Managing two-factor authentication for a resource
SECURITY Security level with Admin permission to configure Resources/Users (HR). Refer to Admin security settings.
NAVIGATION > Admin > Organization Settings & Users > Resources/Users (HR) > Resources/Users (HR) > Resources/Users > Edit Resource > Security tab
Overview
To increase Autotask access security, all Autotask customers have to implement either single sign-on (SSO) or two-factor authentication (2FA). Users must supply the token when logging into the Autotask desktop application, LiveMobile, and Outlook, if the Outlook extension is configured.
2FA is:
- not available for the API User license type
- available but not required for the Dashboard User license type
- required for all other license types unless Single Sign-on has been implemented
- the only option for the Co-managed Help Desk license type, since an MSP's SSO will never be extended to them
All users will be prompted to set up 2FA when they complete their account setup during the first login. Refer to Creating a password and enabling two-factor authentication (2FA).
NOTE For information about Single Sign-on, refer to Configuring single sign-on using the OpenID Connect standard.
Two-factor authentication options
You have two options for two-factor authentication, AuthAnvil and an authentication code.
- AuthAnvil is only available to legacy customers already using this 2FA option. AuthAnvil uses a resource-specific PIN code along with a unique one-time pass code. Pass codes are generated by personal handheld devices enabled for AuthAnvil SoftToken technology or by an authentication token. For details on setting up and using AuthAnvil 2FA with Autotask, refer to AuthAnvil two-factor authentication.
- Using an authentication code (for example, Google Authenticator, Microsoft Authenticator) is available to all customers, and is the only option for customers not already using AuthAnvil. The authentication code is generated by an app you install on your mobile device. For details on setting up and using an authentication code and Google Authenticator with Autotask, refer to Configuring a 2FA app.
Managing two-factor authentication
Two-factor authentication is now mandatory for all customers who are not using single sign-on. All resources are automatically enabled, and you cannot disable 2FA for anyone. You can, however, pause it.
To pause the 2FA requirement, do the following:
- Go to Admin > Organization Settings & Users > Resources/Users (HR) > Resources/Users (HR) > Resources/Users and edit the resource record. To edit a co-managing user, go to Admin > Features & Settings > Co-managed Help Desk > Co-managing Users.
- Click the Security tab.
- In the Two-Factor Authentication box, select the second or third radio button.
Option | Description |
---|---|
Required for all logins (internal resources only) | Selected by default. The authentication requirement takes effect immediately. |
Not required for next login | Suspends the display of the two-factor authentication page for the next login to either Autotask, Autotask LiveMobile, or Outlook. The authentication code is not required for that login, but will be required again for all subsequent logins. |
Not required for 24 hours | Suspends the display of the two-factor authentication page for all logins to Autotask, Autotask LiveMobile, and Outlook for 24 hours. When this option is selected, the date and time when the suspension expires appear below the option. A Reset link allows you to extend the suspension for an additional 24 hours. The authentication code is not required until after the expiration date and time indicated, but will be required again for all logins after that date and time. |
The user can now log into Autotask without having to enter the token, and change their authentication code options.
If you are the only administrator at your local organization and you lose your device, nobody else at your local organization can log in and pause 2FA for you. You must contact Kaseya Helpdesk and request an authentication code. Prerequisites for this process are that you have verified your email address, and are prepared to identify yourself by showing us your driver's license over a Zoom call.
We will then email you an authentication code that will be valid for 3 minutes.
If your email address is not verified, Datto will have to disable 2FA, but please be aware of the following:
- Datto Customer Support does not have permission to disable 2FA for any user. This will be handled by a database administrator, following a strict security protocol to first establish your identity.
- For security reasons, we need to verify your identity and eligibility to access your Autotask instance, to protect the customer from data breaches through unauthorized access.
- We require written consent of your local organization's Autotask Champion from the Champion's email address.
- We treat all requests of this nature with the utmost urgency and understand that, for any organization, an issue of this nature can bring business to a complete stop. But please understand that this will not be an instantaneous process.
For this reason, it is vital that you verify your email address and consider one of the following backup methods:
- A second administrator at your local organization
- Backup codes from your 2FA application