Two factor authentication in the staff interface

Koha offers two-factor authentication (2FA) for logging into the staff interface.

This two-factor authentication uses a time-based one-time password (TOTP). A TOTP is a password that can only be used once and is only valid for a limited time.

Users wanting to use the two-factor authentication must have an app to generate these TOTPs. Any authenticator app, such as Google Authenticator, andOTP, FreeOTP and many others, can be used. Applications that enable backup of their 2FA accounts (either cloud-based or automatic) are recommended.

Turn on the two-factor authentication with the TwoFactorAuthentication system preference.

Once this is done, the staff user must go to their account by clicking their username at the top of the page and clicking ‘My account’.

[Screenshot: the user menu at the top of the page in the staff interface, with the cursor on the 'My account' option.]

The user must then go to More > Manage two-factor authentication.

[Screenshot: when two-factor authentication is enabled, the currently logged in user has access to a 'Manage two-factor authentication' option in the 'More' menu.]

The status should be ‘Disabled’ when first going to this page.

[Screenshot: the manage two-factor authentication page; the status is currently disabled and there is a button that says 'Enable two-factor authentication'.]

Click on ‘Enable two-factor authentication’.

A QR code will be presented. This code must be scanned with an authenticator app (see above for suggestions).

[Screenshot: the manage two-factor authentication page; a QR code is presented with a field for a PIN code underneath.]

Note

If the app cannot scan QR codes, the page also shows the credentials that can be entered manually (account, key, time-based).

Once the QR code is scanned, the app will return a time-based PIN code. The user must enter this PIN code in the PIN code field and click ‘Register with two-factor app’.

The status of the two-factor authentication will now be enabled.

Note

An email will be sent to the user’s email address to alert them that the two-factor authentication has been enabled on their account.

You can customize this message in the Notices and slips tool. The letter code is 2FA_ENABLE.

When this user tries to log in to the staff interface, they will have to enter their username and password, like always, but also a two-factor authentication code.

[Screenshot: when two-factor authentication is enabled and a user has enabled it in their account, a two-factor authentication code field appears after they have entered their username and password to log into the staff interface.]

The user must then open their authenticator app, generate a time-based one-time password and enter it in the field in order to log in.

Note

Alternatively, if the user doesn’t have the app handy, they can click on ‘Send the code by email’, which will send them an email with a time-based one-time password for them to use.

The email is based on the 2FA_OTP_TOKEN notice template, which can be customized in the Notices and slips tool.

Should the user wish to disable their two-factor authentication, they can go to their account in the staff interface, click More > Manage two-factor authentication and click ‘Disable two-factor authentication’.

[Screenshot: the manage two-factor authentication page; the status is currently enabled and there is a button that says 'Disable two-factor authentication'.]

Note

An email will be sent to the user’s email address to alert them that the two-factor authentication has been disabled on their account.

You can customize this message in the Notices and slips tool. The letter code is 2FA_DISABLE.
