Configure 2FA / OTP (Two Factor Authentication)

  • August 31, 2022

MillaZ
Nintex Employee
Product: Kryon RPA
Product Version: v19.2 and above
Components: Kryon Admin
Article Contributors: Darren Cheng
This article will explain how to configure 2FA (Two Factor Authentication) in Kryon User Management Tool. Requires Kryon RPA 19.2 or above.

Prerequisites: You must be using Kryon RPA v19.2 or above.
Steps:
  • Introduction
  • Enabling 2FA for All Users
  • Enabling 2FA for Selective Users

Introduction

Two factor authentication (2FA) is a common authentication mechanism used to increase system security by requiring users to authenticate not just with something they know (e.g. a password) but also something they possess (e.g. a device). Kryon RPA v19.2 and above supports 2FA for access to Console, Studio, Robots and the Kryon User Management Tool (KUMT).

Enabling 2FA for All Users

Note: 2FA cannot be enabled for users synchronized via User Federation (Kerberos Single Sign On). Only users using regular username/password authentication (i.e. those created via Kryon Admin) can take advantage of 2FA.

To enable 2FA for new users and existing users, follow these steps.

  • Log into KUMT using the "authadmin" account.
  • In the left menu click Authentication.
  • Click the Required Actions tab along the top.
  • For the "Configure OTP" line, ensure the checkbox is checked under the "Enabled" column.
  • Click the Flows tab along the top.
  • Select Browser from the dropdown.
  • Change the "OTP Form" requirement to Required.
  • Once this is done you will see "Success! Auth requirement updated" in a green dialog.
The next time any user tries to log in, they will be asked to set up 2FA in their authenticator app of choice (e.g. the Google Authenticator app) and enter the code it shows before they can log in. If they have already set up 2FA, they will only be asked to submit their code.

Enabling 2FA for Selective Users

It is commonly more useful to have selective 2FA because whilst you may need the extra security for Console, Studio and KUMT users, unattended robots should not be using 2FA to log into the Kryon platform, since they are by definition unattended and there is no human present to provide the code.

To accomplish the above, do the following:
  • Perform all the steps in the Enabling 2FA for All Users section above. However, instead of setting "OTP Form" to Required, set it to Optional.
  • Click on Users in the left sidebar.
  • Then, for each Studio, Console and KUMT user, do the following:
    • Edit the user by clicking Edit.
    • Under Required User Actions add a "Configure OTP" action.
    • Click Save.
  • The next time that user logs in, they will be asked to set up 2FA with their chosen authenticator app.
If you have any existing unattended robot users you wish to remove 2FA from, do the following:
  • Click on Users in the left sidebar.
  • Then, for each Unattended Robot user, do the following:
    • Edit the user by clicking Edit.
    • Click the Credentials tab.
    • Under Disable Credentials > Disableable Types, select the OTP type.
    • Click Save.

Unattended robots will now not be asked for a 2FA code when signing in.

Explanation

By setting "OTP Form" to Optional we are configuring the login screen to ask for a 2FA code only if it has already been configured by the user. If 2FA has not been configured, the login screen will permit the user to authenticate using username and password only.
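
With "OTP Form" set to Optional, an interactive user who was never given the "Configure OTP" action still logs in with a password alone, and a robot that has OTP active will be prompted for a code. The following is an added example, not part of the original article or of Kryon's tooling: a Python check that audits a user inventory for both cases. The `User` record, its field names, the role labels and the finding names are assumptions, and the sample users are constructed.

```python
from dataclasses import dataclass, field

INTERACTIVE_ROLES = {"studio", "console", "kumt"}  # user types named in the article

@dataclass
class User:                        # hypothetical inventory record
    name: str
    role: str                      # "studio", "console", "kumt" or "robot"
    federated: bool = False        # synchronized via User Federation
    otp_configured: bool = False   # has already enrolled an authenticator
    otp_disabled: bool = False     # OTP selected under Disableable Types
    required_actions: set = field(default_factory=set)

def classify(user: User) -> str:
    """Classify one user under "OTP Form" = Optional."""
    pending = "Configure OTP" in user.required_actions
    otp_active = user.otp_configured and not user.otp_disabled
    if user.federated:
        return "federated-no-2fa"          # 2FA cannot be enabled for these users
    if user.role == "robot":
        # A robot that would be prompted cannot log in unattended.
        return "robot-blocked" if (otp_active or pending) else "ok"
    if user.role in INTERACTIVE_ROLES:
        if otp_active:
            return "ok"                    # asked for a code at login
        if pending:
            return "enrollment-pending"    # asked to set up 2FA at next login
        return "password-only"             # Optional lets this user skip 2FA
    return "unknown-role"

def audit(users):
    """Return {name: finding} for every user that is not 'ok'."""
    return {u.name: f for u in users if (f := classify(u)) != "ok"}

# Constructed sample inventory (not real accounts).
SAMPLE = [
    User("alice", "studio", otp_configured=True),
    User("bob", "console"),
    User("carol", "kumt", required_actions={"Configure OTP"}),
    User("dave", "console", federated=True),
    User("robot01", "robot", otp_configured=True, otp_disabled=True),
    User("robot02", "robot", otp_configured=True),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(f"{name}: {finding}")
```
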
More Information: None.