Two-Factor Authentication for CrashPlan

This article applies to all products.

Overview

Two-factor authentication for local users increases the security of your CrashPlan environment by requiring users who authenticate directly with CrashPlan to provide additional verification before accessing the CrashPlan console and CrashPlan API.

CrashPlan Enterprise and MSPs only: For organizations integrated with an external authentication provider, this typically only applies to a very limited number of administrator accounts reserved for troubleshooting your authentication provider. However, if your organization only uses Local authentication, it applies to all users.

Affected users and components

  • CrashPlan Essential, Professional, Small Business, and Enterprise or MSP users in organizations that only use local authentication
  • Dedicated CrashPlan Enterprise and MSPs local users in organizations with an external authentication provider
  • CrashPlan console access
  • CrashPlan API authentication

Unaffected users and components

  • CrashPlan Enterprise and MSPs users in organizations that authenticate with an external authentication provider who are not specifically defined as a local user
  • The CrashPlan app installed on user devices
  • Any existing two-factor authentication mechanisms managed by your external authentication provider

Enable or disable two-factor authentication

Click the title that corresponds to your product for detailed instructions.

CrashPlan Essential and Small Business

Two-factor authentication uses the Time-based One-Time Password (TOTP) algorithm and a 160-bit secret key for each user. We tested the applications listed below, but any TOTP application should work.

Mobile app authentication

To authenticate using a mobile app, use Google Authenticator.

Browser-based authentication

To authenticate using a web browser, use the Authenticator plugin.

Considerations

  • Two-factor authentication affects access to the CrashPlan console. It does not affect access to the CrashPlan app on user computers.  
  • To reset two-factor authentication for a user, you must sign in to the CrashPlan console as a CrashPlan for Small Business administrator. If you're not a CrashPlan for Small Business administrator, contact your organization's administrator. 

Steps

Users are required to set up their account the next time they sign in. Future sign-ins only prompt users to obtain the verification code from the Google Authenticator mobile app or Authenticator browser plugin.

 Sign out to complete setup

Two-factor authentication will not prompt to complete setup until the user is signed out and attempts to sign in again. To sign out of your account, click the user profile icon in the top-right corner of the screen and select Sign out from the dropdown menu.

  1. Upon signing in to the CrashPlan console, the Set Up Two-Factor Authentication message appears.
  2. Using your authenticator, scan the QR code provided (see sample below) or manually enter the displayed code in your authenticator.
  3. In the Enter 6-digit verification code field, enter the verification code displayed in your authenticator mobile app or authenticator browser plugin.
  4. Click Sign In.

[Image: 2FA setup page example]

Not seeing a QR code to scan?

Try using an incognito/private browser window or clear your browser cache data. If the problem persists, contact our technical support team.

Two-factor authentication FAQ

Can I turn off two-factor authentication?

Two-factor authentication cannot be disabled for any reason. If you need to reset your two-factor authentication, see Reset two-factor authentication for lost, stolen, or new devices.

I don't have a smart phone to use for two-factor authentication

Two-factor authentication can be set up on other mobile devices as well (such as an iPad). Those who do not have a suitable device or want to use an alternative method to authenticate can install a browser plugin to display the two-factor authentication code in their browser. We tested Authenticator.

Do I have to use Google Authenticator for two-factor authentication?

While we only test on Google Authenticator and the Authenticator browser plugin, any Time-based One-Time Password (TOTP) application should work.

Can I set up two-factor authentication on multiple devices?

Yes. To set up, scan the QR code or manually enter the code presented when first setting up two-factor authentication on all the devices you want to use for authentication. Multiple devices should not be used to allow multiple users to log into a single account.

CrashPlan Professional, Enterprise and MSPs

Before you begin

  • (Enterprise and MSP only) Review any CrashPlan API integrations using credentials of users in organizations in which you plan to enable local two-factor authentication. After enabling local two-factor authentication for an organization, basic authentication (username and password) is not supported. Users in that organization must use token authentication and supply the Time-based One-Time Password (TOTP) to authenticate with the CrashPlan API.
  • Review the organizational hierarchy of your CrashPlan environment. By default, child organizations inherit the local two-factor authentication setting from their parent organization. To prevent this setting from affecting unintended users, you can either move the users you want to use local two-factor authentication to an organization with no child organizations, or manually disable the setting in each child organization.

Considerations

  • Local two-factor authentication uses the Time-based One-Time Password (TOTP) algorithm and a 160-bit secret key for each user. The Google Authenticator mobile app is the tool we officially support and recommend, but other tools or apps that support the TOTP algorithm may also be compatible.
  • You must have a role with two-factor Auth Admin permissions or higher to configure this setting for an organization.

Steps

  1. Sign in to the CrashPlan console.
  2. Select Administration > Environment > Organizations.
  3. Select an organization.
  4. From the action menu (gear icon) in the upper-right, select Edit.
  5. Select the Security tab and go to the Local two-factor Authentication section.
  6. If necessary, deselect Inherit setting from parent.
  7. Select Enabled or Disabled.
    • Enabled: Requires affected users to configure two-factor authentication (Google Authenticator is our recommended application). Users must then provide a one-time authentication code in addition to their CrashPlan username and password to access the CrashPlan console and CrashPlan API.
    • Disabled: Locally authenticated users are only required to provide their CrashPlan username and password to access the CrashPlan console and CrashPlan API.
  8. (Optional) Click the lock icon to:
    • Apply the setting to all child organizations
    • Prevent child organizations from changing this setting
  9. Click Save.

[Image: Organization security local 2FA reference]

Local two-factor authentication for child organizations

If you want to use a different setting in a child organization, you must follow the steps above for all child organizations to ensure they use your preferred setting. If you plan to use the same setting in all child organizations, click the lock icon in the parent organization.

User sign in

After enabling Local two-factor Authentication for an organization, affected users are required to follow the steps below to set up their account the next time they sign in. (Future sign-ins only prompt users to obtain the verification code from their authenticator.)

  1. Upon signing in to the CrashPlan console, the Set up two-factor Authentication message appears.
  2. Using your authenticator, scan the QR code provided (see sample below).
  3. (Optional) If you plan to script automated API requests with this account and/or integrate with other TOTP applications, copy the code from this message and save it.
  4. In the Enter 6-digit verification code field, enter the verification code displayed in your authenticator.
  5. Click Sign In.

[Image: 2FA setup page example]
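Added example (not CrashPlan code): how an RFC 6238 authenticator turns the 160-bit setup key saved in step 3 into the 6-digit code, and why a device clock that has drifted across a time-step boundary produces a code the server rejects. The 30-second step, HMAC-SHA-1 and the ±1-step acceptance window are RFC defaults assumed here, not values stated on this page; `SAMPLE_KEY` is the constructed RFC 6238 test secret, not a real account key.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (RFC 6238 default; assumed, not stated on this page)
DIGITS = 6   # the sign-in page asks for a 6-digit verification code

# Constructed sample: the RFC 6238 test secret (20 bytes = 160 bits) in Base32.
SAMPLE_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_key(setup_key):
    """Decode a Base32 setup key, tolerating spaces, lowercase and missing padding."""
    cleaned = setup_key.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    secret = base64.b32decode(cleaned)
    if len(secret) != 20:
        raise ValueError("expected a 160-bit secret, got %d bits" % (len(secret) * 8))
    return secret


def totp(secret, now=None):
    """Code for the time step containing `now` (Unix seconds), using HMAC-SHA-1."""
    counter = int((time.time() if now is None else now) // STEP)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret, code, server_now, window=1):
    """Verifier-side check that tolerates `window` steps of clock drift (assumed)."""
    return any(
        hmac.compare_digest(totp(secret, server_now + i * STEP), code)
        for i in range(-window, window + 1)
    )


if __name__ == "__main__":
    key = decode_key(SAMPLE_KEY)
    # In a real script, load the saved key from a secrets store, never from source.
    print("current code:", totp(key), "valid for", STEP - int(time.time()) % STEP, "s")
    # A device clock 2 s slow across a step boundary already shows a different code.
    print(totp(key, 1111111109), "vs", totp(key, 1111111111))
```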

Invalid code error when setting up two-factor authentication

There are a few reasons that an "invalid code" error might occur:

If your login session expires before you complete setup, you'll be presented with a new code when signing in and the code you previously entered into your authenticator is no longer valid. To resolve:

  1. Remove the CrashPlan account previously added to your authenticator. Do not skip this step.
  2. Refresh the sign in page in your web browser and sign in again, if prompted.
  3. Scan the QR code or manually enter the code as a new account in your authenticator.
  4. Enter the verification code from your authenticator in the last step of the sign in screen.

If you have multiple two-factor authentication accounts set up in your authenticator, you might accidentally enter the code corresponding to a different account. Double-check the account associated with the code you are using and try again.

If your device times are not accurate, the authentication process may fail. Check your device time at https://time.is/. If the device time is off, ensure the time is set automatically:

Reset two-factor authentication for lost, stolen, or new devices

If you've been using two-factor authentication and then need to reset it because a device is lost, was stolen, or you have a new device, follow the instructions below. Resetting two-factor authentication for a user invalidates the secret used to generate the user's TOTP, and prompts the user to redo the initial configuration steps upon the next sign-in attempt.

Reset from the sign in page

  1. Go to the CrashPlan console.
  2. Enter your username or email address.
  3. Click Don't have your code?
  4. On the next screen, enter your username/email and password and click Reset Two-Factor Authentication.
    An email is sent to the email address associated with your user containing a one-time link to log in. After entering your username and password again, you'll be prompted to redo the initial configuration steps.


Reset from the web console (Administrators only)

  1. Sign in to the CrashPlan console.
  2. Select Administration > Environment > Users.
  3. Select a user.
  4. From the action menu in the upper-right, select Reset two-factor Authentication.
    This invalidates the secret used to generate this user's TOTP and prompts the user to redo the initial configuration steps upon the next sign-in attempt.

 
