Two-Factor Login by App was introduced in Calem release R20f (November 2020). It is more intuitive to use than two-factor login by email. After the username and password are authenticated, a screen prompts for a code (the second factor) to complete the two-factor login.
The same screen is shown in Calem Touch (CalemEAM in App Store, or Google Play) when you log in from a phone, a tablet, or a desktop.
A two-factor login app can be downloaded from App Store or Google Play to use with Calem's two-factor login by app. Here is a sample screenshot from Google Authenticator. You may use another app of your choice including Duo, Microsoft Authenticator, etc. These apps are free and generate a one-time password (6 digits) every 30 seconds. Enter the code from the app to continue your login. We will discuss the setup of the app later in the blog.
1. Two-Factor Login Setup Screen
A new screen is added for two-factor login setup. The screen is accessible from the "My account" button in Calem desktop. Only the logged-in user can configure their own two-factor login by app. Admin users can turn off two-factor login by email, or two-factor login by app, for any user.
Click the button "Two-Factor Login" in the "My account" page to launch the two-factor login setup screen.
2. Enable Two-Factor Login By App
In the two-factor login setup page, "Two-Factor Login" must be checked. Otherwise, the "Two-Factor Login by App" checkbox is not shown. A QR code is shown when you check "Two-Factor Login by App".
Next, you will set up a two-factor login app using the QR code in the Calem screen. If your organization has already selected a two-factor login app, you may use it. Otherwise, you may install one of the two-factor login apps from App Store (for iOS) or Google Play (for Android), including Google Authenticator, Duo, and Microsoft Authenticator. We will use the Duo app as an example. Go to Duo and click "+" to scan the QR code in the Calem screen.
Calem is added in Duo and you can now use Duo to provide the two-factor login password.
Enter the current code from Duo into the field below the QR code in the Calem screen to verify with Calem. The code is generated every 30 seconds and valid for 30 seconds. If your login fails, you may take the current code and try again.
Once the code is verified, click "Save" to commit the settings to Calem. You are now all set for two-factor login by app.
3. Reset Two-Factor Login by App
If you need to reset an app, switch to another app, or set up a new phone, go to the Two-Factor Login setup screen, and click "Reset App Secret". A QR code is shown. You may set up a two-factor login app by the QR code, verify with Calem, and save your changes - the same process described above.
A user with two-factor login by app enabled will be stuck and cannot log in if the two-factor login app is not accessible (app deleted, phone misplaced, etc.). Admin users can use the following menu to turn off two-factor login by app:
- Menu path: Organization | ACL Profiles | User List
- Find the user and edit the user record to uncheck "Two-Factor Login by App". This will allow the user to log in with two-factor login by email. Calem sends a code to the user's email for two-factor login.
- Admin users can choose to turn off two-factor login by unchecking "Two-Factor Login". This will allow the user to log in with username and password.
5. Two-Factor Login Policy
Admin users can institute an organization-wide policy to enforce two-factor login. The following steps must be performed to mandate two-factor login.
- Ensure that each user has a valid email address on file in Calem's user account. A user will use two-factor login by email unless two-factor login by app is configured by the user.
- Enable Calem to enforce two-factor login by adding the following line to your server configuration file (calem.custom.php).
When two-factor login is not enforced, it is turned on or off by individual users. In this case, admin users can allow users to log in by username/password in browsers for 60 days from the last two-factor login verification. A two-factor login is required after 60 days. It is an optional feature.
This can be achieved by the following line in the server configuration file: