trackSpace 2-Factor Authentication
What is a 2-Factor Authentication ?
A 2-Factor Authentication (2FA) describes an authentication process (login procedure) in which the user needs to have two things (factors) to successfully log in to an application:
Knowledge
Device
"Knowledge" in this context refers to the usual login credentials, the username and the password.
"Device" refers to an additional device that the user needs to complete the login. An example for the latter would be a mobile phone to which an SMS is sent with a PIN number that then needs to be entered in the application to complete the login.
Why are you introducing 2FA ?
Information security and data privacy have become more and more important over the last years. Reports of data breaches and security vulnerabilities are increasing, and application providers are reacting by hardening their platforms.
So are we. Your data and information are valuable to you and to us, and we are adding this additional level of security to protect them better.
When will 2FA be activated ?
We will activate 2FA for trackSpace and docSpace on 2020-10-29 at about 09:00 CET.
What does this mean for me as a user ?
Once we activate the 2FA for the trackSpace Suite (trackSpace and docSpace) and inTrack suite (inTrack and inDoc), your login will require the second factor if you log in to:
trackSpace or docSpace from outside the LH backbone (that is, via the Internet)
inTrack or inDoc
trackSpace, docSpace, inTrack and inDoc are four different applications from a security point of view, thus, each one requires a second factor when authenticating. You only need to enter each one once for a session.
You will need:
a mobile device (or computer) with Internet connection
an authenticator app installed on the device like the Google Authenticator or the Microsoft Authenticator
What app do I need on my device ?
Any TOTP compliant software can be used to create a PIN based on your personal secret key. Which one is suitable in your environment depends on your work device management. Please contact your administrator to learn which software you can use.
Here are the most common products:
Duo Mobile
Free OTP
Google Authenticator
Toopher
Microsoft Authenticator
Symantec VIP Access
Platforms compared: Apple iPhone/iPad, Apple Watch, Google Android, Windows Phone, Windows PC/Laptop, Blackberry
How does it work ?
Log in to trackSpace or docSpace from the Internet (not from the office or via VPN) or to inTrack or inDoc (while in the LH backbone):
1. Read the Secure Login Welcome screen
The dialog shows you how to use your device to scan the QR code in the next step.
2. Click NEXT
WinAuth
If you are using WinAuth as your authenticator app, see the Onboarding with WinAuth page. Otherwise, continue here.
3. Scan the QR code with your device
The next dialog shows the QR code. Start your authenticator app and scan it (alternatively, use your camera to scan the QR code and then open it with your authenticator app).
4. Wait for the PIN code in your authenticator app
After the scan, the authenticator app will create an entry for the 2FA application. It will show the application name (in this example "trackSpace"), a 6-digit code and your company e-mail address.
The authenticator app will generate a new PIN every 30 seconds or so and refresh the display accordingly (I was lucky enough to catch just that PIN change when I took the screenshot of the Microsoft Authenticator).
5. Enter the PIN in the Secure Login dialog
Enter the newest PIN code of your authenticator app in the Secure Login dialog and click CHECK PIN.
Voilà! You're in.
Do I have to do the scanning all the time ?
No, fortunately not. You only need to scan the QR code once, when you register your authenticator app. This is called the "On-Boarding" for the Secure Login.
Once you have registered your app, the next time you log in you will just be asked for your PIN. Open your authenticator app and use the PIN that is displayed there for the appropriate application.
Do I have to log in with a PIN all the time ?
For trackSpace and docSpace, only if you log in from the Internet (= outside of the LH backbone). For inTrack and inDoc, every time.
How do I switch to a different authenticator app ?
You can change your authenticator app from the profile menu. Select the "Secure Login Profile" from there.
The following dialog will show your current Secure Token (QR code) that is connected to your current authenticator app.
If you want to use a different authenticator app, click on REVOKE TOKEN.
You will then have to go through steps 1 to 5 again, using your new authenticator app in step 3.
What if I lose my device or delete my key entry by mistake ?
In that case your secret key in trackSpace, docSpace, inTrack and/or inDoc needs to be revoked by the admins so you can do the onboarding again.
To do so, contact the ACC administration at trackspace@lhsystems.com
How to prepare for such a case so that you can recover your secret key:
Every user has his/her own 2FA user profile. You can access it from the profile menu in trackSpace, docSpace, inTrack or inDoc. There you can remove/revoke your key before resetting the phone, in order to request a new onboarding, and you can also look at the currently valid Secret Key. You can save this secret key as a "backup" somewhere. Should you accidentally reset your phone and thus lock yourself out, you can restore the key by entering the secret key from your backup in your authenticator app. This way you can log back into the system.
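Both the PIN shown in steps 3 to 5 and the backup recovery described above follow from how TOTP (RFC 6238) works: the code is computed from the secret key and the current time, nothing else. The Python sketch below is an added example and not trackSpace code; the otpauth:// QR payload format, the sample URI, the Base32 secret (the RFC 6238 test key) and the one-step tolerance in verify() are assumptions.

```python
import base64, hashlib, hmac, struct, time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample: the kind of Key URI a QR code typically encodes (assumed format).
# The secret is the RFC 6238 test key, not a real trackSpace secret.
SAMPLE_URI = ("otpauth://totp/trackSpace:user%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=trackSpace")

def parse_otpauth(uri):
    """Return label, issuer and Base32 secret from an otpauth://totp/ URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    q = parse_qs(u.query)
    if "secret" not in q:
        raise ValueError("key URI carries no secret")
    return {"label": unquote(u.path.lstrip("/")),
            "issuer": q.get("issuer", [""])[0],
            "secret": q["secret"][0]}

def totp(secret_b32, at=None, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1): the PIN depends only on secret and time."""
    s = secret_b32.replace(" ", "").upper()           # tolerate typed-in backups
    key = base64.b32decode(s + "=" * (-len(s) % 8))   # restore stripped padding
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret_b32, pin, at=None, window=1, step=30):
    """Server-side check; accepting +/- `window` steps for clock drift is an assumption."""
    now = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret_b32, now + i * step, step), pin)
               for i in range(-window, window + 1))

if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print(entry["label"], "current PIN:", totp(entry["secret"]))
    # A backup of the same secret typed into another app yields the same PIN.
    print(totp(entry["secret"], at=59),
          totp("gezd gnbv gy3t qojq gezd gnbv gy3t qojq", at=59))
```

Because the secret key alone is enough to compute valid PINs, a saved backup of it deserves the same protection as a password.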