Last Updated: September 2020
Tethys allows you to enable or enforce the use of multi-factor authentication (MFA) through apps such as LastPass Authenticator or Google Authenticator. This capability is provided by Django MFA2. This tutorial will show you how to enable that functionality.
Several options in your portal_config.yaml file can be changed to customize the multi-factor authentication for your portal. See the Django MFA2 documentation for more information about the different options. These are the default settings:

    MFA_CONFIG:
      MFA_REQUIRED: false
      MFA_UNALLOWED_METHODS:
        - U2F
        - FIDO2
        - Email
        - Trusted_Devices
      MFA_RECHECK: true
      MFA_RECHECK_MIN: 10
      MFA_RECHECK_MAX: 30
      MFA_QUICKLOGIN: true
      TOKEN_ISSUER_NAME: 'Tethys Portal'

Multi-factor authentication is on by default but is not required. However, it can be required by setting
If you set up the Email option, users will be able to receive MFA codes through their email. Enabling this option for your multi-factor authentication requires some extra setup.
'Email' from the MFA_UNALLOWED_METHODS list in your portal config.
Set up emailing capabilities for your Tethys Portal. If you have a Gmail account you can use the free Gmail SMTP service as follows:

    EMAIL_CONFIG:
      EMAIL_BACKEND: django.core.mail.backends.smtp.EmailBackend
      EMAIL_HOST: smtp.gmail.com
      EMAIL_PORT: 587
      EMAIL_HOST_USER: email@example.com
      EMAIL_HOST_PASSWORD: super-secret-password
      EMAIL_USE_TLS: true
      DEFAULT_FROM_EMAIL: firstname.lastname@example.org
      EMAIL_FROM: 'My Name'

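The following check is an added example, not part of the Tethys documentation or of Django MFA2. It reviews the MFA_CONFIG and EMAIL_CONFIG settings described above before a portal goes live, assuming both sections have already been loaded from portal_config.yaml into dictionaries; the function name audit_mfa_config and the finding IDs are hypothetical.

```python
# Added example: lint a Tethys MFA_CONFIG mapping already parsed from portal_config.yaml.
# Setting names are the ones shown on this page; check IDs and messages are illustrative.

DEFAULT_MFA_CONFIG = {  # constructed sample: the default settings listed on this page
    "MFA_REQUIRED": False,
    "MFA_UNALLOWED_METHODS": ["U2F", "FIDO2", "Email", "Trusted_Devices"],
    "MFA_RECHECK": True,
    "MFA_RECHECK_MIN": 10,
    "MFA_RECHECK_MAX": 30,
    "MFA_QUICKLOGIN": True,
    "TOKEN_ISSUER_NAME": "Tethys Portal",
}


def audit_mfa_config(mfa, email=None):
    """Return a list of (check_id, message) findings for an MFA_CONFIG dict."""
    findings = []
    unallowed = set(mfa.get("MFA_UNALLOWED_METHODS") or [])

    if mfa.get("MFA_REQUIRED") is not True:
        findings.append(("mfa-optional", "MFA_REQUIRED is not true; enrollment is left to each user"))

    if "Email" not in unallowed:
        # Email codes need working SMTP, and the codes should not cross the wire in cleartext.
        email = email or {}
        if not email.get("EMAIL_HOST"):
            findings.append(("email-no-smtp", "Email method allowed but EMAIL_CONFIG has no EMAIL_HOST"))
        elif not (email.get("EMAIL_USE_TLS") or email.get("EMAIL_USE_SSL")):
            findings.append(("email-cleartext", "Email method allowed but SMTP is not using TLS/SSL"))

    if mfa.get("MFA_RECHECK"):
        lo, hi = mfa.get("MFA_RECHECK_MIN"), mfa.get("MFA_RECHECK_MAX")
        if not (isinstance(lo, int) and isinstance(hi, int) and 0 < lo <= hi):
            findings.append(("recheck-range", "MFA_RECHECK_MIN/MAX must be positive with MIN <= MAX"))

    return findings


if __name__ == "__main__":
    for check_id, message in audit_mfa_config(DEFAULT_MFA_CONFIG):
        print(f"[{check_id}] {message}")
```

Run against the defaults, the only finding is that MFA is optional; the Email checks apply only once 'Email' is no longer in MFA_UNALLOWED_METHODS.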
Follow these steps to enable multi-factor authentication on your account:
Log in to the Tethys Portal
Navigate to the settings for your account by selecting "User Settings" from the drop-down menu next to your username.
Press the Configure button next to the 2-Step Verification setting under the Credentials section.
Select the method you would like to enable from the Add Method menu.
The MFA methods table will show a list of all enabled MFA methods. Use the Add Method button to add a new method.
Follow the on-screen instructions and enter the code to verify your method.
Example of adding an authenticator app. Scan the QR code using an authenticator app on your phone such as Google Authenticator or LastPass Authenticator.
Example of adding an email method. You will need to have set your email address on your profile to receive the codes through emails.
If you choose the Email MFA option, you must also provide an email in your profile.
Log out and log back in to verify that you are prompted for the second factor.