu. Select the "Secure Login Profile" from there.

[Image: Secure Login Profile Menu]

The following dialog will show your current Secure Token (QR code) that is connected to your current authenticator app.

[Image: Secure Login Profile Dialog]

If you want to use a different authenticator app, click on REVOKE TOKEN.

You will then have to go through steps 1 to 5 again, using your new authenticator app in step 3.

What if I lose my device or delete my key entry by mistake?

In that case your secret key in trackSpace, docSpace, inTrack and/or inDoc needs to be revoked by the admins so you can do the onboarding again.

To do so, contact the ACC administration at trackspace@lhsystems.com

How you can prepare for such a case to recover your secret key:

Every user has his/her own 2FA user profile. You can access it from the profile menu in trackSpace, docSpace, inTrack or inDoc. There you can either remove/revoke your key before resetting the phone, to request a new onboarding, or have a look at the currently valid Secret Key. You can save this secret key as a "backup" somewhere. Should you accidentally reset your phone and thus lock yourself out, you can restore the key by entering the secret key from your backup in your authenticator app. This way you can log back into the system.