OTRS Academy » Documentation » Configuration Options Reference » CoreAuthAgentTwoFactor

CoreAuthAgentTwoFactor

November 24, 2023

Agent::AuthTwoFactor::Module###AuthenticatorApp

Defines the two-factor module to authenticate agents via authenticator app (TOTP mechanism). Use ‘Prio’ key to influence the priority of this mechanism in respect to others. ‘SecretPreferencesKey’ contains the key of the user preference where the shared secret key is stored. ‘AllowPreviousToken’ defines if the previously valid token should be accepted for authentication, which is slightly less secure but gives users 30 seconds more time to enter their one-time password. ‘GracePeriod’ is the time period in seconds that the token will be considered valid, before changing it make sure the user app supports this value.

Default value:

---
AllowPreviousToken: '1'
GracePeriod: '30'
Icon: regular,mobile-qr-code
Label: Authenticator App
Module: Kernel::System::TwoFactor::AuthenticatorApp
Prio: '1000'
SecretPreferencesKey: UserGoogleAuthenticatorSecretKey

Agent::AuthTwoFactor::Module###Email

Defines the two-factor module to authenticate agents via email (HOTP mechanism). Use ‘Prio’ key to influence the priority of this mechanism in respect to others. ‘SecretPreferencesKey’ contains the key of the user preference where the shared secret key is stored. ‘CounterPreferencesKey’ contains the key of the user preference where the current counter value is stored. ‘LookAheadWindowSize’ defines number of retry attempts that will be used if the token is invalid, by increasing the counter value for specified window size (counter re-sync).

Default value:

---
CounterPreferencesKey: UserEmailHOTPCounterConfig
EmailSecurityPreferencesKey: UserEmailHOTPSecurityConfig
Icon: regular,phone-action-email
Label: Email
LookAheadWindowSize: '5'
Module: Kernel::System::TwoFactor::Email
Prio: '3000'
SecretPreferencesKey: UserEmailHOTPSecretKey

Agent::AuthTwoFactor::Module###SMS

Defines the two-factor module to authenticate agents via SMS (HOTP mechanism). Use ‘Prio’ key to influence the priority of this mechanism in respect to others. ‘SecretPreferencesKey’ contains the key of the user preference where the shared secret key is stored. ‘CounterPreferencesKey’ contains the key of the user preference where the current counter value is stored. ‘LookAheadWindowSize’ defines number of retry attempts that will be used if the token is invalid, by increasing the counter value for specified window size (counter re-sync).

This setting is not active by default.

Default value:

---
CounterPreferencesKey: UserSMSHOTPCounterConfig
EmailSecurityPreferencesKey: UserSMSHOTPSecurityConfig
Icon: regular,phone-type
Label: SMS
LookAheadWindowSize: '5'
Module: Kernel::System::TwoFactor::SMS
Prio: '2000'
SecretPreferencesKey: UserSMSHOTPSecretKey

Agent::AuthTwoFactor::RequiredSetup

Defines if agents are required to setup at least one two-factor authentication method.

This setting can not be deactivated.

Default value:

1

Agent::AuthTwoFactor::RequiredSetupException###001-Framework

Defines list of agent logins (UserLogin) that will be excepted from requiring to setup at least one two-factor authentication method.

This setting can not be deactivated.

Default value:

--- []

Customer::AuthTwoFactor::Module###AuthenticatorApp

Defines the two-factor module to authenticate customer users via authenticator app (TOTP mechanism). Use ‘Prio’ key to influence the priority of this mechanism in respect to others. ‘SecretPreferencesKey’ contains the key of the user preference where the shared secret key is stored. ‘AllowPreviousToken’ defines if the previously valid token should be accepted for authentication, which is slightly less secure but gives users 30 seconds more time to enter their one-time password. ‘GracePeriod’ is the time period in seconds that the token will be considered valid, before changing it make sure the user app supports this value.

Default value:

---
AllowPreviousToken: '1'
GracePeriod: '30'
Icon: regular,mobile-qr-code
Label: Authenticator App
Module: Kernel::System::TwoFactor::AuthenticatorApp
Prio: '1000'
SecretPreferencesKey: UserGoogleAuthenticatorSecretKey

Customer::AuthTwoFactor::Module###Email

Defines the two-factor module to authenticate customer users via email (HOTP mechanism). Use ‘Prio’ key to influence the priority of this mechanism in respect to others. ‘SecretPreferencesKey’ contains the key of the user preference where the shared secret key is stored. ‘CounterPreferencesKey’ contains the key of the user preference where the current counter value is stored. ‘LookAheadWindowSize’ defines number of retry attempts that will be used if the token is invalid, by increasing the counter value for specified window size (counter re-sync).

Default value:

---
CounterPreferencesKey: UserEmailHOTPCounterConfig
EmailSecurityPreferencesKey: UserEmailHOTPSecurityConfig
Icon: regular,phone-action-email
Label: Email
LookAheadWindowSize: '5'
Module: Kernel::System::TwoFactor::Email
Prio: '3000'
SecretPreferencesKey: UserEmailHOTPSecretKey

Customer::AuthTwoFactor::Module###SMS

Defines the two-factor module to authenticate customer users via SMS (HOTP mechanism). Use ‘Prio’ key to influence the priority of this mechanism in respect to others. ‘SecretPreferencesKey’ contains the key of the user preference where the shared secret key is stored. ‘CounterPreferencesKey’ contains the key of the user preference where the current counter value is stored. ‘LookAheadWindowSize’ defines number of retry attempts that will be used if the token is invalid, by increasing the counter value for specified window size (counter re-sync).

This setting is not active by default.

