Setting up two-factor authentication

Two-factor authentication (2FA) is a type of multi-factor authentication that checks a user's identity by using a combination of two different factors:

  • Something that a user knows (PIN or password)
  • Something that a user has (token)
  • Something that a user is (biometrics)

Two-factor authentication provides extra protection from unauthorized access to your account.

The platform supports Time-based One-Time Password (TOTP) authentication. If TOTP authentication is enabled in the system, users must enter their traditional password and the one-time TOTP code in order to access the system. In other words, a user provides the password (the first factor) and the TOTP code (the second factor). The TOTP code is generated in the authentication application on the user's second-factor device on the basis of the current time and the secret (QR code or alphanumeric code) provided by the platform.

For partner tenants in production mode, two-factor authentication is enabled by default and cannot be disabled.

For customer tenants, two-factor authentication is optional and can be disabled.

Partner administrator accounts that are used by an integration must be converted to service accounts. Otherwise, the integrations will not be able to authenticate to Cyber Protect Cloud. For example, accounts used by an integration are the accounts for the management agent and the backup agent in the VMware Cloud Director integration. For more information about how to create a service account, see To convert a user account to a service account.

How it works

  1. You enable two-factor authentication at your organization level.
  2. All of your organization users must install an authentication application on their second-factor devices (mobile phones, laptops, desktops, or tablets). This application will be used for generating one-time TOTP codes. The recommended authenticators:

    Users must ensure that the time on the device where the authentication application is installed is set correctly and reflects the actual current time.

  3. Your organization users must log in to the system again.
  4. After entering their login and password, they will be prompted to set up two-factor authentication for their user account.
  5. They must scan the QR code by using their authentication application. If the QR code cannot be scanned, they can use the 32-digit code shown below the QR code and add it manually in the authentication application.

    It is highly recommended to save the secret (print the QR code, write down the time-based one-time password (TOTP) secret, or use an application that supports backing up codes in a cloud). You will need the time-based one-time password (TOTP) to reset two-factor authentication if the second-factor device is lost.
  6. The time-based one-time password (TOTP) code will be generated in the authentication application. It is automatically regenerated every 30 seconds.
  7. The users must enter the TOTP code in the Set up two-factor authentication window after entering their password.
  8. As a result, two-factor authentication for the users will be set up.

Now, when users log in to the system, they are asked to provide the login and password, and the one-time TOTP code generated in the authentication application. Users can mark the browser as trusted when they log in; the TOTP code will then not be requested on subsequent logins via this browser.
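The code generation described in the steps above, as an added example that is not the platform's own code: it follows RFC 6238 with HMAC-SHA-1 and 6-digit codes (assumptions; the page states only the 30-second period) and uses a constructed secret. The `verify` function and its acceptance window are a hypothetical server-side check, included to show why a device clock that is off leads to rejected codes.

```python
import base64
import hashlib
import hmac
import struct

PERIOD = 30   # seconds; the page states codes regenerate every 30 seconds
DIGITS = 6    # assumption: RFC 6238 default used by common authenticator apps

# Constructed sample secret (the RFC 6238 test key in base32), not a real one.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: float) -> str:
    """Return the TOTP code for the secret at the given Unix time."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = int(unix_time) // PERIOD            # number of 30 s steps since epoch
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, code: str, server_time: float, window: int = 1) -> bool:
    """Hypothetical server check: accept the current step or `window` steps either side."""
    for step in range(-window, window + 1):
        expected = totp(secret_b32, server_time + step * PERIOD)
        if hmac.compare_digest(expected, code):   # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    server_now = 1111111109  # fixed timestamp so the output is reproducible
    for drift in (0, 20, 300):  # device clock ahead of the server by N seconds
        code = totp(SAMPLE_SECRET, server_now + drift)
        ok = verify(SAMPLE_SECRET, code, server_now)
        print(f"drift={drift:>3}s code={code} accepted={ok}")
```
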

To restore two-factor authentication on a new device

If you have access to the previously set-up mobile authentication app:

  1. Install an authenticator app on your new device.

  2. Use the PDF file that you saved when you set up 2FA on your device. This file contains the 32-digit code that has to be entered in the authenticator app to link the authenticator app again to your Acronis account.

    If the code is correct but it is not working, make sure to sync the time in the authenticator mobile app.
  3. If you missed saving the PDF file during the setup:

      1. Click Reset 2FA and enter the one-time password shown in the previously set-up mobile authenticator app.

      2. Follow the on-screen instructions.

If you have no access to the previously set-up mobile authenticator app:

  1. Take a new mobile device.

  2. Use the stored PDF file to link a new device (default name of the file is cyberprotect-2fa-backupcode.pdf).

  3. Restore access to your account from backup. Ensure that backups are supported by your mobile app.

  4. Open the app under the same account from another mobile device if it is supported by the app.