Manage Two-Factor Authentication for Ops Manager
On this page
Overview
Administrators can enable two-factor authentication. When enabled, two-factor authentication requires a user to enter a verification code to log in and to perform certain protected operations. Operations that require two-factor authentication include:
restoring and deleting snapshots,
stopping and terminating Backup for a sharded cluster or replica set,
inviting and adding users,
generating new two-factor authentication backup codes, and
saving phone numbers for two-factor authentication.
Optionally, administrators can set up two-factor authentication with Twilio. This allows users to receive their authentication codes via SMS.
Users configure two-factor authentication on their accounts through their Ops Manager user profiles, where they select whether to receive their verification codes through voice calls, text messages (SMS), or the Google Authenticator application. If your organization does not use Twilio, then users can receive codes only through Google Authenticator.
Administrators can reset accounts for individual users as needed. Reseting a user's account clears out the user's existing settings for two-factor authentication. When the user next performs an action that requires verification, Ops Manager forces the user to re-enter settings for two-factor authentication.
Procedures
Enable Two-factor Authentication
Configure Multi-Factor Authentication (MFA)
.
Select Multi-Factor Auth Level.
LevelDescriptionOPTIONAL
Users can choose to set up two-factor authentication for their Ops Manager account.
REQUIRED
All users must set up two-factor authentication.
REQUIRED_FOR_GLOBAL_ROLES
Users who possess a global role must set up two-factor authentication, while two-factor authentication is optional for all other users.
Optional. Select whether users can reset their two-factor authentication setting via email.
Optional. Specify the Authenticator app issuer. If blank, the issuer is the domain name of the Ops Manager installation.
Optional. Enable Twilio Integration
To allow users to receive their authentication codes via SMS, administrators can optionally enable integration with Twilio.
Configure Twilio Integration
.
Enter the following to allow delivery of alerts and SMS multi-factor authentication codes through Twilio:
Note
If you Twilio integration, ensure that
Ops Manager servers can access the twilio.com
domain.
Field | Description |
---|---|
Account SID | Twilio account ID. |
Twilio Auth Token | Twilio API access token |
Twilio From Number | Twilio phone number from which to send the alerts and authentication codes to users. |
Reset a User's Two-factor Authentication Account
Resetting the user's account clears out any existing two-factor authentication information. The user will be forced to set it up again at the next login.
You must have the global user admin
or global owner
role to perform this procedure.