Enabling two-factor authentication

As of release 1.52, two-factor authentication is available as an option in Domino. More information about this feature is available in its knowledge base article. This feature must be enabled by Domino Administrators.

To enable two-factor authentication

Two-factor authentication can be enabled for an entire deployment or a specific user via the ShortLived.TwoFactorAuthEnabled feature flag. 

Deployment Global flag - Setting the value of the above feature flag to true globally means users will be able to opt in to locking down their account with two-factor authentication. Users would still be able to have accounts and log into them without an additional method of authentication. Users can be excluded from access to this feature by setting the user-scoped feature flag (see below) to false.

User-Scoped Overrides flag - Values for user-level feature flags override the Deployment Global setting for that user. Using the user-scoped override flag, opt-in access to two-factor authentication can be granted or revoked on a per-user basis.

See the feature flag help article for more information on managing feature flags.


To enforce two-factor authentication

If you would like to not only enable but also enforce two-factor authentication for your Domino users' accounts, this can be done by setting a configuration option. This option is available in Domino version 1.54 and higher.

In Advanced > Central Config on the Admin page, add a central configuration of com.cerebro.domino.twoFactorAuthentication.isRequired and set its value to true.

When this configuration option is set to true, users are required to set up two-factor authentication before using the CLI or web UI. Users would not be able to access their Domino accounts without an additional method of authentication.

The ShortLived.TwoFactorAuthEnabled feature flag (described above) must be set to true in order for this configuration option to take effect. If two-factor authentication is only feature-flagged on at the user level, and the central config option to require two-factor authentication is set to true, that user will be required to set up a second factor of authentication for that account.

Note: For the time being, new users are immediately logged out after registration and must set up a second factor of authentication before logging in.

See the central configuration options help article for more information on managing these options.
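
The interaction between the global flag, user-scoped overrides and the isRequired option, modelled as an added example (not Domino's own code and not a Domino API) that lists users who would still be able to log in with a single factor. The user names and dictionary layout are constructed, and treating a user whose override is false as exempt from enforcement is an assumption drawn from the statement that the flag must be true for the option to take effect.

```python
from typing import Dict, List, Optional

# Names taken from the page; this script only models them and does not talk to Domino.
FEATURE_FLAG = "ShortLived.TwoFactorAuthEnabled"
REQUIRED_OPTION = "com.cerebro.domino.twoFactorAuthentication.isRequired"


def effective_flag(global_flag: bool, user_override: Optional[bool]) -> bool:
    """A user-scoped value, when set, overrides the Deployment Global value."""
    return global_flag if user_override is None else user_override


def two_factor_state(global_flag: bool, user_override: Optional[bool],
                     is_required: bool) -> str:
    """Return 'unavailable', 'opt-in' or 'required' for one user."""
    if not effective_flag(global_flag, user_override):
        # Assumption: isRequired has no effect where the flag resolves to false.
        return "unavailable"
    return "required" if is_required else "opt-in"


def enforcement_gaps(global_flag: bool, is_required: bool,
                     overrides: Dict[str, Optional[bool]]) -> List[str]:
    """Users who can still log in with one factor although isRequired is true."""
    if not is_required:
        return []  # nothing is being enforced, so there is no gap to report
    return sorted(user for user, override in overrides.items()
                  if two_factor_state(global_flag, override, True) != "required")


# Constructed sample: None means no user-scoped override is set for that user.
SAMPLE_OVERRIDES = {"alice": None, "bob": False, "carol": True}

if __name__ == "__main__":
    for global_flag in (True, False):
        gaps = enforcement_gaps(global_flag, True, SAMPLE_OVERRIDES)
        print(f"{FEATURE_FLAG}={global_flag}, {REQUIRED_OPTION}=True -> gaps: {gaps}")
```

Running the same check against an export of your real flag values before setting isRequired to true shows which accounts would be left outside enforcement.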

