Configure multi-factor authentication for local users (Enterprise)

Overview

Multi-factor authentication for local users increases the security of your CrashPlan environment by requiring users who authenticate directly with CrashPlan to provide additional verification before accessing the CrashPlan console and CrashPlan API.

For organizations integrated with an external authentication provider, this typically only applies to a very limited number of administrator accounts reserved for troubleshooting your authentication provider. However, if your organization only uses Local authentication, it applies to all users.

Before you begin

• Review any CrashPlan API integrations using credentials of users in organizations in which you plan to enable local multi-factor authentication. After enabling local multi-factor authentication for an organization, basic authentication (username and password) is not supported. Users in that organization must use token authentication and supply the Time-based One-Time Password (TOTP) to authenticate with the CrashPlan API.
• Review the organizational hierarchy of your CrashPlan environment. By default, child organizations inherit the local multi-factor authentication setting from their parent organization. To prevent this setting from affecting unintended users, you can either move the users you want to use local multi-factor authentication to an organization with no child organizations, or manually disable the setting in each child organization.

Considerations

• Local multi-factor authentication uses the Time-based One-Time Password (TOTP) algorithm and a 160-bit secret key for each user. The Google Authenticator mobile app is the tool we officially support and recommend, but other tools or apps that support the TOTP algorithm may also be compatible.
• You must have a role with Multi-Factor Auth Admin permissions or higher to configure this setting for an organization.

Affected users and components

• Users in organizations that only use local authentication
• Dedicated local users in organizations with an external authentication provider
• CrashPlan console access
• CrashPlan API authentication

Unaffected users and components

• Users in organizations that authenticate with an external authentication provider who are not specifically defined as a local user
• The CrashPlan app installed on user devices
• Any existing multi-factor authentication mechanisms managed by your external authentication provider

Enable or disable multi-factor authentication

1. Sign in to the CrashPlan console.
2. Select Administration > Environment > Organizations.
3. Select an organization.
4. From the action menu in the upper-right, select Edit.
5. Select the Security tab and go to the Local two-factor Authentication section.
6. If necessary, deselect Inherit setting from parent.
7. Select Enabled or Disabled.
   • Enabled: Requires affected users to configure multi-factor authentication (Google Authenticator is our recommended application). Users must then provide a one-time authentication code in addition to their CrashPlan username and password to access the CrashPlan console and CrashPlan API.
   • Disabled: Locally authenticated users are only required to provide their CrashPlan username and password to access the CrashPlan console and CrashPlan API.
8. (Optional) Click the lock icon to:
   • Apply the setting to all child organizations
   • Prevent child organizations from changing this setting
9. Click Save.