Settings & Operation

Usage and best practice

How do I use this?

Very simply: I made an easy-to-follow video covering all the basics, which you should definitely watch first.

How do I let users set Two-Step Authorization on their account?

There are 4 ways of letting users set the system:

  1. For admins with dashboard access: they can edit their profile and set TSA from there (watch this video from 2:47)
  2. For users with no access to the dashboard: you can give them access to their private member's page and they can set TSA from there (watch this video from 8:19)
  3. You can install the block Two-Factor Authentication found under Kalmoya Security. That block can go on any page and allows users to set up their TSA easily
  4. As the TSA setting screen is really a user attribute, you can make it available to users during registration

What is that Emergency Password stuff about?

Emergency passwords are a safety device against unpredictable circumstances. They are also a security hazard. If this is clear as mud, please watch this video that will explain everything there is to know about Emergency passwords.

What's the Relax Mode for?

Google Authenticator provides you with codes that have a limited lifespan of about 1 minute. The timer for each code lasts 30 seconds, and once the timer has run all the way down and the code changes, you still have about 30 seconds to use the previous code. After that, it is no longer valid.

With the Relax Mode, that extra time is increased from 30 seconds to 2 minutes, so you get a total of 2 minutes and 30 seconds to use a code. That's for cases where you really do need all that time to enter your code.

When should I rescan the QR code with my phone?

If you modify the Description and/or the Secret Key, you must rescan the new QR code. Those are the two elements Google Authenticator uses to generate your codes.

Troubleshooting and recovery strategies

I am sure I'm doing everything right but I keep getting an error message saying my Google Authenticator Code is not valid or has expired. What gives?

It can happen sometimes if your Google Authenticator app (on your phone) is not correctly time-synchronized. Fixing this issue is extremely easy.

  1. Make sure your phone is connected to the Internet
  2. Open your Google Authenticator app
  3. Open the app's Settings screen (the 3 little dots at the top give access to the app's menu where you can find the settings)
  4. In the settings select Time correction for codes
  5. In the new screen select Sync now
  6. The Sync process is almost instant. You can now try to log into your website again.

If that didn't work, you are probably NOT doing everything right. Look at the next item: I'm totally locked out of my account, what do I do?
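As an added example that is not part of this add-on's code, here is a small RFC 6238 TOTP verifier showing why a phone whose clock is out of sync produces "invalid or expired" codes, and what the Relax Mode setting described above changes. It assumes the add-on checks codes the way Google Authenticator generates them (HMAC-SHA1, 30-second steps, 6 digits) and that Relax Mode simply widens the look-back window; the secret is a constructed test key.

```python
# Added example (not the add-on's own code): a minimal RFC 6238 TOTP verifier
# showing how the grace window (normal vs Relax Mode) and phone clock skew
# decide whether a Google Authenticator code is accepted.
import base64
import hashlib
import hmac
import struct

STEP = 30    # Google Authenticator rotates the code every 30 seconds
DIGITS = 6
# Constructed test secret (the RFC 6238 reference key "12345678901234567890").
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_code(secret_b32: str, unix_time: int) -> str:
    """TOTP (HMAC-SHA1, 6 digits) for a base32 secret at the given Unix time."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, submitted: str, server_time: int, grace: int = 30) -> bool:
    """Accept the current code, or an older one that expired less than `grace`
    seconds ago: grace=30 is the normal behaviour described above, grace=120
    is Relax Mode (assumed to be implemented as a wider look-back).
    Only past codes are accepted; a code from a future step is rejected."""
    steps_back = grace // STEP
    for n in range(steps_back + 1):
        candidate = totp_code(secret_b32, server_time - n * STEP)
        if hmac.compare_digest(candidate, submitted):   # constant-time compare
            return True
    return False


def phone_login(secret_b32: str, server_time: int, phone_skew: int, grace: int = 30) -> bool:
    """Simulate a phone whose clock is `phone_skew` seconds off: it derives the
    code from its own time, while the server checks against the true time."""
    return verify(secret_b32, totp_code(secret_b32, server_time + phone_skew),
                  server_time, grace)


if __name__ == "__main__":
    now = 1_000_000_000                      # constructed server time
    print("phone 20 s slow, normal mode: ", phone_login(SECRET, now, -20))
    print("phone 3 min slow, normal mode:", phone_login(SECRET, now, -180))
    print("phone 3 min slow, relax mode: ", phone_login(SECRET, now, -180, 120))
    print("phone re-synced (no skew):    ", phone_login(SECRET, now, 0))
```

A phone that is minutes behind fails in both modes, which is why the Sync now step above fixes it while Relax Mode does not; widening the window also keeps an already-used code valid for longer, so Relax Mode is a convenience trade-off rather than a fix for clock problems.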

I'm totally locked out of my account, what do I do?

Please note: there is nothing I can do to help if you have lost your normal account credentials (username or email and password). That is a situation that has nothing to do with this add-on.

If you are locked out of your account you have 2 options, each with its own pros and cons.

  • First solution (preferred): ask someone with Administrator rights to access your member profile and disable Two-Factor Authentication. This will give you immediate access to your account using your normal account credentials (username or email and password). It will only affect your own login and nobody else's.
  • Second solution (be careful): you can manually remove the Two-Factor Authentication system and go back to the normal login system. To do so, you will need access to the files on your server.
    1. Go to the root of your website
    2. From there go to application\authentication
    3. There you will find a directory labeled concrete
    4. Delete this directory

    SUPER IMPORTANT: if your cache is set to cache overrides, you will need to manually empty your cache. Otherwise, trying to log in will throw an error every time. To manually empty the cache, on your server, go to your application\files\cache directory and delete everything. Then you can log in normally and re-activate Two-Factor Authentication.

    Be aware that by doing so you are disabling Two-Factor Authentication for everybody across the whole website. As soon as you have regained access to your account, I strongly suggest you go to the Settings page and re-enable Two-Factor Authentication. If you do so, other users will not need to do anything, as their Two-Factor Authentication settings will still be valid.