FAQ XolidoSign Professional and Corporate

How to configure Two-factor authentication

Two-factor authentication adds an extra layer of access security to the XolidoSign Corporate service, complementing login with username/password or certificate.

There are two possible two-factor authentication methods: SMS and TOTP.

  1. SMS

    If you have an SMS gateway configured in your XolidoSign Corporate service, you can activate two-factor authentication by PIN sent to the mobile phone. By default it applies to all users, and each user must have a cell phone configured in their personal data (Users > Personal data).

    1.1. Activate SMS mechanism

      To activate the SMS two-factor mechanism, access the Administration area > Settings > Access policy > Two-factor authentication and check "YES" in the "Request pin SMS as a double factor" box.

      By checking "YES", all users of the service will have the SMS two-factor authentication enabled. Make sure that all users have configured the cell phone in their personal data, otherwise they will not be able to access the platform.

      You can view the status of users by clicking on the "User status" button. From here, you can edit the cell phone of the users and enable or disable the SMS two-factor per user.

      When SMS two-factor authentication is active and there is a user without a cell phone, the following warning will be displayed in the configuration.

      "Two-factor authentication with mobile pin is active, but there are users who do not have a mobile number to send the pin to. These users will not be able to access. Please, check user data."

      From this notice, the user status can be accessed by clicking on "review user data".

      Basic blocking system

      PIN sending is temporarily blocked for a user if 3 PINs are sent within 30 minutes and the user does not log in. This system exists only to prevent abuse; it is not configurable by the customer.

      IMPORTANT: Since the mechanism applies to all users, if, for example, someone changes the password of the entity's SMS gateway, no one will be able to enter the system (or the administration area) and the service will be totally blocked (unless an admin has the mechanism disabled and can log in to change the gateway password in the transaction or to temporarily disable the double factor). If this is not the case you should contact us to deactivate it.

  1.2. Disable SMS mechanism for specific users

    When the SMS two-factor mechanism is activated on the platform, it is activated for all users. If you wish to deactivate this SMS two-factor for certain users, please follow the steps below.

    1. Administration area > Settings > Access policy > Two-factor authentication > User status.

      If "YES" is selected in the "DF SMS disabled" column, the SMS two-factor is disabled for that user; if "NO" is selected, it is enabled.

    2. Administration area > Users > Two-factor authentication.

      Select the user for whom you want to disable SMS two-factor and, in the "Auth two-factor" tab, select "YES" in the "Disable two-factor by SMS pin" box.

  2. TOTP

    This second factor is a one-time password and is generated through an app that you will need to install on your smartphone or tablet.

    It is possible that you do not have this functionality activated on your platform. If your account does not have it activated and you wish to activate it, please contact us at soporte@xolidosign.com.

    If your service has this TOTP option, you can activate it in your XolidoSign Corporate account by going, from the public area of your account, to My Resources > Authentication > TOTP / Google Auth.

    1. Check the "Activate OTP protocol" checkbox.

    2. Install a compatible application to generate the codes, such as "Google Authenticator", "Microsoft Authenticator" or "FreeOTP".

    3. Click on the "Set new code" button.

    4. Scan the QR code with the application on your cell phone.

    5. Two-step authentication has been activated. The next time you log in to your XolidoSign Corporate account you will be prompted to enter the authentication code generated by your Google Authenticator mobile app or the one you have configured.

    NOTE: Failure to properly guard the settings could accidentally lock your account.

    The two two-factor authentication methods can be active simultaneously, in which case it is sufficient to enter one of the two PINs to gain access, either the PIN received by SMS or the TOTP.

  3. Two-factor authentication validity period

    The validity period of the two-factor authentication is common to both methods. The administrator can indicate whether two-factor authentication is requested for each browser session or every n days.

    • Request it every time you restart the browser (exiting the application is not enough; the browser must be restarted).
    • Every X days: between 1 and 90 days.