Kaspersky Security Center 14 Windows
[Topic 211796]

About two-step verification

When two-step verification is enabled for an account, a single-use security code is required, in addition to the user name and password, to log in to Administration Console or Kaspersky Security Center Web Console. With domain authentication enabled, the user only needs to enter the single-use security code.

To use two-step verification, install an authenticator app that generates single-use security codes on the mobile device or computer. You can use any application that supports the Time-based One-time Password algorithm (TOTP), such as:

  • Google Authenticator
  • Microsoft Authenticator
  • Bitrix24 OTP
  • Yandex Key

We highly recommend that you save the secret key or QR code, and keep it in a safe place. This will help you to restore access to Kaspersky Security Center Web Console in case you lose access to the mobile device.

To secure the usage of Kaspersky Security Center, you can enable two-step verification for your own account and enable two-step verification for all users.

You can exclude accounts from two-step verification. This can be necessary for service accounts that cannot receive a security code for authentication.

Rules and Limitations

To be able to activate two-step verification for all users and deactivate two-step verification for particular users:

  • Ensure your account has the Modify object ACLs right in the General features: User permissions functional area.
  • Enable two-step verification for your account.

To be able to deactivate two-step verification for all users:

  • Ensure your account has the Modify object ACLs right in the General features: User permissions functional area.
  • Log in to Kaspersky Security Center Web Console by using two-step verification.

If two-step verification is enabled for a user account on Kaspersky Security Center Administration Server version 13 or later, the user will not be able to log in to the Kaspersky Security Center Web Console versions 12, 12.1 or 12.2.

Reissuing the secret key

Any user can reissue the secret key used for two-step verification. When a user logs in to the Administration Server with the reissued secret key, the new secret key is saved for the user account. If the user enters the new secret key incorrectly, the new secret key is not saved, and the current secret key remains valid.

A security code has an identifier referred to as issuer name. The security code issuer name is used as an identifier of the Administration Server in the authenticator app. The security code issuer name has a default value that is the same as the name of the Administration Server. You can change the name of the security code issuer name. If you change the security code issuer name, you must issue a new secret key and pass it to the authenticator app.

See also:

Excluding accounts from two-step verification

Page top
[Topic 211797]

Scenario: configuring two-step verification for all users

This scenario describes how to enable two-step verification for all users and how to exclude user accounts from two-step verification. If you did not enable two-step verification for your account before you enable it for other users, the application opens the window for enabling two-step verification for your account, first. This scenario also describes how to enable two-step verification for your own account.

If you enabled two-step verification for your account, you may proceed to the stage of enabling of two-step verification for all users.

Prerequisites

Before you start:

  • Make sure that your user account has the Modify object ACLs right of the General features: User permissions functional area for modifying security settings for other users' accounts.
  • Make sure that the other users of Administration Server install an authenticator app on their devices.

Stages

Enabling two-step verification for all users proceeds in stages:

  1. Installing an authenticator app on a device

    You can install any application that supports the Time-based One-time Password algorithm (TOTP), such as:

    • Google Authenticator
    • Microsoft Authenticator
    • Bitrix24 OTP
    • Yandex Key

    We strongly do not recommend installing the authenticator app on the same device from which the connection to Administration Server is established.

  2. Synchronizing the authenticator app time with the time of the device on which Administration Server is installed

    Ensure that the time set in the authenticator app is synchronized with the time of Administration Server.

  3. Enabling two-step verification for your account and receiving the secret key for your account

    How-to instructions:

    After you enable two-step verification for your account, you can enable two-step verification for all users.

  4. Enabling two-step verification for all users

    Users with two-step verification enabled must use it to log in to Administration Server.

    How-to instructions:

  5. Editing the name of a security code issuer

    If you have several Administration Servers with similar names, you may have to change the security code issuer names for better recognition of different Administration Servers.

    How-to instructions:

  6. Excluding user accounts for which you do not need to enable two-step verification

    If required, you can exclude users from two-step verification. Users with excluded accounts do not have to use two-step verification to log in to Administration Server.

    How-to instructions:

Results

Upon completion of this scenario:

  • Two-step verification is enabled for your account.
  • Two-step verification is enabled for all user accounts of the Administration Server, except for user accounts that were excluded.

See also:

About two-step verification

Enabling two-step verification for your own account

Enabling two-step verification for all users

Excluding accounts from two-step verification

Page top
[Topic 211948]

Enabling two-step verification for your own account

Before you enable two-step verification for your account, ensure that an authenticator app is installed on the mobile device. Ensure that the time set in the authenticator app is synchronized with the time of Administration Server.

To enable two-step verification for your account:

  1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder, and then select Properties.
  2. In the Administration Server properties window, go to the Sections pane and select Advanced, and then Two-step verification.
  3. In the Two-step verification section, click the Set up button.

    If two-step verification is already enabled for your account, clicking the Set up button resets the secret key so you can re-configure two-step verification.

    In the two-step verification properties window that opens, the secret key is displayed.

  4. Enter the secret key in the authenticator app to receive one-time security code. You can specify the secret key into the authenticator app manually or scan the QR code by the authenticator app on the mobile device.
  5. Specify the security code generated by the authenticator app, and then click the OK button to exit the two-step verification properties window.
  6. Click the Apply button.
  7. Click the OK button.

Two-step verification is enabled for your own account.

See also:

Scenario: configuring two-step verification for all users

Page top
[Topic 211803]

Enabling two-step verification for all users

You can enable two-step verification for all users of Administration Server if your account has the Modify object ACLs right in the General features: User permissions functional area and if you are authenticated by using two-step verification.

