DuoSecurity: Advanced Two-Factor Login for LuxSci’s Web Interface
Two-factor logins require users to
- Enter their username and password correctly (the first factor)
- Authenticate a second way, e.g. by entering a code delivered to their mobile phone (the second factor)
Why it matters:
- LuxSci staff use it for all administrative actions, both through our web interface and at the server command line.
- PCI DSS requires it for remote and administrative access to systems that handle cardholder data.
- HIPAA does not name it explicitly, but it is a strong safeguard for the Security Rule's person or entity authentication requirement and is good for HIPAA compliance.
Compare Two-factor Options at LuxSci
LuxSci customers now have three options for two-factor authentication: SMS/text message, email to alternate email address, and use of DuoSecurity. All three options are free/included with your LuxSci account; however, the DuoSecurity option requires that you set up an account with DuoSecurity first. DuoSecurity accounts for 10 or fewer users are free, and they also have a 30-day free trial.
In the following table, we compare the features and functionality of each of these three options.
| Feature | Email | SMS/Text | DuoSecurity |
|---|---|---|---|
| Cost | Free | Free | Free up to 10 users; $30/mo for each additional 10 users |
| Code via email message sent at login | Yes | – | – |
| Code via SMS/text message sent at login | – | Yes | Yes |
| Batch of codes in an SMS/text message sent ahead of time | – | – | Yes |
| Hardware token | – | – | Yes |
| Telephone call to any phone, anywhere | – | – | Yes |
| Push: tap to confirm on your iPhone or Android | – | – | Yes |
| App: passcodes from a free mobile app available for all smartphones | – | – | Yes |
| Backup methods: set up multiple phones or devices and choose which to use at login | – | – | Yes |
| Bypass code: administrators can generate a one-time code that lets a user log in even after losing access to his/her second factor | – | – | Yes |
| Users can enable their own two-factor method | Yes | Yes | Yes |
| Administrators can enable and enforce two-factor authentication for users | – | – | Yes |
| Administrators can configure users' two-factor options for them | Yes | Yes | Yes |
| Administrators can view authentication logs | – | – | Yes |
DuoSecurity also offers many smaller configuration options, such as lockout after repeated failed attempts and automatically sending a fresh batch of SMS passcodes once the ones already sent have been used.
We highly recommend DuoSecurity for two-factor authentication because of its feature set and cost. It is well worth it even if only for the ability to register backup devices and to generate bypass codes in an emergency. At LuxSci, we all use our mobile phones as our primary second factor and hardware tokens as a backup, in case a phone is unavailable.
Setup Two-Factor Authentication at LuxSci
If you are going to use DuoSecurity, you need to:
- Go to www.DuoSecurity.com and create an account
- Log in, click “Integrations”, and create a “New Integration” of type “Web SDK”
- Log in to your LuxSci account and go to either “Account > Advanced Administration > Security > DuoSecurity Two Factor” (to enable DuoSecurity account-wide) or “Account > Domain Administration > Select a domain > General Settings > DuoSecurity Two Factor” (to enable DuoSecurity for a specific domain).
- Copy and paste in the Integration Key, Secret Key, and API hostname that DuoSecurity shows for that integration. The Secret Key is a credential: anyone holding it can forge two-factor results for your integration, so treat it like a password and never paste it anywhere except this settings page.
- Select whether DuoSecurity two-factor authentication should be required for all users or optional (i.e. users can opt in, but it is not enabled by default).
If you have specified that DuoSecurity is required, setup is complete: all affected users must use it from their next login to the web interface onward. If you have not pre-configured second factors for them, they will be prompted to enroll a phone or device as part of that next login (a short, self-explanatory process).
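To show what the three values pasted in above actually do, here is a Python re-implementation of the signing scheme the Duo “Web SDK” (v2) integration type used. It is an added example, not LuxSci's or Duo's code: the application signs a TX cookie with the Duo Secret Key (skey) and an APP cookie with an application key (akey) that the application itself generates and never sends to Duo; after the second factor succeeds, Duo returns an AUTH cookie signed with skey plus the untouched APP cookie, and the application verifies both halves before logging the user in. The sample keys are constructed for the demo, and `simulate_duo` stands in for Duo's service so the exchange runs offline. Duo has since retired this traditional prompt in favor of its OIDC-based Universal Prompt, but the scheme shows why the Secret Key must stay server-side.

```python
"""Duo Web SDK v2 request signing / response verification, re-implemented for illustration."""
import base64
import hashlib
import hmac
import time

DUO_PREFIX, APP_PREFIX, AUTH_PREFIX = "TX", "APP", "AUTH"
DUO_EXPIRE, APP_EXPIRE = 300, 3600           # lifetimes (seconds) used by the v2 SDK
IKEY_LEN, SKEY_LEN, AKEY_LEN = 20, 40, 40    # key lengths the SDK enforces

# Constructed sample credentials for this demo. Real ikey/skey come from the Duo
# admin panel; akey is generated by the application and never shared with Duo.
SAMPLE_IKEY = "DIABCDEFGHIJKLMNOPQR"
SAMPLE_SKEY = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_AKEY = "fedcba9876543210fedcba9876543210fedcba98"


def _sign_vals(key: str, vals: list, prefix: str, expire: int, now: int) -> str:
    """Build prefix|base64(vals...|exp)|hex(HMAC-SHA1(key, prefix|base64))."""
    payload = "|".join(vals + [str(now + expire)]).encode()
    cookie = f"{prefix}|{base64.b64encode(payload).decode()}"
    sig = hmac.new(key.encode(), cookie.encode(), hashlib.sha1).hexdigest()
    return f"{cookie}|{sig}"


def _parse_vals(key: str, val: str, prefix: str, ikey: str, now: int):
    """Verify one signed cookie; return the username, or None on any failure."""
    parts = val.split("|")
    if len(parts) != 3:
        return None
    u_prefix, u_b64, u_sig = parts
    expected = hmac.new(key.encode(), f"{u_prefix}|{u_b64}".encode(), hashlib.sha1).hexdigest()
    if not hmac.compare_digest(expected, u_sig):   # constant-time comparison
        return None
    if u_prefix != prefix:
        return None
    try:
        fields = base64.b64decode(u_b64).decode().split("|")
    except (ValueError, UnicodeDecodeError):
        return None
    if len(fields) != 3:
        return None
    user, u_ikey, exp = fields
    if u_ikey != ikey or not exp.isdigit() or now >= int(exp):
        return None
    return user


def sign_request(ikey: str, skey: str, akey: str, username: str, now=None) -> str:
    """Application side, before rendering the Duo iframe: produce sig_request."""
    now = int(time.time()) if now is None else now
    if not username or "|" in username:
        raise ValueError("invalid username")
    if len(ikey) != IKEY_LEN or len(skey) != SKEY_LEN or len(akey) < AKEY_LEN:
        raise ValueError("bad key length")
    vals = [username, ikey]
    duo_sig = _sign_vals(skey, vals, DUO_PREFIX, DUO_EXPIRE, now)
    app_sig = _sign_vals(akey, vals, APP_PREFIX, APP_EXPIRE, now)
    return f"{duo_sig}:{app_sig}"


def verify_response(ikey: str, skey: str, akey: str, sig_response: str, now=None):
    """Application side, on the POST back from the iframe: username if both halves verify."""
    now = int(time.time()) if now is None else now
    parts = sig_response.split(":")
    if len(parts) != 2:
        return None
    auth_user = _parse_vals(skey, parts[0], AUTH_PREFIX, ikey, now)
    app_user = _parse_vals(akey, parts[1], APP_PREFIX, ikey, now)
    if auth_user is None or auth_user != app_user:
        return None
    return auth_user


def simulate_duo(ikey: str, skey: str, sig_request: str, now=None):
    """Stand-in for Duo's service: validate the TX half with skey and, after a
    successful second factor, return AUTH:APP. Duo never sees the akey."""
    now = int(time.time()) if now is None else now
    duo_sig, _, app_sig = sig_request.partition(":")
    user = _parse_vals(skey, duo_sig, DUO_PREFIX, ikey, now)
    if user is None:
        return None
    return f"{_sign_vals(skey, [user, ikey], AUTH_PREFIX, DUO_EXPIRE, now)}:{app_sig}"


if __name__ == "__main__":
    req = sign_request(SAMPLE_IKEY, SAMPLE_SKEY, SAMPLE_AKEY, "alice@example.com")
    resp = simulate_duo(SAMPLE_IKEY, SAMPLE_SKEY, req)
    print(verify_response(SAMPLE_IKEY, SAMPLE_SKEY, SAMPLE_AKEY, resp))
```

The APP half is what stops a valid Duo result from being replayed against a different application or a different user: it is bound to the same username and ikey, signed with a key only this application holds, and both halves must name the same user and be unexpired.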
If you are not using DuoSecurity or have left it as “Optional”, the next step is for your users (or their account administrators) to:
- Log in to LuxSci
- Go to “Account > My Profile > Two-Factor Authentication”
- Select the desired SMS, Email, or DuoSecurity option
What else can I do to protect my login?
In addition to choosing a good password, there are many things you can do at LuxSci to help secure your logins:
- Update your settings to enforce encrypted connections only (TLS; the older SSL protocol versions should be disabled) when connecting to WebMail and other LuxSci services such as IMAP, POP, SMTP, FTP, and MySQL. Without this, your username, password, and other data can be read by anyone on the network path.
- Use OpenID instead of a username and password to login to the Web Interface.
- Restrict permission to login to your account to specific IP addresses or geographic regions
- Password policies: set a minimum password strength, require periodic changes, prevent re-use of old passwords, and limit failed login attempts so that password guessing is blocked. (Current NIST guidance in SP 800-63B favors long, unique passwords and resets after a suspected compromise over mandatory periodic rotation.)
- Have alerts sent to you about successful and/or failed logins — so that you are immediately aware of any unauthorized login attempts.
- Remove access to LuxSci services that you are not using. For example, if you do not use POP but it is enabled for your account, disable it so that nobody can try to reach your email or guess your password through that service.
These features and many more are standard with LuxSci accounts.