How is Two-Factor Authentication (2FA) implemented in Password Depot and which settings are required to activate it?

Two-Factor Authentication (2FA) is supported in Password Depot starting with version 12.0.7, as follows:

Databases on the local system (Enterprise Server excluded)

If you do not work with the Enterprise Server and instead store your databases, for example, on a local system or on one of the supported cloud services, you can encrypt your database with a master password and, additionally, with a key file. In this case, access to the database is only granted when both the master password and the key file are correct.

Login to the Enterprise Server

The administrator can enable Two-Factor Authentication (2FA) via TOTP, email or FIDO2/WebAuthn for client logins to the server. If the feature is activated, the client must enter their username and password as well as the corresponding code.

If, for example, you enable TOTP, the following dialog box will appear the next time the client attempts to log in to the Enterprise Server. The client will then need to scan the QR code with an authenticator app:

The authenticator app must support the Time-based One-Time Password (OATH TOTP) standard RFC 6238 in order to generate a short-lived one-time code.

Result: Users must enter a code each time they log on to the Enterprise Server:

Technical aspects

Password Depot uses the standard TOTP algorithm for Two-Factor Authentication (for more details, please visit https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm). This standard is supported not only by Google Authenticator but also by authenticator apps from many other providers such as Microsoft, Apple and others.

How does 2FA work in Password Depot?

  1. When a client to whom 2FA has been assigned connects to Password Depot Enterprise Server for the first time, the server creates a unique private key especially for this client and saves it on the server in encrypted form.

  2. Based on this shared private key, the server generates a QR code, which is then sent to the client.

  3. The client scans this code with an authenticator app (e.g. Google Authenticator, Microsoft Authenticator, Authy). The app then creates a new entry for this account.

  4. The next time the client tries to establish a connection, it must transmit the one-time 6-digit code currently shown in the authenticator app in order to connect to the server successfully.

  5. At the same time, the Enterprise Server generates the same code itself and compares it with the code it received from the client.
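As an added illustration of steps 1 to 5 (example code, not Password Depot's own implementation), the following Python sketch performs the RFC 6238 TOTP computation that both the authenticator app and the server carry out, and the server-side comparison with a one-step tolerance for clock drift. The otpauth URI format, the 30-second time step and HMAC-SHA1 are assumptions based on the RFC defaults; the article does not state Password Depot's exact parameters.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30   # assumed RFC 6238 default time step
DIGITS = 6          # the article states a 6-digit code


def generate_secret(num_bytes: int = 20) -> bytes:
    """Step 1 (server): a fresh random shared secret per client."""
    return secrets.token_bytes(num_bytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Step 2: the otpauth:// URI that is encoded into the QR code.
    Authenticator apps expect the secret as unpadded base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time=None) -> str:
    """Steps 4/5: RFC 6238 TOTP is HOTP with counter = floor(time / step)."""
    t = int(time.time()) if unix_time is None else unix_time
    return hotp(secret, t // STEP_SECONDS)


def verify_totp(secret: bytes, submitted: str, unix_time=None, window: int = 1) -> bool:
    """Step 5 (server): recompute the code for the current step and for
    +/- `window` neighbouring steps to tolerate small clock drift.
    Always compare in constant time and check every step (no early exit)."""
    t = int(time.time()) if unix_time is None else unix_time
    counter = t // STEP_SECONDS
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + delta), submitted)
    return ok
```

A production server should additionally remember the last accepted time step per client so that a code cannot be replayed within the tolerance window.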

If a client permanently uses the same computer/device, the option "Trust this computer" can be activated so that Password Depot Enterprise Server remembers the digital signature of this device for a specific period of time (30 days by default). During this period, the client will not be asked to enter a new 2FA code on this computer. As soon as the period has expired, the server deletes the digital signature and the client must use the authenticator app again to connect to the Enterprise Server.

The Server Manager offers an option to reset the 2FA settings for any client (e.g. if a user has lost their device or the client has been reset to factory settings). Furthermore, trusted-device support and 2FA can also be deactivated for individual clients.

Note: Two-Factor Authentication is currently available in our Windows and macOS clients as well as in our mobile apps (Android/iOS). You can also use 2FA with our web client. FIDO2/WebAuthn is currently only supported on Windows devices.
