When setting up IP restrictions, you may wish to consider 2 Factor Authentication (2FA) to give you more flexibility to work from multiple locations but still help to keep your portals secure.
By using 2FA alongside your restrictions, you can add an extra level of security for those times you need to access your database when away from the office, using Email, SMS or an App to help grant access.
2FA works by generating single-use codes and issuing them to a verified Email, SMS or App. When the user attempts to log in from outside the allowed IP range, they will receive a code which, when entered on the login screen, will grant them access to the portal. This helps to protect your system because only those with access to the verified email account, phone number or mobile app will be able to retrieve the code required to log in.
When to Activate / Override IP Restrictions
To implement 2FA, you first need to decide how & when it should apply, based on the following settings:
- Standard Eploy Login Inside IP Range - This will force 2FA to apply when logging in from inside any set IP range. If no range has been set, 2FA will always be forced.
- Allow Standard Eploy Login Outside IP Range with 2 Factor - If you have restrictions set up, ticking this option will allow users to access the system when outside of those restrictions (i.e. from a different IP location) but only via 2FA. If you don't want users to access the system at all from outside the set IP address, untick this option.
- Single Sign On Inside IP Range - This setting controls the use of 2FA when also using single sign on. If within the IP restriction, ticking this option will force the user to use 2FA.
- Allow Single Sign On Outside IP Range with 2 Factor - If using single sign on & the user attempts to access the system from outside the permitted IP, this option will allow them to do so but will force 2FA. If this is unticked, the user will not be able to access the system from outside the IP address, even via single sign on.
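The four settings above combine into a small decision table. The following Python model is an added illustration, not Eploy code: it returns the outcome (allow, require 2FA or deny) for each login type and location so a configuration can be reviewed before it is saved. All names, the sample IP addresses and the behaviour of single sign on when no range is set are assumptions.

```python
# Added illustration: a model of the four tick-boxes described above, not Eploy code.
# All names (Settings, decide, matrix, the sample values) are hypothetical.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Settings:
    standard_inside_2fa: bool    # "Standard Eploy Login Inside IP Range"
    standard_outside_2fa: bool   # "Allow Standard Eploy Login Outside IP Range with 2 Factor"
    sso_inside_2fa: bool         # "Single Sign On Inside IP Range"
    sso_outside_2fa: bool        # "Allow Single Sign On Outside IP Range with 2 Factor"

def decide(settings, allowed_ranges, client_ip, sso=False):
    """Return 'allow', 'require_2fa' or 'deny' for one login attempt."""
    inside_2fa = settings.sso_inside_2fa if sso else settings.standard_inside_2fa
    outside_2fa = settings.sso_outside_2fa if sso else settings.standard_outside_2fa
    if not allowed_ranges:
        # Page: with no range set, the standard "inside" option forces 2FA always.
        # Assumption: the single sign on "inside" option behaves the same way.
        return "require_2fa" if inside_2fa else "allow"
    addr = ip_address(client_ip)
    if any(addr in ip_network(r) for r in allowed_ranges):
        return "require_2fa" if inside_2fa else "allow"
    # Outside every allowed range: access is possible only via 2FA, if ticked.
    return "require_2fa" if outside_2fa else "deny"

def matrix(settings, allowed_ranges, inside_ip, outside_ip):
    """Outcome for each login type and location, for review before saving."""
    return {
        (kind, where): decide(settings, allowed_ranges, ip, sso=(kind == "sso"))
        for kind in ("standard", "sso")
        for where, ip in (("inside", inside_ip), ("outside", outside_ip))
    }

# Constructed sample values (documentation address blocks, not real offices).
OFFICE = ["203.0.113.0/24"]
SAMPLE = Settings(standard_inside_2fa=False, standard_outside_2fa=True,
                  sso_inside_2fa=False, sso_outside_2fa=False)

if __name__ == "__main__":
    for key, outcome in matrix(SAMPLE, OFFICE, "203.0.113.10", "198.51.100.7").items():
        print(key, outcome)
```

With the sample settings, single sign on from outside the office range is denied while a standard login from the same address is allowed with 2FA, which is the kind of difference worth confirming with users before saving.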
2 Factor Methods
When you are using 2FA, you can control which method is used to share the access code with the user attempting to log in. There are three options available, all of which need to be verified first:
- Allow Email - This will send the code by email to an approved email address for each user, so users will only be able to log in if they have access to that email account.
- Allow SMS - This will trigger a text message containing the single-use code to a verified phone number for the user. They will need their phone to retrieve the code and log in.
- Allow App - This means that the user can generate a code via an approved app, such as Google Authenticator.
If using either Allow Email or Allow SMS, you will need to set up a template to be used when the code is requested. You can do this within Admin > Contact Templates > Two Factor Authentication.
Once you have configured your settings and clicked save, they will apply immediately, so please communicate any changes to your users to ensure everyone has access as required.