Multi-factor authentication for local accounts overview

Multi-factor authentication (MFA) adds an extra layer of security to your Nexthink tenant by requiring local users to provide multiple forms of identification before they are granted access.

MFA includes the following components:

  • Something the user knows, such as a password.

  • A Time-Based One-Time Password (TOTP) that is generated by an application, such as Google Authenticator or Microsoft Authenticator.

The user must use both components during login.

Enable MFA to significantly enhance protection against unauthorized access, data breaches, and identity theft. Use MFA to reduce the risk of credential theft, phishing attacks, and brute-force attacks, and to safeguard user accounts and sensitive information on your platform. Overall, MFA is a crucial security feature that reinforces the integrity of your Nexthink tenant and ensures a safer user experience.

You must upgrade to at least version 6.30.20.0 to use MFA.

Use MFA for local accounts

Enable or disable MFA on your appliance

MFA is disabled by default. Perform the following steps to enable or disable it:

  1. Log in to the Command-line Interface (CLI) of the Portal appliance.

  2. Optional step. If the Portal has no configuration file yet, that is, if portal.conf does not exist in the folder /var/nexthink/portal/conf, create it by copying the defaults from the sample configuration file:

    sudo -u nxportal cp /var/nexthink/portal/conf/portal.conf.sample \
    /var/nexthink/portal/conf/portal.conf
  3. Edit the Portal configuration file:

    sudo vi /var/nexthink/portal/conf/portal.conf
  4. Type in the following line to enable MFA; replace true with false to disable it:

    globalconfig.feature.totp-enabled = true
  5. Save your changes and exit:

    :wq
  6. Restart the Portal to apply your settings:

    sudo systemctl restart nxportal

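Because TOTP codes are derived from the current time, the appliance clock must agree with the clock of the device that runs the authenticator application. The following steps may therefore also need to be performed: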

  1. Log in to the Web Console as administrator.

  2. Select the Appliance tab at the top of the window.

  3. Select the section Network parameters from the left-hand side menu.

  4. Choose the management account with the following steps under NTP on CentOS 7 or Chrony on Oracle Linux 8:

    1. On CentOS 7, select the NTP option; on Oracle Linux 8, select the Chrony option.

    2. Provide one or several valid Time servers, for example, time servers provided by pool.ntp.org.

    3. Select SAVE CHANGES.

If MFA is enabled for local accounts on your tenant, you may also have to perform one of the following procedures.

MFA is not set up for the currently active account

  1. Install an authenticator application on your mobile device or on a computer that supports TOTPs, for example, Google Authenticator, Microsoft Authenticator, 1Password and so on.

  2. Scan the QR code with your authenticator application.

  3. Enter the code provided by your authenticator application.

  4. Select Continue.

  5. Select Finish when the code is validated and the setup is complete.

You can skip this procedure three times.

MFA is already set up for the currently active account

  1. Enter the code provided by your authenticator application.

  2. Select Sign in.
