2-Step Verification
How to set up and use 2SV as a standard user, and how to manage 2SV for your environment and other users as an Admin user
Introduction
ClientTrack allows standard users who are not using a separate Single Sign-On (SSO) provider to use 2-step verification (2SV), sometimes referred to as two-factor authentication (2FA) or multi-factor authentication (MFA), for increased security.
The feature is enabled by default for all environments and an Admin user can disable the feature for all users or require all users to use 2SV.
For a user to set up 2SV, ClientTrack generates a secret key which the user imports into their mobile authenticator app by scanning a QR code.
After configuring 2SV, ClientTrack will prompt the user for a verification code from the authenticator app upon sign-in with a new device, or after a configurable period with a remembered device. The user will need to open the authenticator app, which will display a code generated using the Time-Based One-Time Password algorithm (TOTP), and enter that code in ClientTrack. ClientTrack will verify the code, and the user will only be able to sign in if they have entered the correct code.
Requirements
- You must be using a standard ClientTrack account (user name and password), not Single Sign-On. SSO often uses its own 2FA.
- You must have a mobile device, such as a phone using Android or iOS, with an authenticator app installed.
Pairing to Your Device
ClientTrack’s 2-step verification works with commercially available (free) apps installed on your mobile device. You generate a QR code within ClientTrack, then scan it with the app in order to transfer a secret key. To sign in to ClientTrack, you’ll then need to enter the code that’s displayed in the app.
- On your mobile device, install an authenticator app such as Google Authenticator, Microsoft Authenticator, or Authy.
- In ClientTrack, open your User settings overlay and click Security Settings.
- Open the 2-Step Verification section and click Configure.
- Follow the instructions on the dialog that opens:
  - On your mobile device, open your authenticator app and add a new account.
  - Scan the QR code displayed.
  - Enter the verification code in ClientTrack and click Verify and Save.
Generating a New Key
If you get a new phone or suspect a security breach, you can generate a new key.
- In ClientTrack, open your user settings overlay and click Security Settings.
- Open the 2-Step Verification section and click Configure.
- Click Generate a New Key.
- Follow the instructions on the dialog that opens:
  - On your mobile device, open your authenticator app and add a new account.
  - Scan the QR code displayed.
  - Enter the verification code in ClientTrack and click Verify and Save.
- Note: Once you click Verify and Save, you'll only be able to use your new device.
Turning Off 2-Step Verification
Turning Off 2-Step Verification for Yourself (if allowed)
Note: You will not be able to turn off 2SV for yourself if the System Property for 2SV requires it for all users (see the Environment Configuration section below).
- In ClientTrack, open your user settings overlay and click Security Settings.
- Open the 2-Step Verification section and click Configure.
- Click Turn Off.
Turning Off Another User’s 2-Step Verification
Use this process if a user loses their device. This feature requires you to have Remove 2-Step Verification Admin Access. (If another user at your organization already has the permission, they can grant it to you; otherwise, you will need to contact support at Eccovia.)
- On the User Management form (320), locate the user that has 2-step verification enabled.
- In the action menu, choose Remove 2-step Verification.
- You’ll be prompted to enter your own 2-step verification code, if you’ve enabled 2-step verification, or your password, if you haven’t.
- Click the Turn off 2-step verification button to confirm.
Devices
When you enter the verification code during sign-in, you can also choose to remember your device, unless this option has been disabled by your administrator. You will need to allow cookies for ClientTrack in your browser.
Note that if you don't check the box, your device will still be remembered for five minutes. This allows the system to process login functions like password changes without requiring another 2SV code.
When viewing the security settings page, you can see the devices you’ve previously signed in on and you can delete a device to forget it and require a new verification code the next time you sign in on that device. You cannot forget your current device.
Environment Configuration
System administrators have some options for configuring 2-step verification in their environment. These are configured in the Authentication section of System Properties.
- Days to Remember Device: The number of days to remember a user's device when using 2-step verification. The default is 30. Use 0 to hide the “Remember this device” checkbox.
- Two-Step Verification: Allows you to turn off or require 2-step verification for all users.
  - If you turn it off, users who have already configured 2-step verification will not be prompted to enter their verification code during sign in. It will not remove the keys. If it's later turned back on, they'll be required to enter their code again.
  - If you require 2SV, ClientTrack users with a username and password will be required to configure 2SV after they sign in.