Multi-factor authentication
What is multi-factor authentication and what is it needed for?
Multi-factor authentication, or MFA for short, is a security mechanism that requires users to enter at least two independent verification factors to uniquely identify themselves when accessing an application. Unauthorized access is not possible due to the additional authentication method; the security level is thus significantly increased.
MFA and Relution
Relution allows LDAP and local users to activate the additional authentication methods "E-Mail Token" and "Authenticator App" in the Relution Portal in addition to the user name and password. Release 5.16 takes into account the requirement of the German Federal Office for Security (BSI) for MDM providers to implement the provision of an additional security level.
How is the MFA configured in Relution?
The new MFA feature must be enabled by an organization or system admin under "Settings" -> "Passcode Policy" before it can be used.
In the "Multi-factor authentication" submenu item, you can either select "E-mail authentication" and specify the validity period of the one-time code to be sent or select the "Authenticator apps" option. Alternatively, both variants can be activated in parallel.
Force MFA login
The Relution Permission system has been extended by the "Multi-factor authentication" option. It can be defined for a role whether the MFA logon is required or not. If the role with activated MFA logon is assigned to a user or a group, an MFA logon is mandatory for a LogIn.
If no MFA method has been set up yet, then the user must do this the first time they log in.
Multi-factor authentication methods
E-mail token
Each User, independent of an Administrator, has the possibility to activate the MFA individually in the Relution Portal. In the menu bar "Profile", new tokens for two-factor authentication can be added under "MFA Tokens". If the first option "E-Mail" is selected, a new tab opens to enter the e-mail address.
Private e-mail addresses as well as e-mail addresses differing from the user can be stored in the system - useful in the school context.
After entering, a one-time verification code will be sent to the email address entered. This code remains valid for the period specified by the administrator. As soon as the correct pin, consisting of any numerical combination, is entered, the multi-factor authentication is configured.
Authenticator App(s)
Any number of MFA factors can be stored in the Relution Portal. In addition to the e-mail variant, the use of various "Authenticator Apps" is supported. If the second variant "Authenticator App" is selected as the new "MFA token" in the "Profile" menu bar, a new window opens with a QR code that must be scanned with the authentication app previously installed on the end device. There is also the option of reverting to a setup key for verification.
If various Authenticator apps are used on multiple devices at the same time, the validity of at least one app is checked to ensure correct login.
If both multi-factor authentication methods are used, the Authenticator app is primarily queried; the stored email variant serves as a backup.
If only the Authenticator app is in use, there is no email fallback.
Delete MFA tokens manually
MFA tokens can be deleted manually by the user in the "Profile" menu bar under the "MFA tokens" menu item. If all MFA variants were removed manually, but the application was forced by the administrator, multi-factor authentication must be stored again the next time the user logs into the Relution Portal.
What happens in case of loss of the MFA?
If the user does not have access to email and/or Authenticator app when MFA is enabled, logging into the Relution Portal is no longer possible - going to the administrator is mandatory. Under "Users" -> "Users" the administrator:in has the option to manually remove the blocked MFA token.
In the version release 5.16 MFA is available for the Relution console. The apps will be added with the new procedure and released soon.