To enable two-step verification for all users:

  1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder, and then select Properties.
  2. In the Administration Server properties window, in the Sections pane, select Advanced, and then Two-step verification.
  3. Click the Set as required button to enable two-step verification for all users.
  4. If you did not enable two-step verification for your account, the application opens the window for enabling two-step verification for your own account.
    1. Enter the secret key in the authenticator app to receive one-time security code. You can specify the secret key into the authenticator app manually or scan the QR code by the authenticator app on the mobile device to receive one-time security code.
    2. Specify the security code generated by the authenticator app, and then click the OK button to exit the two-step verification properties window.
  5. In the Two-step verification section, click the Apply button, and then click the OK button.

Two-step verification is enabled for all users. From now on, all users of Administration Server, including the users that were added after enabling this option, have to configure two-step verification for their accounts, except for the users whose accounts are excluded from two-step verification.

See also:

Scenario: configuring two-step verification for all users

Enabling two-step verification for your own account

Excluding accounts from two-step verification

Page top
[Topic 211813]

Disabling two-step verification for a user account

To disable two-step verification for your own account:

  1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder, and then select Properties.
  2. In the Administration Server properties window, in the Sections pane, select Advanced, and then Two-step verification.
  3. In the Two-step verification section, click the Disable button.
  4. Click the Apply button.
  5. Click the OK button.

Two-step verification is disabled for your account.

You can disable two-step verification of other users' accounts. This provides protection in case, for example, a user loses or breaks a mobile device.

You can disable two-step verification of another user's account only if you have the Modify object ACLs right in the General features: User permissions functional area and if you are authenticated by using two-step verification. Following the steps below, you can disable two-step verification for your own account as well.

To disable two-step verification for any user account:

  1. In the console tree, open the User accounts folder.

    The User accounts folder is a subfolder of the Advanced folder by default.

  2. In the workspace, double-click the user account for which you want to disable two-step verification.

    For all user accounts for which two-step verification is enabled, the 2FA required column is set to Yes.

  3. In the Properties: <user name> window that opens, select the Two-step verification section.
  4. In the Two-step verification section, select the following options:
    • If you want to disable two-step verification for a user account, click the Disable button.
    • If you want to exclude this user account from two-step verification, select the User can pass authentication by using user name and password only option.
  5. Click the Apply button.
  6. Click the OK button.

Two-step verification for a user account is disabled.

If you want to restore access for a user that cannot log in to Administration Console by using two-step verification, disable two-step verification for this user account and select the User can pass authentication by using user name and password only option in the Two-step verification as described above. After that, log in to Administration Console under the user account for which you disabled two-step verification, and then enable verification again.

See also:

Scenario: configuring two-step verification for all users

Page top
[Topic 211804]

Disabling required two-step verification for all users

You can disable required two-step verification for all users of the Administration Server if you have Modify object ACLs right in the General features: User permissions functional area and if you are authenticated by using two-step verification.

To disable two-step verification for all users:

  1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder, and then select Properties.
  2. In the Administration Server properties window, in the Sections pane, select Advanced, and then Two-step verification.
  3. Click the Set as optional button to disable two-step verification for all the users.
  4. Click the Apply button in the Two-step verification section.
  5. Click the OK button in the Two-step verification section.

Two-step verification is disabled for all users. Disabling two-step verification for all users does not applied to specific accounts for which two-step verification was previously enabled separately.

See also:

Scenario: configuring two-step verification for all users

Page top
[Topic 211907]

Excluding accounts from two-step verification

You can exclude an account from two-step verification if your account has the Modify object ACLs right in the General features: User permissions functional area.

If a user account is excluded from two-step verification, that user can log in to Administration Console or Kaspersky Security Center Web Console without using two-step verification.

Excluding accounts from two-step verification can be necessary for service accounts that cannot pass the security code during authentication.

To exclude a user account from two-step verification:

  1. If you want to exclude an Active Directory account, perform Active Directory polling to refresh the list of Administration Server users.
  2. In the console tree, open the User accounts folder.

    The User accounts folder is a subfolder of the Advanced folder by default.

  3. In the workspace, double-click the user account that you want to exclude from two-step verification
  4. In the Properties: <user name> window that opens, select the Two-step verification section.
  5. In the opened section, select the User can pass authentication by using user name and password only option.
  6. In the Two-step verification section, click the Apply button, and then click the OK button.

This user account is excluded from two-step verification. You can check the excluded accounts in the list of user accounts.

See also:

Scenario: configuring two-step verification for all users

Page top
[Topic 211812]

Editing the name of a security code issuer

You can have several identifiers (they are called issuers) for different Administration Servers. You can change the name of a security code issuer in case, for example, the Administration Server already uses a similar name of security code issuer for another Administration Server. By default, the name of a security code issuer is the same as the name of the Administration Server.

After you change the security code issuer name you have to reissue a new secret key and pass it to the authenticator app.

To specify a new name of a security code issuer:

  1. In the Kaspersky Security Center console tree, open the context menu of the Administration Server folder, and then select Properties.
  2. In the Administration Server properties window, in the Sections pane, select Advanced, and then Two-step verification.
  3. Specify a new security code issuer name in the Security code issuer field.
  4. Click the Apply button in the Two-step verification section.
  5. Click the OK button in the Two-step verification section.

A new security code issuer name is specified for the Administration Server.

See also:

Scenario: configuring two-step verification for all users

Page top
[Topic 211906]