Two Factor Authentication

Updated 1 month ago by Michael Cretzman

Two Factor Authentication (2FA) can be managed in two ways:

  • Individual user: You can set up 2FA for your own User Profile without impacting other user accounts.
  • All account users: If you have Manage Account permissions, you can enforce 2FA for all users in Harness. First, you set up 2FA for your own account, and then you can enforce 2FA account-wide in the Harness account's Login Settings.

If 2FA is disabled at the account level, you can still enable 2FA for your user account. If 2FA is enabled account-wide, you cannot turn it off for your user account.

When you enforce 2FA, users receive an email with a QRCode that they scan using their smartphone and a token generator app. The next time they log in with their username and password, they are prompted to use 2FA to complete the login.

When 2FA is turned off by an administrator (with Manage Account permissions), users can decide if they want to turn off 2FA for their account in their User Profile.

Requirements

In order for a user to enforce account-wide 2FA, their user account must belong to a group with the Manage Account permission enabled.

For more information, see Users and Permissions.

Intended Audience

  • DevOps

Before You Begin

To Set Up 2FA for Your Profile

The following procedure enables 2FA for a single user account. This option is available to any user.

To enable 2FA for a single account, do the following:

  1. Mouseover your User Profile icon, and then click User Profile. The User Profile page appears.
  2. Toggle the Two Factor Authentication indicator. The Two Factor Authentication dialog appears.
  3. Using your smartphone's 2FA token generator app, such as Google Authenticator, scan the QRCode and add it to the list in your app.
    Harness Inc is added to your 2FA token generator app, and begins to provide authentication codes.
    2FA token generator apps also include a method for adding a site using a Secret Key, in cases where you cannot scan the QRCode. The 2FA dialog includes a Secret Key for those cases.
  4. Click SUBMIT. The next time you log in by entering your username and password, you are prompted to provide the 2FA authentication code.
  5. Obtain the code from your 2FA token generator app, and enter it. You are then logged into your Harness account.
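The following added example (not Harness code) shows why the QRCode and the Secret Key in step 3 are interchangeable: both carry the same seed, and anyone who holds it can produce valid codes. It assumes the QRCode encodes a Google Authenticator style `otpauth://` key URI and that codes follow RFC 6238 with the app defaults (HMAC-SHA1, 6 digits, 30-second steps); the page does not state Harness's actual parameters, and the sample URI and account name are constructed.

```python
import base64, hashlib, hmac, struct
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a 2FA QR code carries. The secret is the
# RFC 6238 test key "12345678901234567890" in Base32, not a real account seed.
SAMPLE_URI = (
    "otpauth://totp/Harness%20Inc:user@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Harness%20Inc"
)

def parse_otpauth(uri):
    """Split an otpauth:// key URI into the fields an authenticator app stores."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer", ""),
        "secret": q["secret"],  # same value shown as the manual-entry Secret Key
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }

def b32_key(secret):
    """Decode a Base32 secret as typed by hand: spaces, lower case, no padding."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def totp(secret, unix_time, digits=6, period=30):
    """RFC 6238 TOTP using HMAC-SHA1 and RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", int(unix_time) // period)
    mac = hmac.new(b32_key(secret), counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret, code, unix_time, window=1, period=30):
    """Server-side check: accept adjacent time steps to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + i * period, period=period), code)
        for i in range(-window, window + 1)
    )

if __name__ == "__main__":
    fields = parse_otpauth(SAMPLE_URI)
    print(fields["issuer"], totp(fields["secret"], 59))
```

Because the seed alone is enough to generate codes, an emailed QRCode or Secret Key should be handled like a password.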

Enforce 2FA Account-Wide

Once you have set up 2FA for your account, you can enforce it for all users and groups in the account. When 2FA is enforced, account users will experience the following changes:

  • New members will need to set up 2FA during signup.
  • Existing members who do not have 2FA enabled will receive an email with a QRCode, and instructions on how to set up 2FA.

To require that all account users and groups use 2FA, do the following:

  1. Enable 2FA for your account as described in To Set Up 2FA for Your Profile.
  2. Mouseover Continuous Security, and click Access Management.
  3. Click Login Settings. The Login Settings and Enforce Two Factor Authentication setting are displayed.
  4. Toggle the Enforce Two Factor Authentication setting to on. You are prompted to confirm.
  5. Click Confirm. 2FA is enforced.

Resetting 2FA

If a user loses the QRCode, you can email them a new 2FA QRCode and secret key by clicking the Email New 2FA Secret Key link in the User account dialog.

