¶ Introduction
Two-factor authentication (2FA) is a more secure way of logging in. The identity of you as a user is determined by means of two factors. You open the digital lock with not one, but two keys, as it were. This means that in addition to entering a username and password, you need a second factor (way).
As of version 2023.11, we offer 2-factor authentication in JOIN Case & Document for users who use the local authentication of JOIN Case & Document. For users who log in via an external authentication method, this has been possible for some time (by activating the 2 factor in the AD login).
The module consists of 2 parts:
- local users (not AD) can log in extra securely via a mail token
- the administrator is used by AD users via a secure AD login
¶ 2 factor JOIN Case & Document
To activate 2 factor for local users in JOIN Case & Document, you must first have a valid license for the module “native 2 factor authentication”. An exception to this is the ADMINISTRATOR account:
- in cloud environments, the ADMINISTRATOR account is only available for use by a Decos employee. We apply the following security measures to this account:
- the administrator always logs in with his own Decos account (via the Decos domain). 2-factor always applies to this
- All actions that a Decos employee performs in the customer environment are recorded in the audit of JOIN Case & Document. The Administrator account in cloud environments can therefore no longer be used anonymously from version 2023.11
¶ JOIN Admin
In JOIN Admin, you will find the option to activate 2-factor authentication in the “Configuration” section.
Once you have activated it, you can activate the 2-factor function per user (who uses the option “use local password authentication”). You can do this by activating a checkmark next to the option “One-time login code required when logging in”.
Please note that you only activate this function when your JOIN environment can send e-mails & when the user has entered a correct e-mail address. If this is not the case, the user will not be able to log in (anymore) because the 2-factor code will not be received.
For the administrator (superadmin) it is possible to make the login extra secure. In this scenario, the user is redirected to the AD login after login. This ensures that the user using the administrator account does so by means of a secure AD login & that the user’s actions are always logged in the audit. It also gives you control over which users are allowed to use the administrator account.
for this feature, it is important that your JZD environment can connect to Decos IDP (oauth.decos.nl)
If you would like to make use of the above, please contact your account manager.
¶ JOIN Applications
When 2-factor is activated by the user, the user will always have to enter a code that the user has received by e-mail after logging in with username and password.
If the code is incorrect, it is possible to resend the code. The code has a validity of 5 minutes. After that, a new code must always be requested.
When using 2-factor login, we always show the email address of the user who is logged in with 2-factor in the audit screens of JOIN. This will also show you that the user is logged in via this email address.
