Two Factor Authentication

Two factor authentication adds an extra level of security for your organization.  By confirming a user’s identity using a text message or an email, we can be sure your access is more secure than ever before, in keeping with industry trends.  Sportsman Web provides several options to make sure that your access is secure and to provide the flexibility to meet different needs within your organization.

***NOTE*** All of the steps below require Site or System Administrator access to Sportsman Web.  Before you proceed, make sure you have the proper permissions.

 

This document will cover:

✓  Two Factor Authentication Options

✓  Managing Device Authorizations

✓  Adding Exceptions

✓  Restricting Access by IP Address

✓  Modifying Allowed IP Addresses

 

Two Factor Authentication Options

Sportsman Web has two levels of two factor authentication, which can be selected by going to Settings -> Site Configuration -> Access tab.

 

 

1.   First time on new device (recommended)

The first and default option is to only require two factor authentication on new devices.  This means that if a user is logging in on a device they have not used to access Sportsman Web before, they will be required to do two factor authentication.  After that they will no longer be required to do two factor authentication on that device. However, a device will be forgotten as a known device after 2 weeks of Sportsman Web not being accessed on that device.  Once a device is forgotten it will be treated like a new device, and the user will need to complete two factor authentication the next time they use Sportsman Web on that device.

2.   Every time

This option will require users to do two factor authentication every time they access Sportsman Web.  This is the highest level of security though it can be cumbersome to do two factor authentication every time.

 

Managing Device Authorizations

There may be times when you want to see how a user is accessing Sportsman Web or remove an authorization on an unknown device.  To do this, click on the [Gear] button and navigate to Settings -> User Administration -> Edit the user you would like to see -> Authentication tab. Here you will see a list of devices the user has authenticated with two factor authentication.  You can remove just one device or all devices from the list on this screen.

***Note*** Keep in mind this only forces the user to redo their two-factor authentication on that device; it does not block access on that device in the future.  If you have a security breach, it is recommended to reset the user’s password as well as clear out all device authorizations.

 

 

Adding Exceptions

While this is not recommended for most users, as it allows users to get around two-factor authentication, there may be certain users or scenarios where you do not want to require two-factor authentication for Sportsman Web.  The most prominent example of this is a shared account for front desk staff or pool staff. You may have a user like poolstaff@peakrecreation.gov that all the pool staff use to log in. It may not be possible for them to use two-factor authentication as they do not have access to the email account. Fortunately, you can allow exceptions to two-factor authentication on a per-user basis.

 

To add an exception, do the following. Click on the [Gear] button and navigate to Settings -> User Administration -> Edit the user you would like to see -> Authentication tab. Check the box that says, ‘Do not require two factor authentication for this user’. Click [OK] to save your changes.

***NOTE*** If you allow a user to login without two-factor authentication it is HIGHLY recommended that you use IP restrictions as an added level of security (see next section for more details)!

 

Restricting Access by IP Address

Another added option for security in Sportsman Web is the ability to restrict access based on a user’s IP address. This can be used to make sure that certain users can only access Sportsman Web from a list of approved IP addresses. Since the devices on most networks share the same external facing IP address, this allows you to limit access to devices in the building. This should be used for shared logins like poolstaff@peakrecreation.gov mentioned above so Sportsman Web is not accessed from outside your center.

 

To restrict access by IP address, please do the following. Click on the [Gear] button and navigate to Settings -> User Administration -> Edit the user you would like to see -> Authentication tab. Check the box that says, ‘Restrict this user’s access based on their incoming IP address’. Then click [OK] to save your changes.

 

From here you can click on [Edit Allowed IP Addresses] to change what IP addresses your organization will allow Sportsman Web access from. 

You can also click the [Add Current IP] button which will add the IP address of the device you are currently using. This is helpful for adding a home or office IP when it is not known.

 

 

Modifying Allowed IP Addresses

If you choose to restrict user access by IP address, you will need to provide a list of whitelisted IP addresses that are allowed to access Sportsman Web. This list is a site-wide list that will apply to all users with the ‘Restrict this user’s access based on their incoming IP address’ option checked on their Sportsman account. You can access the whitelisted IPs from the user screen as shown in the section above or by navigating to Define -> System -> IP Whitelist. From here you can manage which IPs are allowed to access Sportsman Web.
Use the [Add Current IP] button to add your current device’s IP address to the list.

***Note*** Remember these restrictions will only be enforced for users with ‘Restrict this user’s access based on their incoming IP address’ checked on their profile.
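A small model of how the settings described in this document combine for a single login, added here as an illustration and not Sportsman Web's own code. The class, function and mode names are hypothetical, the order of the checks is an assumption, and the sample accounts and addresses are constructed (apart from the shared pool account used as an example above).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address

DEVICE_MEMORY = timedelta(weeks=2)  # page: device forgotten after 2 weeks unused

@dataclass
class User:
    name: str
    skip_2fa: bool = False     # 'Do not require two factor authentication for this user'
    restrict_ip: bool = False  # 'Restrict this user's access based on their incoming IP address'
    devices: dict = field(default_factory=dict)  # device id -> time of last access

def login_decision(user, device_id, source_ip, now, mode, allowed_ips):
    """Return 'deny', 'require_2fa' or 'allow'. mode: 'new_device' or 'every_time'
    (assumed names for the two site options; check order is also an assumption)."""
    # The site-wide list is enforced only for users with the restriction checked.
    if user.restrict_ip and ip_address(source_ip) not in allowed_ips:
        return "deny"
    if user.skip_2fa:
        return "allow"
    last_seen = user.devices.get(device_id)
    known = last_seen is not None and now - last_seen <= DEVICE_MEMORY
    if mode == "every_time" or not known:
        return "require_2fa"
    user.devices[device_id] = now  # each access restarts the two-week clock
    return "allow"

def complete_2fa(user, device_id, now):
    """Record the device as known once the emailed or texted code is confirmed."""
    user.devices[device_id] = now

def exempt_without_ip_restriction(users):
    """Accounts with a 2FA exception but no IP restriction (password-only from anywhere)."""
    return [u.name for u in users if u.skip_2fa and not u.restrict_ip]

def demo():
    # Constructed sample data; addresses are documentation ranges.
    allowed = {ip_address("203.0.113.10")}
    pool = User("poolstaff@peakrecreation.gov", skip_2fa=True, restrict_ip=True)
    desk = User("frontdesk@example.org", skip_2fa=True)  # constructed account
    now = datetime(2022, 2, 1, 9, 0)
    return {
        "pool_onsite": login_decision(pool, "tablet", "203.0.113.10", now, "new_device", allowed),
        "pool_offsite": login_decision(pool, "tablet", "198.51.100.7", now, "new_device", allowed),
        "needs_review": exempt_without_ip_restriction([pool, desk]),
    }

if __name__ == "__main__":
    print(demo())
```

The last function is the check worth running over your own user list: any account it returns has the two-factor exception without the IP restriction this document recommends pairing it with.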

 

 

SM:DS:A:Feb 22