Configure Google Multi-Factor Authentication (MFA)

If your organization has not standardized on SAML SSO for Aperture administrator logins, you can set up multi-factor authentication (MFA). You must be an Aperture Super Admin to set or change the authentication settings on the Aperture service. When you enable MFA for Aperture, you strengthen your security posture and protect your account by logging in with something you know (your password) and something you have (such as a verification code sent to your phone). Verification codes are uniquely crafted for your account and will be sent to your phone via text, voice call, or the Google mobile app.
  1. Configure your device for MFA.
    Your Android device must be running Android version 2.1 or later to use Google MFA. Your iPhone, iPod Touch, or iPad must have the latest operating system for your device, and your iPhone must be a 3G model or later in order to set up the app using a QR barcode.
    1. Log in to the Aperture service using your current credentials. Click Proceed to set up MFA.
      If you are a new administrator, you will be prompted to change your password. Your new password must be a minimum of 12 characters, and contain non-alphanumeric characters, digits, and upper and lower case letters.
    2. Install the Google Authenticator app to your mobile device.
  2. Link your mobile device to your account in Aperture.
    1. Using QR Barcode— Select Barcode View. If the authenticator app cannot locate a barcode scanner app on your mobile device, you may be prompted to download and install one. If you want to install a barcode scanner app so you can complete the setup, select Install, and then go through the installation process. Once the app is installed, reopen Google Authenticator, then point your camera at the barcode on your computer screen.
    2. Using Private Key— Select Private Key View and then enter the private key on your authenticator app.
    3. You will be prompted with Regenerate Key? to sync the key to the authenticator app. Click OK to receive two consecutive passcodes.
    4. In Aperture, enter the two passcodes and Save the setup.
    5. Read and Accept the End-User License Agreement (EULA).
      To test that the app is working, enter the verification Code from your mobile device and then Verify. A confirmation message will display if your code is correct. Save to exit the setup. If your code is incorrect, try generating a new verification code on your mobile device, and then entering it on your computer.
  3. Configure MFA in Aperture.
    As an Aperture Super Admin, you can change the Authentication settings for any account except your own. To change your Authentication settings, another Super Admin must configure your account.
    1. Select Settings > Authentication.
    2. Select an Authentication method:
      • Local Authentication— User access is granted only after successfully presenting a passcode pair or QR barcode evidence to the MFA mechanism.
      • Single Sign-On— A single sign-on login event provides automatic access to multiple authenticated services, and a single logout event automatically ends the session for multiple services.
      • Save your selection.
    3. Define the settings for local authentication.
      • In Local Authentication > Do not prompt for OTP, enter the one-time password (OTP) prompt frequency: 0 for all login attempts, or a number of days from 1 to 7.
      • In Block logins after consecutive incorrect passcodes, enter the number of incorrect login attempts allowed, between 1 and 30. Save your settings.
    Administrators will see this authenticator message after entering their Aperture credentials.
    [Screenshot: mfa-sign-in-authenticator.png]
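
The linking step above asks for two consecutive passcodes. The following is an added example, not Aperture or Palo Alto Networks code, showing why that pair proves the app holds the private key and that its clock agrees with the server. It assumes Google Authenticator's standard TOTP parameters (RFC 6238, HMAC-SHA1, 30-second step, 6 digits); the function names, the drift window, and the sample key are hypothetical, and how Aperture verifies codes internally is not described on this page.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 6238 test key "12345678901234567890" in base32,
# standing in for the private key shown in Private Key View.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def decode_secret(secret_b32: str) -> bytes:
    """Accept the key as typed into the app: spaces, lower case, no padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second step."""
    return hotp(decode_secret(secret_b32), unix_time // step)


def verify_consecutive_pair(secret_b32, code1, code2, unix_time, step=30, drift=1):
    """Return the time step at which code1 was generated if code2 is the code
    for the very next step, allowing `drift` steps of clock skew; else None."""
    key = decode_secret(secret_b32)
    now = unix_time // step
    for c in range(max(0, now - drift - 1), now + drift + 1):
        # Constant-time comparison avoids leaking how many digits matched.
        ok1 = hmac.compare_digest(hotp(key, c), code1)
        ok2 = hmac.compare_digest(hotp(key, c + 1), code2)
        if ok1 and ok2:
            return c
    return None


if __name__ == "__main__":
    print(totp(SAMPLE_SECRET, 59))
    print(verify_consecutive_pair(SAMPLE_SECRET, "287082", "359152", 59))
```

A pair entered out of order, or two codes that are not from adjacent time steps, is rejected even though each code is individually valid for the key.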
