    Two Factor Authentication for Spydus staff users
    Please contact Civica Support for assistance as commissioning is required.  

    Two Factor Authentication (2FA) adds an extra layer of security on top of the usual username and password required for login when accessing the system from outside your network. In addition to a password, 2FA requires the user to enter a special code that regularly changes. This code is generated based on a random secret key and the current time at login. The user employs a pre-configured authenticator application to provide the code when logging in.

    2FA code generation occurs independently on the server and in the user's authenticator app. If the user's authenticator has been set up correctly, the generated code will match the one on the server. When 2FA is enabled, each user is provided with an individual random secret key to seed the generator.

    Enabling 2FA 

    Two-Factor Authentication can be enabled via the drop-down menu under the currently logged in user.

    Selecting Enable 2F Authentication will show the following popup:

    There are multiple authenticator applications available. Follow the instructions in the dialog box according to the mobile device you wish to use. Follow your chosen application's setup instructions to add an account other than a Google or Microsoft account (these may be suggested by default). There may be a simple option to scan a barcode, in which case you can scan the QR code in the dialog above.

    To emulate an authenticator app on a PC, you can download WinAuth (https://winauth.com/). Instead of scanning the QR code, you can copy the secret key from the popup dialog and paste it into the WinAuth app.

    Google Authenticator

    On an iOS, Android or Blackberry device, download and run the Google Authenticator app. Depending on your device, the screens may look slightly different than those shown here:

    Select Begin setup and wait for the following screen. You will be manually adding an account here (ignore the available Google accounts).

    The easiest thing to do is scan the QR code shown on the Spydus popup dialog (see previous section). Once you've done that, you should get a screen like this:

    The code will change every 30 seconds or so. This is the code you enter into the Authentication Code field at the Spydus login screen. The next time you open the authenticator app, you should see something like this:

    If you cannot scan the QR code successfully, you can enter the random secret key manually. It does not matter what account name you enter.

    Microsoft Authenticator

    If you cannot scan the QR code successfully, you can enter the random secret key manually. It does not matter what account name you enter.

    Staff can type the secret key generated from WBA or tap the camera icon to scan the QR code. Once scanned, the app will display the Authentication code with ‘Spydus_Access_Code’ shown beneath the number.

    iOS Authenticator

    Open the app from an iOS device.

    Tap Begin Setup.

    Scan the QR code or manually type in the secret key to display the Authentication code.

    A countdown timer is shown while an Authentication code is displayed. As the countdown nears its end, the number briefly turns red; the code then changes and is displayed in black again.

    WinAuth

    If you do not wish to use a mobile device for 2FA, you can run an emulator on your PC instead. WinAuth is one such program (https://winauth.com/). The first time you run WinAuth you should see a screen like this:

    Click Add, and select Google. You should see the following, except the field with the secret code will be blank. Copy the random secret code from the Spydus popup dialog (see previous section) and paste it into the authenticator.

     

    Click Verify Authenticator and you should see something like this:

     

    Once you click OK out of this dialog, you may be presented with an option to password protect your WinAuth configuration. This has no bearing on Spydus 2FA; it is simply a feature of WinAuth. After closing the Protection dialog, you should see the WinAuth form looking like this:

    The code will change every 30 seconds or so. If you close WinAuth, the next time you open it you may see the following. Click the round refresh cycle icon to resume generating a secret code.

    Logging in

    If 2FA is enabled, the login screen should look like the following:

    To log in, enter your username and password as well as the six-character code provided by the authenticator app.

    The authenticator app must be running on a device or PC that has the same time setting as the server (to within 30 seconds). This is necessary because the code generation uses the current time as well as the random secret key provided when you first enabled 2FA.
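
    The time-based code generation described in the introduction and the clock requirement above, shown as an added Python example that is not Spydus or Civica code. It assumes the standard TOTP scheme (RFC 6238, HMAC-SHA1, 30-second step, six digits) that Google Authenticator-style apps implement; the sample key, the verify function and its window parameter are constructed for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code is valid for ("changes every 30 seconds or so")
DIGITS = 6   # length of the code typed into the Authentication Code field


def totp(secret_b32, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP with HMAC-SHA1 (assumed scheme, see lead-in)."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore stripped base32 padding
    key = base64.b32decode(cleaned)
    counter = int(unix_time // step)              # number of 30 s steps since the epoch
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                    # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, server_time, window=1):
    """Server-side check; `window` steps of clock drift are tolerated each way."""
    matched = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, server_time + drift * STEP)
        # Constant-time comparison; no early exit so timing does not reveal the step.
        matched |= hmac.compare_digest(expected.encode(), submitted.encode())
    return matched


# Constructed sample key: the RFC 6238 test secret "12345678901234567890" in base32.
SAMPLE_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    server_now = 59                                # RFC 6238 test time
    print(totp(SAMPLE_KEY, server_now))            # code both sides compute
    for skew in (0, 20, 95):                       # seconds the device clock is ahead
        code = totp(SAMPLE_KEY, server_now + skew)
        print(skew, verify(SAMPLE_KEY, code, server_now))
```

    With the device clock 20 seconds ahead the code still verifies when one step of drift is tolerated, while a 95-second skew fails; the tolerance Spydus actually applies is not stated on this page. The example also shows that the secret key alone is enough to produce valid codes, so the QR code and key text need the same care as a password.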

    Resetting or disabling 2FA

    If 2FA is enabled, the drop-down menu under the logged in username will show the following: 

    Selecting Manage 2F Authentication will bring up the following dialog:

    From this dialog you can disable 2FA, or reset it by generating a new random secret key. If you generate a new key, you will need to modify or re-create the entry in your authenticator app.

    2FA Reset Email

    This feature requires a minimum server version and patch:

    • 10.7.10
    • 10.8.8
    • 10.9.6

    If a 2FA user has an email address linked to their account, the user may click the Reset 2FA button at login to reset the 2-factor authentication key.

    This might be done if the user has accidentally deleted the key from their authenticator, or lost access to the device with the key.

    The reset email will contain the new key as both a QR code and a text string.

    For libraries on server versions 10.7-10.9, please contact Civica Support for assistance as commissioning is required.  

    For libraries on a subscription or upgrade licensed version of Spydus, the 2FA reset email may be customised on the Communications tab of the HTML Email & Slips Configurator. For Spydus 10 libraries, the 2FA reset email cannot be customised.

    Problem: Two Factor Authentication is not showing at login when it should be
    Suggested action: Log a support ticket via Civica Service Desk.

    Problem: Two Factor Authentication is showing at login when it should not be
    Suggested action: Log a support ticket via Civica Service Desk.

    Problem: The 2FA six character code is incorrect and login fails
    Suggested action: Check the clock on the device that is running your authenticator application. It must be synchronised to the server clock (to the nearest 20 seconds).