Omnilert offers optional Two-Factor Authentication (2FA) for administrator logins. Two-Factor Authentication adds a layer of security to your administrator login process by requiring the admin to have their mobile device handy when logging in.
When 2FA is enabled on an administrator's account, each login requires the admin to receive and enter a 6-digit Authorization Code to gain access to the Omnilert Admin portal. If too many failed logins are attempted, the admin is locked out.
The settings for 2FA are configured on the Settings >> System >> Security tab of the Admin portal.
Note: Not all admins can access this setup function. By default, only the designated Account Admin for your Omnilert account can enable/disable and configure 2FA for your account.
The available configuration settings on this page are:
- Enable 2nd-factor authentication (2FA) for the account: This toggles the option for administrators to enable/disable 2FA for their admin login accounts. If checked, then your admins will have the option to configure and use 2FA.
- Failed login attempts allowed: Determines how many failed login attempts will trigger the admin to be "locked out". You can allow up to 10 tries before an admin's account is locked out for failed login attempts.
- Login retry time allowed: Determines how much time must pass between failed attempts before Omnilert's count of bad attempts resets itself.
- Lockout time for failed login attempts: Determines how long an admin will be locked out after too many failed attempts to log in. (If set to "Admin unlock required", then the admin will remain locked out until the Account Admin unlocks their account for them!)
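To see how the three lockout settings interact, here is a small model of the policy. It is an added example, not Omnilert's code: the class, field and method names are hypothetical, and it assumes that the attempt which reaches the configured limit is the one that triggers the lockout and that a successful login clears the count.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:  # hypothetical names mirroring the three settings above
    max_failed_attempts: int      # "Failed login attempts allowed" (page: at most 10)
    retry_window_s: int           # "Login retry time allowed", in seconds
    lockout_s: Optional[int]      # "Lockout time"; None models "Admin unlock required"

    def __post_init__(self):
        if not 1 <= self.max_failed_attempts <= 10:
            raise ValueError("failed attempts allowed must be 1..10")

class AdminLoginState:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.failures = 0
        self.last_failure = None
        self.locked_at = None

    def is_locked(self, now: float) -> bool:
        if self.locked_at is None:
            return False
        if self.policy.lockout_s is None:
            return True                      # permanent until unlock() is called
        if now - self.locked_at >= self.policy.lockout_s:
            self.unlock()                    # timed lockout has expired
            return False
        return True

    def unlock(self) -> None:                # Account Admin unlock, or expiry
        self.locked_at, self.failures = None, 0

    def submit_code(self, now: float, code_ok: bool) -> str:
        """Return 'locked', 'ok' or 'failed' for one 2FA code entry at time `now`."""
        if self.is_locked(now):
            return "locked"                  # a correct code is refused too
        if code_ok:
            self.failures = 0
            return "ok"
        # A gap longer than the retry window resets the count of bad attempts.
        if self.last_failure is not None and now - self.last_failure > self.policy.retry_window_s:
            self.failures = 0
        self.last_failure = now
        self.failures += 1
        if self.failures >= self.policy.max_failed_attempts:
            self.locked_at = now
            return "locked"
        return "failed"
```

A long retry time combined with a low attempt limit locks out slow, spaced-out guessing as well as rapid bursts, while "Admin unlock required" trades convenience for a lockout that never expires on its own.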
Why lock out admins for failed attempts?
The lockout process is in place to prevent "brute force" login hacking of your admin accounts, where bots will try repeated combinations of access codes to attempt to breach an account.
What happens when an admin is "Locked-Out" for failed attempts?
If an admin enters an incorrect 2FA authorization code (or a bad recovery code), they are warned that they've made an incorrect attempt and what will happen if they enter too many incorrect codes.
If the admin continues and fails to log in properly, they will be "locked-out".
A locked-out admin cannot log into the admin portal at all until their lockout period expires. They will be sent an email by Omnilert to confirm that their account has been locked out due to excessive failed login attempts.
The admin may simply need to wait for the lockout to expire and then try again. If your account is set for a permanent lockout, they will need to contact your local Account Admin to have their account unlocked.
How to determine if your admins have enabled Two-Factor Authentication (2FA)
Omnilert does not force admins to configure Two-Factor Authentication. Rather, it is up to each institution to enforce its policies for its employees. Omnilert offers the tool; it's up to each admin to follow your internal rules and guidelines. (We recommend that admins use 2FA unless they cannot receive a code and you are enforcing strict password policies to add proper security.)
To determine which admins have configured and are using 2FA for their own login, you can view the "2FA" column in the Admins >> Active list.
Additional notes about Two-Factor Authentication (2FA)
- Naturally, adding 2FA will slow the login process for the Omnilert system. Please keep this in mind and allow extra time when logging in to receive the SMS code and log into the system.
- Store your "Recovery Codes" within reach. We recommend printing them and keeping them in a safe place, such as your wallet. Store the codes separately from your password and username for added security.
- Don't get locked out! You may be forced to wait until your lockout time expires or contact a local admin to unlock your account before you can log in!
- 2FA is not used for the Scenarios app. Two-Factor Authentication is not used for logins to the Scenarios App for iOS or Android at this time. Please keep this in mind when assigning Scenarios or giving out the "Account Key" to allow admins to use the app to launch scenarios.
- Set your local policy. It is the individual admin's responsibility to maintain their account's security. While you can see which admins have or have not enabled 2FA, Omnilert does not force admins to use this feature.
- Enabling 2FA can limit your telephone support options. Please note that enabling Two-Factor Authentication (2FA) may prevent Omnilert's support team from being able to log in on your behalf. Omnilert support technicians will not be able to receive your authentication code, so any attempt to call in and initiate an alert via Omnilert's live phone support will require you (the caller) to relay an authentication code or have a valid recovery code in addition to your admin username and password.