Frequently Asked Question
All Plato software V10.2 and later includes 2FA using Time-based One Time Passwords (TOTP) and Google Authenticator. Earlier SMS options are deprecated because of security concerns expressed by Microsoft and others. TOTP is regarded as more secure than SMS or emailed codes and is easier to manage, since it does not require lists of cell phone numbers to be maintained for users.
The process is:
- The User installs Google Authenticator on their device.
- The Plato application displays a QR Code that is scanned into Google Authenticator. This creates a new Google Authenticator Account with a 6-digit validation code that updates every 30 seconds.
- When the user logs in, they must also enter the current 6-digit validation code read from the application account in Google Authenticator.
Note that Google Authenticator works entirely on the user's device; it does not need mobile or internet access and does not phone home to Google. Also, use of Google Authenticator is free of charge; other TOTP options are available, but the vendor (and Plato) charges for their use.
You can activate 2FA when you configure your system using config.exe; the 2FA setting is stored in your config.ini file.
There are two 2FA Activation options:
Auto: next time a user logs in successfully, the QR Code is displayed to the user to scan into their Google Authenticator. The Label in Google Authenticator will be the 2FA setting content after the colon, so "Codectomy St Elsewhere LIVE" in the above example.
Central: the QR code is generated centrally and is supplied to the user under customer control. Once the QR Code is generated for a user, they will need to supply the validation code before they can log in again.
Other settings for 3rd party 2FA will be documented at the time.
Note that every 2FA pairing for a user generates a unique Google Authenticator QR Code, and therefore a distinct TOTP secret, so you should identify both Facility and System Type (Live/Acceptance etc) in your 2FA setting so users can tell systems apart.
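To make the pairing concrete, here is an added example (not Plato's own code) of what a TOTP pairing consists of: the text the QR code carries, the 6-digit code Google Authenticator derives from it every 30 seconds (RFC 6238, HMAC-SHA1), and the server-side check. The issuer string "Codectomy St Elsewhere LIVE" is the page's label; the account name and the use of the RFC 6238 reference secret are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

# RFC 6238 reference secret, used here only so the codes are checkable.
# A real pairing must get a fresh random secret from new_secret().
DEMO_SECRET = b"12345678901234567890"


def new_secret() -> bytes:
    """Fresh per-pairing secret: every activation or re-activation gets a new one,
    which is why a deactivated pairing can never be revived."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, issuer: str, account: str) -> str:
    """Text encoded in the QR code (the Key URI format Google Authenticator reads).
    The issuer is what the user sees in the app, so name facility and system."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            "&algorithm=SHA1&digits=6&period=30")


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check at log-on: accept the current step plus/minus `window`
    steps of clock drift, comparing in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    print(provisioning_uri(DEMO_SECRET, "Codectomy St Elsewhere LIVE", "alice"))
    print(totp(DEMO_SECRET, 59))  # 287082 (RFC 6238 vector, last 6 digits)
```

Because the secret lives only in the QR code and the device, showing the same QR code again pairs a second device to the same account, while generating a new secret orphans every device paired to the old one.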
Activating 2FA for Users
Because some facilities want to introduce 2FA in several stages rather than all at once, you also need to activate 2FA for users.
You can Activate all users at once in User Manager using the Require 2FA button that is present in V10.2 and later:
Clicking this button will require all users who are not already activated to pair a device before they can Log On again.
- In Auto mode, a QR Code will be displayed next time the user logs on, so that they can pair their device.
- In Central mode, you will need to supply the QR code for the user to pair their device.
Either way, once activated the user will be unable to log on until they enter the validation code from their paired device.
You can control 2FA for individual users in the User Properties dialog.
- In Auto 2FA mode, next time the user logs on they will be presented with a QR Code to pair their Google Authenticator.
- In Central 2FA mode, you can display the QR Code by clicking the Show QR Code button; you will need to provide it to the user before they can log in again.
My user has a new device/has lost their device
If 2FA is activated, clicking the Show QR Code button will display the QR code for the existing 2FA account. This QR code can be used to pair another device to use the same account.
If a device is stolen or transferred to another user, or you need to disable an existing 2FA pairing for other reasons, simply deactivate 2FA for that user in User Properties. This cannot be reversed; their existing 2FA account will no longer work. Instead, you can reactivate 2FA in the usual fashion and a new QR code will be displayed for a new 2FA account.