Provet Cloud offers a two-factor authentication (2FA) feature to increase the security of user accounts. When the feature is enabled, users periodically have to authenticate in two steps:
- The user logs in with their personal password (successfully)
- They are then prompted for an additional 6-digit code
- If a phone number is listed on their profile, they receive an SMS with the code and must enter it to proceed
- If no phone number is listed on their profile, they are prompted for one, after which they receive the SMS and enter the code as above
- If the code is correct, the user is logged in normally. A successful two-factor authentication is remembered for 30 days, after which the user has to repeat the process at login.
Enabling and disabling the feature
This feature is generally available for all Provet Cloud users. Note that if a custom authentication method like SAML2 or LDAP is in use, the two-factor authentication feature will not be available.
To enable it, go to Settings > Users > Password settings and enable the option Enable two-factor authentication.
You can also disable the feature by simply turning the setting off, but this is not recommended, as you lose the added protection it gives user accounts.
Option to disable for specific users
If you need to exempt a specific user from two-factor authentication, enable the 'Disable two-factor authentication' option when editing their account. An exempted account is protected by its password alone, so keep such exemptions to a minimum.
Skipping 2FA for specific IP addresses
It is possible to exclude specific IP addresses or networks so that users logging in from them do not have to use two-factor authentication. For example, you may skip 2FA for the clinic network but require it when employees log in from elsewhere. Keep in mind that this exemption trusts the network location: anyone who can connect from an excluded address (for example, guests on a shared Wi-Fi behind the same public address) skips the second factor, so only list networks you control and whose public address is static.
See the password setting Skip two-factor verification from specific IP addresses. The IP address(es) must be entered in CIDR notation, for example 203.0.113.0/24 for a whole network or 203.0.113.5/32 for a single address (these are documentation-only example addresses; substitute your own).
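To make the CIDR notation and the login decision described on this page concrete, here is an added, self-contained Python illustration. It is not Provet Cloud's code and does not show how Provet Cloud implements the feature; it models the rules stated above (per-user exemption, skip list in CIDR notation, 30-day remember period) using only the standard library. The skip list, the user records and the timestamps are constructed sample values, and the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 ranges are documentation-only addresses.

```python
# Added illustration (not Provet Cloud's code) of the login decision this page
# describes: skip the second factor for allow-listed CIDR ranges or per-user
# exemptions, otherwise require it when the last verification is older than 30 days.
import ipaddress
from datetime import datetime, timedelta, timezone

REMEMBER_PERIOD = timedelta(days=30)

# Constructed skip list in CIDR notation (RFC 5737 documentation ranges).
SKIP_2FA_NETWORKS = [
    "203.0.113.0/24",    # e.g. the clinic's public network
    "198.51.100.7/32",   # a single static address: /32 means exactly one IPv4 host
]


def parse_networks(entries):
    """Parse CIDR strings into network objects.

    strict=True (the default) rejects entries such as "203.0.113.5/24" whose host
    bits are set, rather than silently widening a probable typo to the whole /24.
    """
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=True))
        except ValueError as exc:
            raise ValueError(f"invalid CIDR entry {entry!r}: {exc}") from exc
    return networks


def ip_skips_2fa(client_ip, networks):
    """True if client_ip falls inside any allow-listed network.

    client_ip must be the address the server actually saw on the connection (or
    one set by a trusted reverse proxy), never a header the client can supply.
    An IPv6 client never matches an IPv4 range and vice versa.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def needs_second_factor(client_ip, networks, user_2fa_disabled, last_verified, now):
    """Decide whether this login must complete the SMS code step.

    last_verified is when the user last passed 2FA (timezone-aware), or None if never.
    """
    if user_2fa_disabled:          # per-user 'Disable two-factor authentication'
        return False
    if ip_skips_2fa(client_ip, networks):
        return False
    if last_verified is None:
        return True
    return now - last_verified >= REMEMBER_PERIOD


if __name__ == "__main__":
    nets = parse_networks(SKIP_2FA_NETWORKS)
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    print("clinic network, never verified:",
          needs_second_factor("203.0.113.44", nets, False, None, now))
    print("outside, verified 3 days ago:",
          needs_second_factor("192.0.2.10", nets, False, now - timedelta(days=3), now))
    print("outside, verified 31 days ago:",
          needs_second_factor("192.0.2.10", nets, False, now - timedelta(days=31), now))
```

The strict parsing is the point worth copying into any real configuration check: an entry with host bits set is almost always a mistyped single-address exemption, and widening it silently turns one excluded workstation into an excluded network.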