Setting up Multi-Factor Authentication with Platform9 Managed OpenStack

Multi-factor authentication (MFA) provides increased security and better access control to Platform9 resources. With multi-factor authentication, the user must provide more than one authentication parameter to sign in. For Platform9 sign-ins, this is a user authentication code in addition to the user password.

Platform9 relies on the time-based one-time password (TOTP) algorithm to generate an authentication code for the user. The TOTP algorithm computes a one-time password from a shared secret key and the current time on the system.
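The following sketch shows how a TOTP code is derived from the shared secret and the current time, and how a verifier can check a submitted code. It is an added example, not Platform9's code. It assumes RFC 6238 defaults (HMAC-SHA1, 30-second time step), a base32-encoded secret and a one-step clock-drift allowance; the sample secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (RFC 6238 default; assumed, not stated by the page)
DIGITS = 6   # the page says the app generates 6-digit codes

# Constructed sample: the RFC 6238 test key, base32-encoded. Not a real account secret.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at=None, step=STEP, digits=DIGITS):
    """Return the TOTP code for a base32 shared secret at Unix time `at`."""
    if at is None:
        at = time.time()
    # Secrets typed in by hand are often lowercase or grouped with spaces.
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore stripped padding
    key = base64.b32decode(cleaned)
    counter = max(0, int(at)) // step             # number of steps since the epoch
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at=None, drift_steps=1):
    """Accept a code from the current step or +/- drift_steps neighbouring steps."""
    if at is None:
        at = time.time()
    ok = False
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, at + delta * STEP)
        # Constant-time comparison; no early exit, so timing does not depend on the match.
        ok |= hmac.compare_digest(expected.encode(), submitted.encode())
    return ok


if __name__ == "__main__":
    print("code at t=59:", totp(SAMPLE_SECRET, 59))
    print("accepted one step late:", verify(SAMPLE_SECRET, "287082", at=89))
```

Because the code depends only on the secret and the clock, a device whose time is off by more than the drift allowance produces codes that fail verification even though the secret is correct.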

To get started with MFA, the user should have a dedicated virtual device set up for their Platform9 account. Virtual devices that work with Platform9 are apps on the user's mobile device or computer that support generating TOTP codes for the user account. The user enters these authentication codes when signing in to Platform9.

Platform9 recommends that users have the MFA feature enabled for their accounts.

Signing in to Platform9 using Multi-Factor Authentication

  • Go to the Platform9 sign in page.
  • Enter email address and password.
  • If MFA is enabled, select the "I have an MFA token" check box.
  • Open the virtual MFA app which was configured for the user and type in the latest TOTP authentication code that the app is displaying.
  • Select Sign in.

If the user's password and TOTP authentication code match, the user should be signed in.

Setting up Multi-Factor Authentication for a user

  • Sign in to the Platform9 UI with an administrator account.
  • In the Tenants & Users view, select 'Manage MFA' in the actions column for the particular user.
  • Ensure that the user has a virtual MFA app installed on their system.
  • Select the Enable button. If MFA was already enabled, only the Disable button will be available.
  • MFA configuration information should now be displayed to the user. A QR code will be generated. A secret key will also be displayed.
  • The user can open the MFA app on their system. If the app can scan QR codes, the user should scan the displayed QR code. The user can enter the secret manually into the app if they cannot scan the QR code.
  • Once successfully configured, the app should start generating 6-digit codes for the user account. Enter two generated authentication codes into the UI to verify that the MFA device is generating codes that the Platform9 system accepts.
  • Select Enable to finish the process.

MFA is now enabled for the user account. The user should now use their password and the current authentication code generated by their MFA device when they sign in to Platform9.

Disabling Multi-Factor Authentication for a user

  • Sign in to the Platform9 UI with an administrator account.
  • In the Tenants & Users view, select 'Manage MFA' in the actions column for the particular user.
  • Select the Disable button. If MFA was not enabled, only the Enable button will be available.
  • Confirm disabling of MFA for the user.

Resetting Multi-Factor Authentication Secret Code for a User

When the MFA device is lost or stolen, an administrator will need to reset the MFA settings for that user. This process involves generating a new TOTP shared secret for the user, in order to deactivate the shared secret that was configured on the lost or stolen device.

To achieve this, follow the steps listed in "Disabling Multi-Factor Authentication for a user" followed by the steps listed in "Setting up Multi-Factor Authentication for a user".

Sample Apps That Can Be Installed on the Virtual Device

  • It should be possible to use any virtual MFA app that supports generation of TOTP tokens. Here are some examples of apps that one can use:
    • Mobile phones: Google Authenticator, Duo Mobile, Authy
    • Computer: Authy