Two Factor Authentication (2FA)
This feature is currently available for all paid accounts. Please reach out to Airship Technical Support to enable Two-Factor Authentication company-wide.
Overview
This article covers the following topics:
- What is Two-Factor Authentication?
- Enablement Options
- Rollout Requirements
- Enabling 2FA
- Resetting 2FA
- Best Practices
- Common Problems and Solutions
What is Two-Factor Authentication?
Two-Factor Authentication (2FA) greatly enhances the security of your Internet accounts by requiring a secondary authentication method when logging into an account.
We strongly recommend using 2FA to increase the security of your Airship account.
Enablement Options
Individual
Once 2FA has been enabled for an individual account, a Two-Factor Authentication item is added to the Account Management dropdown menu (accessed by clicking the person icon at the top right corner of the Airship Dashboard).
Users with individual 2FA enabled must enroll in 2FA themselves by following the instructions in our Set Up Two-Factor Authentication (2FA) guide.
Companies that would like to force 2FA enrollment for their Team Access users should consider company-wide enablement instead.
Company-Wide
Once this is enabled, any new or existing users invited to a project from your company’s account through Team Access will be required to set up 2FA upon their next login.
Users who become locked out of their account, and who do not have access to their recovery codes, will need to follow the steps detailed in the Resetting 2FA portion of this guide.
We strongly encourage those interested in enabling this feature company-wide to start with a pilot team.
Rollout Requirements
For a successful company-wide rollout, you will need the following:
An authenticator app, such as Google Authenticator, LastPass, or 1Password
An authenticator app allows an individual to generate a one-time passcode. This passcode is usually a 6-digit number that is updated at 30-second intervals.
When you sign in to your Airship account after setting up 2FA, you will be prompted to enter your username and password. On the following page, you will be prompted to enter the current one-time passcode as it appears in your authenticator app.
A list of users that are authorized to approve 2FA resets
The authorized approvers for your company should be able to verify that any user requesting a 2FA reset is legitimate. They should also be comfortable with the following:
- Educating other members of your company on the 2FA workflow, including how to set up 2FA and how/where to store recovery codes
- Being the first point of contact for troubleshooting login issues
- Reaching out to Airship Technical Support to request a two-factor authentication reset in the case that the above-mentioned troubleshooting is unsuccessful
A list of users to be part of the pilot team (if you choose to do company-wide rollout)
These users will be the first members of your company to have two-factor authentication enabled on their account. Once 2FA is enabled for their account, they should confirm the following:
- They have been enrolled in 2FA
- They can sign into their account using 2FA
- They can successfully complete an account recovery
Setting Up 2FA
Please refer to our Set Up Two-Factor Authentication (2FA) guide for step-by-step instructions.
Resetting 2FA
- The user who is locked out of their account will first reach out to the authorized approvers for your company.
- If the authorized approvers are unable to successfully troubleshoot the login issue, they should reach out to Airship Technical Support for assistance.
- We will verify that the person reaching out is in the list of authorized approvers. If they aren't, we will add that person to the conversation.
- We will send a no-fee statement of work, to be approved by one of the authorized approvers.
- Once we receive approval, we will reset the affected user’s account.
Users who are locked out of their account will remain locked out until their 2FA reset request can be processed. We strongly recommend generating recovery codes to reduce the need for a 2FA reset.
Best Practices
Be sure your team is educated on the following before enabling 2FA:
- What 2FA is and why it’s important
- The application your company is using to generate one-time passwords, and how to use that application
- The importance of storing recovery codes and the best places to store them
  - Provide several recommendations on where to store them (e.g., in the user's password manager, Google Drive, Dropbox, etc.)
  - Stress that codes must be stored somewhere that can be accessed from multiple devices
  - Provide example scenarios that require access to recovery codes (e.g., new phone, stolen laptop, etc.)
Common Problems and Solutions
If you’re using Google Authenticator, the QR code scanner may not work with certain browser extensions. In this case, please temporarily disable affected extensions and try scanning the QR code again.
If your first attempt at Enable results in an “expired” error message, please wait for the next 6-digit code to be generated and try entering it again.
If the authenticator app on your phone and the phone’s internal clock aren’t synced properly, every generated code will appear to be invalid. You can resolve this by verifying that your phone’s internal clock is correct.
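The following added example (not Airship's code) shows why the 6-digit, 30-second passcodes described under Rollout Requirements are rejected when the phone's clock is wrong. It assumes the RFC 6238 defaults that authenticator apps commonly use (HMAC-SHA1, 30-second step, 6 digits); the secret, the timestamps, and the `window` tolerance are constructed for illustration and do not describe Airship's server behaviour.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for (the 30-second interval described above)
DIGITS = 6   # length of the one-time passcode

# Constructed sample secret: the RFC 6238 test key "12345678901234567890" in base32.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: float) -> str:
    """Code an authenticator app displays when its clock reads unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // STEP                      # number of 30 s steps since the epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, code: str, server_time: float, window: int = 1):
    """Return the step offset at which code matches, or None if it is rejected.

    window is an assumed server-side tolerance, in 30 s steps either side of now.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        if hmac.compare_digest(expected, code):           # constant-time comparison
            return drift
    return None


def phone_clock_check(secret_b32: str, server_time: float, skew_seconds: float, window: int = 1):
    """Verify the code produced by a phone whose clock is off by skew_seconds."""
    return verify(secret_b32, totp(secret_b32, server_time + skew_seconds), server_time, window)


if __name__ == "__main__":
    now = 1111111111  # constructed server time (an RFC 6238 test timestamp)
    for skew in (0, -2, 300):
        result = phone_clock_check(SAMPLE_SECRET, now, skew)
        print(f"phone clock off by {skew:>4}s ->", "rejected" if result is None else f"accepted (step {result:+d})")
```

A wider `window` tolerates more clock drift, but it also lengthens the time an intercepted code stays usable, which is why correcting the phone's clock is the preferred fix.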