Default value:

---
CounterPreferencesKey: UserSMSHOTPCounterConfig
EmailSecurityPreferencesKey: UserSMSHOTPSecurityConfig
Icon: regular,phone-type
Label: SMS
LookAheadWindowSize: '5'
Module: Kernel::System::TwoFactor::SMS
Prio: '2000'
SecretPreferencesKey: UserSMSHOTPSecretKey

Customer::AuthTwoFactor::RequiredSetup

Defines if customer users are required to setup at least one two-factor authentication method.

This setting can not be deactivated.

Default value:

1

Customer::AuthTwoFactor::RequiredSetupException###001-Framework

Defines list of customer user logins (UserLogin) that will be excepted from requiring to setup at least one two-factor authentication method.

This setting can not be deactivated.

Default value:

--- []

AuthTwoFactor::BrowserTrust::Enabled

Defines if trusted browser feature is enabled. If turned on, users will be able to skip two-factor authentication in saved browsers.

This setting can not be deactivated.

Default value:

1

AuthTwoFactor::BrowserTrust::ExpirationPeriod

Defines expiration period in days for trusted browsers. After this time period, trusted browsers will be cleaned up automatically. In order to trust browsers indefinitely, please disable this setting.

Default value:

30

WebApp::API::Agent::TwoFactor::EmailBody

Defines the body text of the two-factor mails sent to agents, with a one-time token for completing the authentication challenge.

This setting can not be deactivated.

Default value:

Hi <OTRS_USERFIRSTNAME>,

You or someone impersonating you has tried to log in into OTRS using your password.

In order to complete the authentication challenge, please use the following one-time code:

<OTRS_OTPTOKEN>

Otherwise, click on the one-time login link below within the next 3 minutes:

<OTRS_CONFIG_HttpType>://<OTRS_CONFIG_FQDN><OTRS_CONFIG_Frontend::PrefixPath>/agent/one-time-login?tokenBase64=<OTRS_AUTHTOKEN>

If you did not request a login, please report this incident to your administrator, and change your password immediately.

WebApp::API::Agent::TwoFactor::EmailSubject

Defines the subject text of the two-factor mails sent to agents, with a one-time token for completing the authentication challenge.

This setting can not be deactivated.

Default value:

New OTRS login request

WebApp::API::Agent::TwoFactor::SMSBody

Defines the text of the two-factor SMS sent to agents, with a one-time token for completing the authentication challenge.

This setting can not be deactivated.

Default value:

Your OTRS login code is: <OTRS_OTPTOKEN>

WebApp::API::Agent::TwoFactorSetup::EmailBody

Defines the body text of the two-factor setup mails sent to agents, with a one-time token for completing the authentication setup.

This setting can not be deactivated.

Default value:

Hi <OTRS_USERFIRSTNAME>,

You or someone impersonating you requested the two-factor setup for your OTRS account.

In order to complete the authentication setup, please use the following one-time code:

<OTRS_OTPTOKEN>

WebApp::API::Agent::TwoFactorSetup::EmailSubject

Defines the subject text of the two-factor setup mails sent to agents, with a one-time token for completing the authentication setup.

This setting can not be deactivated.

Default value:

New OTRS two-factor setup request

WebApp::API::Agent::TwoFactorSetup::SMSBody

Defines the text of the two-factor SMS sent to agents, with a one-time token for completing the authentication setup.

This setting can not be deactivated.

Default value:

Your OTRS two-factor setup code is: <OTRS_OTPTOKEN>

WebApp::API::Customer::TwoFactor::EmailBody

Defines the body text of the two-factor mails sent to customers, with a one-time token for completing the authentication challenge.

This setting can not be deactivated.

Default value:

Hi <OTRS_USERFIRSTNAME>,

You or someone impersonating you has tried to log in into OTRS using your password.

In order to complete the authentication challenge, please use the following one-time code:

<OTRS_OTPTOKEN>

Otherwise, click on the one-time login link below within the next 3 minutes:

<OTRS_CONFIG_HttpType>://<OTRS_CONFIG_FQDN><OTRS_CONFIG_Frontend::PrefixPath>/external/one-time-login?tokenBase64=<OTRS_AUTHTOKEN>

If you did not request a login, please report this incident to your administrator, and change your password immediately.

WebApp::API::Customer::TwoFactor::EmailSubject

Defines the subject text of the two-factor mails sent to customers, with a one-time token for completing the authentication challenge.

This setting can not be deactivated.

Default value:

New OTRS login request

WebApp::API::Customer::TwoFactor::SMSBody

Defines the text of the two-factor SMS sent to customers, with a one-time token for completing the authentication challenge.

This setting can not be deactivated.

Default value:

Your OTRS login code is: <OTRS_OTPTOKEN>

WebApp::API::Customer::TwoFactorSetup::EmailBody

Defines the body text of the two-factor setup mails sent to customers, with a one-time token for completing the authentication setup.

This setting can not be deactivated.

Default value:

Hi <OTRS_USERFIRSTNAME>,

You or someone impersonating you requested the two-factor setup for your OTRS account.

In order to complete the authentication setup, please use the following one-time code:

<OTRS_OTPTOKEN>

WebApp::API::Customer::TwoFactorSetup::EmailSubject

Defines the subject text of the two-factor setup mails sent to customers, with a one-time token for completing the authentication setup.

This setting can not be deactivated.

Default value:

New OTRS two-factor setup request

WebApp::API::Customer::TwoFactorSetup::SMSBody

Defines the text of the two-factor setup SMS sent to customers, with a one-time token for completing the authentication setup.

This setting can not be deactivated.

Default value:

Your OTRS two-factor setup code is: <OTRS_OTPTOKEN>
FacebookXEmailLinkedIn
Scroll to Top