As of release 1.52, two-factor authentication is available as an option in Domino. More information about this feature is available in its knowledge base article. This feature must be enabled by Domino Administrators.
To enable two-factor authentication
Two-factor authentication can be enabled for an entire deployment or a specific user via the ShortLived.TwoFactorAuthEnabled feature flag.
Deployment Global flag - Setting the value of the above feature flag to true globally means users will be able to opt in to locking down their account with two-factor authentication. Users would still be able to have accounts and log into them without an additional method of authentication. Users can be excluded from accessing this feature by setting the user-scoped feature flag (see below) to
User-Scoped Overrides flag - Values for user-level feature flags override the Deployment Global setting for that user. Using the user-scoped override flag, opt-in access to two-factor authentication can be granted or revoked on a per-user basis.
See the feature flag help article for more information on managing feature flags.
To enforce two-factor authentication
If you would like to not only enable but also enforce two-factor authentication for your Domino users' accounts, this can be done by setting a configuration option. This option is available in Domino version 1.54 and higher.
In Advanced > Central Config on the Admin page, add a central configuration of com.cerebro.domino.twoFactorAuthentication.isRequired and set its value to true.
When this configuration option is set to true, users are required to set up two-factor authentication before using the CLI or web UI. Users would not be able to access their Domino accounts without an additional method of authentication.
The ShortLived.TwoFactorAuthEnabled feature flag (described above) must be set to true in order for this configuration option to take effect. If two-factor authentication is only feature-flagged on at the user level, and the central config option to require two-factor authentication is set to true, that user will be required to set up a second factor of authentication for that account.
Note: For the time being, new users are immediately logged out after registration and must set up a second factor of authentication before logging in.
See the central configuration options help article for more information on managing these options.
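The precedence rules above, modelled as an added example (not Domino's own code): the function names, the override dictionary and the enrolled set are assumptions, and the user data is constructed. It assumes, following the rules on this page, that a user whose effective feature flag is not true is unaffected by isRequired, so the audit reports such users as password-only accounts.

```python
# Added example: models the flag/config precedence described on this page.
# Not Domino code; data layout and function names are assumptions.
from typing import Dict, List, Optional, Set, Tuple


def effective_flag(global_flag: bool, user_override: Optional[bool]) -> bool:
    """A user-scoped value, when set, overrides the Deployment Global value."""
    return global_flag if user_override is None else user_override


def two_factor_mode(global_flag: bool, user_override: Optional[bool],
                    is_required: bool) -> str:
    """Return 'required', 'opt-in' or 'unavailable' for one user."""
    if not effective_flag(global_flag, user_override):
        # isRequired only takes effect when the feature flag is true.
        return "unavailable"
    return "required" if is_required else "opt-in"


def audit(global_flag: bool, is_required: bool,
          overrides: Dict[str, Optional[bool]],
          enrolled: Set[str]) -> List[Tuple[str, str]]:
    """List users who can still log in without a second factor."""
    findings = []
    for user in sorted(overrides):
        mode = two_factor_mode(global_flag, overrides[user], is_required)
        if mode == "unavailable":
            findings.append((user, "feature flag off for user; isRequired not applied"))
        elif mode == "opt-in" and user not in enrolled:
            findings.append((user, "opt-in available but no second factor set up"))
    return findings


# Constructed sample: None means no user-scoped override is set.
OVERRIDES = {"alice": None, "bob": False, "carol": True, "dave": None}
ENROLLED = {"alice"}

if __name__ == "__main__":
    # Global flag true and isRequired true: only the user-scoped
    # false override (bob) escapes enforcement.
    for user, reason in audit(True, True, OVERRIDES, ENROLLED):
        print(f"{user}: {reason}")
```

Running the audit after any change to user-scoped overrides shows which accounts the isRequired setting no longer covers.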
Disable two-factor auth for an individual user
If a single user needs to reset their two-factor authentication or disable it completely, follow these steps.
- Navigate to 'Username > Admin' in the navigation bar, followed by 'Users' which will then appear.
- Just after the organizations section, locate the user you wish to disable 2FA for. Select 'edit', which is located to the right of the username.
- Disable Two-Factor Authentication at the bottom of the page. When it is re-enabled, the user will be prompted to set up two-factor authentication from scratch.