Enable the Authenticator App authentication method in Workspace ONE Access for two-factor authentication to require users to enter a Time-based One-time (TOTP) passcode as the second credential when they sign in to the Workspace ONE Intelligent Hub app or any app that requires two-factor authentication.

Two-factor authentication is a security enhancement that requires you to present two distinct forms of identification to sign in. Users use an authenticator app installed on their device to generate a TOTP passcode and use this passcode together with their first authentication credential to sign in to an app. Users can leverage their preferred authenticator app on their personal or work mobile device to generate the TOTP passcode. The device is not required to be a managed or registered device with Workspace ONE UEM.

When you enable Authenticator App authentication in the Workspace ONE Access service, you can configure the number of times users can enter an incorrect passcode within a re-try period before a five-minute waiting period is imposed. The default configurations allow for a maximum of five unsuccessful attempts over a five-minute window. When a sixth attempt fails within a five-minute period, the user account cannot authenticate again with the Authenticator App for five minutes. Implementing a waiting period after a predefined number of incorrect passcodes are entered allows for stronger protection against potentially bad actors and can be tailored to your organization's security requirements.

You can configure custom messages that display on the sign-in screen to explain how to register the app and what to do if the user is not able to sign in.

In the default access policy or in an application access policy, you configure rules to require an authenticator app authentication as the second form of authentication.

An authenticator app is built in to the Workspace ONE Intelligent Hub app for iOS devices and Android devices.

End users can also download an authenticator app that is built based on the TOTP RFC 6238 algorithm from the Apple App Store or the Google Play Store. They can also use a browser-based password manager that can generate a TOTP passcode to sign in.

When users sign in the first time, they sign in with the first required authentication credential, and they are asked to register their authenticator app. The custom registration message that you create displays on the Register Authenticator App screen. To register, they use the scanner built into the authenticator app to scan the QR code and enter the six-digit passcode that displays in the authenticator app. If the camera is not available for scanning the QR code, users have the option to manually input the secret code on the authenticator app to get the six-digit passcode. Users can see the secret code to input into their authenticator app by clicking use a code instead on the registration screen. No personal identifying information is stored in the Workspace ONE Access console user accounts, only the registration date is saved.

Figure 1. Register Authenticator App Screen using QR Code
Screenshot of Authenticator App Registration message, QR code and device passcode

When users sign in after registering their authenticator app, they are asked to enter the six-digit passcode that the authenticator app displays on the device. Users have a limited time to input the passcode, usually 30 seconds, before a new passcode is displayed.

Configure Authenticator App and Enable in the Built-In Identity Provider

Procedure

  1. In the Workspace ONE Access console Integrations > Authentication Methods page, click Authenticator App.
  2. Click CONFIGURE.
    Option Description
    Enable Authenticator App Authentication Click the toggle icon to enable Authenticator App Adapter Authentication.
    Number of re-tries allowed Enter the number of times a user can enter an incorrect passcode before the sign-in attempt fails and access is denied.

    The value can be set from 1 to 15.

    The default is 5 times.

    Re-try period Enter the number of minutes that a user has to retry entering a passcode before they are locked out.

    The retry value can be set from 5 to 60 minutes.

    The default is 5 minutes.

    Lock-out time Enter the number of minutes that a user must wait when the retry value is reached before they can try to log in again.

    The lockout value can be set from 5 to 60 minutes.

    The default is 5 minutes.

    Enter the custom text for registration Describe to the user how to proceed to log in, including what to install and what to do.

    Example text.

    Install an authenticator app on your device and scan this QR code. 
    Enter the one-time passcode displayed in the authenticator app.
    Enter the custom text for recovery Describe what to do if user cannot log in from their authenticator app.

    The default scenario to log in lets a user retry to enter a passcode 5 times within 5 minutes before being locked out for 5 minutes after-which they can try again.

  3. Click SAVE.
  4. Navigate to Integrations > Identity Providers and select the Built-In identity provider.
    1. In the Authentication Methods section, select Authenticator App.
    2. Click Save.

What to do next

Create the access policy rule to use Authenticator App as the second authentication method for two-factor authentication. See Add Authentication Rules Workspace ONE Access Default Access Policy.

Reset Authenticator App Registration for a User

When a user contacts you because they cannot use their authenticator app to sign in to the Workspace ONE Intelligent Hub app or to an application in the Hub catalog that required two-factor authentication, you must reset the registered authenticator app from the console. When you click Reset, the registered authenticator app is deleted. Users are asked to register the authenticator app again the next time they sign in.

  1. In the Workspace ONE Access console Accounts > Users page, select the user name that is requesting the reset.
  2. In the Two-Factor Authentication tab Authenticator App section, click RESET.
  3. In the dialog-box that displays, click RESET to confirm the action.