DuoSecurity: Advanced Two-Factor Login for LuxSci’s Web Interface
Two-Factor logins require users to
- Enter their username and password correctly (the 1st factor)
- Authenticate a second way (e.g., by entering a code delivered to their mobile phones).
- LuxSci staff use it for all administrative actions through our web interface and the server command line.
- It is required for PCI compliance
- It is appropriate for HIPAA compliance
Compare Two-factor Options at LuxSci
LuxSci customers now have three options for two-factor authentication: SMS/text message, email to alternate email address, and use of DuoSecurity. All three options are free/included with your LuxSci account; however, the DuoSecurity option requires setting up an account with DuoSecurity first. DuoSecurity accounts for ten or fewer users are free, and they also have a 30-day free trial.
In the following table, we compare the features and functionality of each of these three options.
|Cost||Free||Free||Free up to ten users; $30/mo for each additional ten users|
|via email message sent at login|
|via SMS/Text message sent at login|
|via batch of codes in an SMS/Text message sent ahead of time|
|via hardware token|
|via a telephone call to any phone, anywhere|
|via push – tap to confirm on your iPhone or Android|
|via App – get passcodes from a free mobile app available for all smartphones|
|Backup methods: setup multiple phones or devices and choose which to use at login|
|Bypass Code – Administrators can generate a one-time code that will let a user login, even if the user has lost access to their second factor.|
|Users can enable their own Two-Factor method|
|Administrators can enable and enforce Two-Factor authentication for users|
|Administrators can configure users’ Two Factor options for them|
|Administrators can view authentication logs|
There are many other minor configuration options available with DuoScurity like lockout after failed attempts, re-sending SMS codes once the ones already sent are used up, etc.
We highly recommend using DuoSecurity for two-factor authentication due to its feature-rich nature and cost-effectiveness. It is well worth it, even for just the ability to have backup second-factor devices and to generate bypass codes in case of emergency.
Setup Two-Factor Authentication at LuxSci
If you are going to use DuoSecurity, you need to:
- Go to www.DuoSecurity.com and create an account
- Log in and click on “Integrations” and make a “New Integration” of type “Web SDK.”
- Login to your LuxSci account and proceed to either “Account > Advanced Administration > Security > DuoSecurity Two Factor” (for enabling DuoSecurity account-wide), or “Account > Domain Administration > Select a domain > General Settings > DuoSecurity Two Factor” (for enabling DuoSecurity for a specific domain).
- Copy and paste in DuoSecurity Integration Key, Secret Key, and API hostname that they provide to you.
- Select if DuoSecurity Two Factor should be required for all users or optional (e.g., they can opt to use it, but it is not enabled by default).
If you have specified that DuoSecurity is required, then setup is complete — all affected users will be required to use it when they login to the system. If you have not pre-configured “second factors” for them, they will be forced to do it as part of their next login to the web interface (this is a straightforward process).
If you are not using DuoSecurity or have left it as “Optional,” then the next step is for your users (or their account administrators) to:
- Login to LuxSci
- Go to “Account > My Profile > Two-Factor Authentication”
- Select the desired SMS, Email, or DuoSecurity option
What else can I do to protect my login?
In addition to choosing a good password, there are many things you can do at LuxSci to help secure your logins:
- Update your settings to enforce only secured connections (SSL or TLS) when connecting to WebMail and other LuxSci services such as IMAP, POP, SMTP, FTP, and MySQL. This prevents your username, password, and other data from eavesdropping.
- Restrict permission to log in to your account to specific IP addresses or geographic regions
- Password policies – configure minimum password strengths, ensure your password must be changed frequently, that old passwords are not re-used, and that password guessing is not permitted.
- Have alerts sent to you about successful and failed logins — so that you are immediately aware of any unauthorized login attempts.
- Remove access to LuxSci services that you are not using. E.g., if you don’t use POP but have access to it — disable access to prevent unauthorized people from trying to access your email or guess your password through that service.
These features and many more are standard with LuxSci accounts.
- Improve Account Security by Enabling Multifactor Authentication
- SMS is Broken and Hackers can Read Text Messages. Never use Regular Texting for ePHI.
- Securing your iPhone’s Email – Best Practices
- Capture Ink Signatures in your Web Forms: Handwritten Signatures from Desktop and Mobile Devices
- HIPAA Compliant Calendars, Contacts and Reminders – Tasks for your iPhone and Android