About Two-Factor Authentication
In addition to the regular authentication with username and password, Managed Backup offers two-factor authentication (2FA) to strengthen the security of provider and administrator accounts and of most administrative actions in the Management Console.
You can download and use the MSP360 application as the 2FA gateway between the provider (or sub-administrators) and MSP360 Managed Backup.
The MSP360 application is available for the following platforms:
The previous 2FA solution with Google or Microsoft Authenticator is available as well, but it supports fewer features.
Two-Factor Authentication (2FA) adds a second layer of login security for the main administrator and sub-admin accounts.
The enhanced concept of 2FA with the MSP Control application is based on the following principles:
- For one account (provider or sub-administrator), only one device with the application installed can be used as the 2FA device
- Users can change the 2FA device only via the Management Console interface
- Notifications on system events and actions that require 2FA are sent to the device with the application installed
- Confirmation of 2FA actions is only possible on an unlocked device, even though push notifications can be visible on the locked screen
The MSP360 2FA application always displays the following artifacts in confirmation requests/notifications:
- Action (authentication/management)
- Username
- Device name
- Browser type or application name
- IP address
All 2FA events (confirmations, rejections, or authentication expiry) are logged in the Audit log containing all event parameters. Device registration is executed via a temporary one-time QR code. This code can never be used again.
The exchange of tokens is protected by AES-256 asymmetric encryption.
List of Actions Covered with 2FA Protection
Currently, the following actions in MSP360 Managed Backup are covered with 2FA protection:
- Logging into Management Console
- Changing password
- Enabling Two-Factor authentication
- Disabling Two-Factor authentication
- Reset 2FA recovery codes
- Deleting user
- Deleting a storage account
- RMM action
- RMM group action
How Enhanced Concept of MSP360 Applications Works
To enable 2FA using MSP360 applications, install the MSP Control mobile application for Android or MSP Admin (MSP Control) for iOS. MSP Admin requires iOS 15.7.1 or higher to support 2FA. If you already have an MSP360 application installed, it is recommended to remove it and install it anew.
Once the application is installed or updated, go to Settings > General and select the Enable Two-Factor Authentication check box. A temporary one-time QR code is generated; it contains encrypted user account data and a token for 2FA registration.
Open the application on your mobile phone and enter your Managed Backup account credentials to complete registration. You can also use the provided QR code for identification purposes. The mobile application uses the device camera to read and decrypt the QR code. This data, along with the tokens, is used to authorize the application and to register the device in the Management Console.
Then open the application settings. You will be prompted to enable push notifications. Click OK, then allow the app to send you notifications. Also allow the app to use the camera to scan QR codes, if this has not been done already.
You will receive a push notification to confirm enabling 2FA. After you confirm enabling 2FA, you might need to refresh the Management Console page to see the changes.
For emergency cases when the 2FA device is not available for some reason (stolen or broken), you are provided with 2FA recovery codes. Read more about these codes in the 2FA Recovery Codes chapter. It is recommended to save the recovery codes in a safe place (you can use the reset codes link if this has not been done already).
When an action that is covered with 2FA protection is executed in the Management Console, a push notification is sent to the registered 2FA device.
The details of a 2FA notification in the MSP Control application contain the following data:
- Action (authentication/management)
- Username
- Device name
- Browser type or application name
- IP address
When you confirm the action, the mobile application sends a confirmation to the Management Console, and the action is allowed to execute. If no confirmation arrives, a rejection message is sent to the Management Console and is written to the Audit Log.
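One way to review the 2FA events that the Audit log records (confirmations, rejections, expiries), as an added example that is not MSP360 code. The record layout, the usernames and the two review rules are assumptions made for illustration, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (time, user, action, result, ip). The layout is an
# assumption: this page does not show the Audit log export format.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "admin", "Logging into Management Console", "confirmed", "198.51.100.10"),
    ("2024-05-01T22:01:00", "admin", "Logging into Management Console", "rejected", "203.0.113.7"),
    ("2024-05-01T22:02:00", "admin", "Logging into Management Console", "expired", "203.0.113.7"),
    ("2024-05-01T22:03:00", "admin", "Logging into Management Console", "rejected", "203.0.113.7"),
    ("2024-05-01T22:04:00", "admin", "Logging into Management Console", "confirmed", "203.0.113.7"),
    ("2024-05-02T10:00:00", "tech", "Logging into Management Console", "rejected", "198.51.100.20"),
    ("2024-05-02T10:01:00", "tech", "Logging into Management Console", "confirmed", "198.51.100.20"),
    ("2024-05-02T15:30:00", "tech", "Deleting a storage account", "confirmed", "192.0.2.55"),
]

# Actions from the page's 2FA-protected list that weaken or destroy something.
SENSITIVE = {"Changing password", "Disabling Two-Factor authentication",
             "Reset 2FA recovery codes", "Deleting user", "Deleting a storage account"}

def review_2fa_events(events, window=timedelta(minutes=10), threshold=3):
    """Return (time, user, reason) tuples that deserve an analyst's look."""
    findings = []
    unanswered = defaultdict(list)  # user -> rejections/expiries since last confirmation
    known_ips = defaultdict(set)    # user -> IPs seen on earlier confirmations
    for time, user, action, result, ip in sorted(events):
        t = datetime.fromisoformat(time)
        if result in ("rejected", "expired"):
            unanswered[user].append(t)
            continue
        # Rule 1: a confirmation right after a run of rejected/expired requests.
        recent = [x for x in unanswered[user] if t - x <= window]
        if len(recent) >= threshold:
            findings.append((time, user, f"confirmed after {len(recent)} rejected/expired requests"))
        unanswered[user].clear()
        # Rule 2: a sensitive action confirmed from an IP not seen before for this user.
        if action in SENSITIVE and known_ips[user] and ip not in known_ips[user]:
            findings.append((time, user, f"'{action}' confirmed from new IP {ip}"))
        known_ips[user].add(ip)
    return findings

if __name__ == "__main__":
    for finding in review_2fa_events(SAMPLE_EVENTS):
        print(*finding, sep=" | ")
```

The window and threshold are starting values to tune against how often your own administrators reject or miss a request.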