Set up two-factor authentication
Use two-factor authentication (2FA) to enhance account security by adding a second verification factor that confirms the user identity on various actions in Creatio, most importantly login. 2FA is available for both internal users and company employees. The audit log records all actions related to 2FA. Learn more: View and archive the audit log.
Creatio supports the following 2FA options:
- Integration with external identity providers via SAML 2.0 protocol. If you store users and their passwords outside of Creatio, you can integrate external identity providers via SAML 2.0 protocol to get a wide range of 2FA capabilities. For example, integrations with Azure AD, Okta, OneLogin.
- 2FA functionality in Creatio. If you store users and passwords in Creatio and use the basic authentication mechanism via login and password, you can use the 2FA functionality available natively in Creatio. With native 2FA, integrations work only via OAuth; the Forms authentication method is not available.
The native 2FA functionality provides the following options:
- Authenticate via email, SMS, or mobile app (TOTP).
- Use multiple 2FA options as part of the authentication process.
- Use 2FA to confirm changing the password on the user profile page.
- Use 2FA to confirm administrator actions, such as disabling 2FA for administrators or changing administrator login, password, phone, or email.
- Recover the password using 2FA.
- Disconnect the authenticator app, for example, when changing or losing a device.
Set up 2FA
Set up 2FA via email
This authentication method sends the verification code to the email address specified in the Email field of the system user, or to the login email if you use it. Before you set up this method, make sure every user has an email address specified and that you have configured a mailbox from which to send the emails. Learn more: Set up a personal mailbox.
To set up 2FA via email:
Activate the email 2FA method
- Click to open the System Designer.
- Go to the System setup block → Lookups.
- Open the 2FA methods lookup.
- Click the Email row → select the checkbox in the Enabled column.
- Select the checkbox in the Primary column if you want email to be the main 2FA method.
- Click .
Specify the mailbox from which to send verification emails
- Click to open the System Designer.
- Go to the System setup block → System settings.
- Open the “Mailbox for sending emails that contain 2FA verification code” (“2FA mailbox” code) system setting.
- Select the needed mailbox in the Default value field.
- Save the changes.
Activate 2FA
- Click to open the System Designer.
- Go to the System setup block → System settings.
- Open the “Enable 2FA” (“Enable2FA” code) system setting.
- Select the Default value checkbox.
- Save the changes.
At this point, the users can already use 2FA. Proceed further to customize additional aspects of the functionality.
Specify the user groups to activate 2FA (optional)
- Click to open the System Designer.
- Go to the Users and administration block → Operation permissions.
- Open the “Can use 2FA” (“CanUse2FA” code) system operation.
- Specify the user groups to activate 2FA in the Operation permission detail. Learn more: System operation permissions.
Set for how long the verification code remains active (optional)
- Click to open the System Designer.
- Go to the System setup block → System settings.
- Open the “2FA confirmation code lifetime (seconds)” (“SecondFactorCodeTTL” code) system setting.
- Specify, in seconds, how long the verification code remains active in the Default value field.
- Save the changes.
Specify how many attempts to verify the second factor the user has before they are locked out or deactivated (optional)
- Click to open the System Designer.
- Go to the System setup block → System settings.
- Open the “The number of attempts to verify the second factor” (“SecondFactorAttemptCount” code) system setting.
- Specify how many attempts to verify the second factor the user has before they are locked out or deactivated in the Default value field. The exact penalty depends on the value of the “User locking time” (“UserLockoutDuration” code) system setting.
- Save the changes.
Customize the 2FA email (optional)
- Open the Studio workplace → Message templates.
- Open and edit the “2FA verification code” template to customize the 2FA email. Learn more: Work with message templates.
Set up 2FA via SMS
This authentication method sends the verification code via SMS to the phone number specified in the Phone field of the system user. The method requires an additional integration with a cell connection (SMS) provider. Before you set up this method, make sure every user has a phone number specified and that you have integrated the cell connection provider.
To set up 2FA via SMS:
Activate the SMS 2FA method
- Click to open the System Designer.
- Go to the System setup block → Lookups.
- Open the 2FA methods lookup.
- Click the SMS row → select the checkbox in the Enabled column.
- Select the checkbox in the Primary column if you want SMS to be the main 2FA method.
- Click .
Configure the SMS provider
- Click to open the System Designer.
- Go to the System setup block → Lookups.
- Open the SMS providers lookup.
- Click New.
- Fill out the following fields:
  Name: the SMS provider name.
  Code: the code you will use when integrating the cell connection provider.
- Click to open the System Designer.
- Go to the System setup block → System settings.
- Open the “SMS provider” (“SmsProvider” code) system setting.
- Select the provider you added on the previous step in the Default value field.
- Save the changes.
- Click Close.
- Open the “SMS sender name” (“SmsSenderName” code) system setting.
- Specify the name of the SMS sender in the Default value field.
- Save the changes.
Activate 2FA
- Click to open the System Designer.
- Go to the System setup block → System settings.
- Open the “Enable 2FA” (“Enable2FA” code) system setting.
- Select the Default value checkbox.
- Save the changes.
At this point, the users can already use 2FA. Proceed further to customize additional aspects of the functionality.
Specify the user groups to activate 2FA (optional)
- Click to open the System Designer.
- Go to the Users and administration block → Operation permissions.
- Open the “Can use 2FA” (“CanUse2FA” code) system operation.
- Specify the user groups to activate 2FA in the Operation permission detail. Learn more: System operation permissions.
Set for how long the verification code remains active (optional)
- Click to open the System Designer.
- Go to the System setup block → System settings.
- Open the “2FA confirmation code lifetime (seconds)” (“SecondFactorCodeTTL” code) system setting.
- Specify, in seconds, how long the verification code remains active in the Default value field.
- Save the changes.
Specify how many attempts to verify the second factor the user has before they are locked out or deactivated (optional)
- Click to open the System Designer.
- Go to the System setup block → System settings.
- Open the “The number of attempts to verify the second factor” (“SecondFactorAttemptCount” code) system setting.
- Specify how many attempts to verify the second factor the user has before they are locked out or deactivated in the Default value field. The exact penalty depends on the value of the “User locking time” (“UserLockoutDuration” code) system setting.
- Save the changes.
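The email and SMS procedures above share the same three controls: a code lifetime (“SecondFactorCodeTTL”), an attempt limit (“SecondFactorAttemptCount”) and a lockout period (“UserLockoutDuration”). The following Python is an added illustration of how those controls fit together for a delivered one-time code; it is not Creatio's code and does not use Creatio's API. The class name, its method names, the six-digit code format and the result strings are assumptions made for this example. The clock is injectable so the expiry and lockout behaviour can be exercised without waiting.

```python
"""Illustrative model of a delivered (email/SMS) one-time code with a lifetime,
an attempt limit and a lockout period. Added example; not Creatio's implementation."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CODE_DIGITS = 6  # assumption: length of the delivered code


@dataclass
class PendingCode:
    code: str          # value sent to the user (a production system would store a hash)
    issued_at: float   # clock reading when the code was issued
    attempts: int = 0  # failed verifications against this code so far


@dataclass
class UserState:
    pending: Optional[PendingCode] = None
    locked_until: float = 0.0  # clock reading until which the user is locked out


class SecondFactorVerifier:
    """Issues and checks delivered one-time codes.

    code_ttl_s   models "2FA confirmation code lifetime (seconds)"
    max_attempts models "The number of attempts to verify the second factor"
    lockout_s    models "User locking time"
    """

    def __init__(self, code_ttl_s: int, max_attempts: int, lockout_s: int,
                 clock: Callable[[], float] = time.time) -> None:
        self.code_ttl_s = code_ttl_s
        self.max_attempts = max_attempts
        self.lockout_s = lockout_s
        self.clock = clock
        self.users: Dict[str, UserState] = {}

    def _state(self, user: str) -> UserState:
        return self.users.setdefault(user, UserState())

    def is_locked(self, user: str) -> bool:
        return self.clock() < self._state(user).locked_until

    def issue(self, user: str) -> Optional[str]:
        """Create a fresh code; returns the code the channel should deliver,
        or None if the user is currently locked out."""
        if self.is_locked(user):
            return None
        # CSPRNG-backed code, zero-padded to a fixed width
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._state(user).pending = PendingCode(code=code, issued_at=self.clock())
        return code

    def verify(self, user: str, submitted: str) -> str:
        """Check a submitted code. Returns 'ok', 'locked', 'no_code', 'expired' or 'invalid'."""
        state = self._state(user)
        now = self.clock()
        if now < state.locked_until:
            return "locked"
        pending = state.pending
        if pending is None:
            return "no_code"
        if now - pending.issued_at > self.code_ttl_s:
            state.pending = None  # an expired code is never accepted
            return "expired"
        # constant-time comparison: no hint about how many leading digits matched
        if hmac.compare_digest(pending.code.encode(), submitted.encode()):
            state.pending = None  # single use: consume the code on success
            return "ok"
        pending.attempts += 1
        if pending.attempts >= self.max_attempts:
            state.pending = None
            state.locked_until = now + self.lockout_s
            return "locked"
        return "invalid"
```

Two design points worth noting: the code is consumed on first success, so a captured code cannot be reused within its lifetime, and the failure counter is attached to the code itself, so issuing a new code does not reset a lockout that is already in force.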
Set up 2FA via the authenticator app
This authentication option uses the verification code generated by an authenticator app. You can use an app of your choice, for example, Google Authenticator, Microsoft Authenticator, etc.
To set up 2FA via the authenticator app:
Activate the authenticator app 2FA method
- Click to open the System Designer.
- Go to the System setup block → Lookups.
- Open the 2FA methods lookup.
- Click the Authenticator app row → select the checkbox in the Enabled column.
- Select the checkbox in the Primary column if you want the authenticator app to be the main 2FA method.
- Click .
Activate 2FA
- Click to open the System Designer.
- Go to the System setup block → System settings.
- Open the “Enable 2FA” (“Enable2FA” code) system setting.
- Select the Default value checkbox.
- Save the changes.
At this point, the users can already use 2FA. Proceed further to customize additional aspects of the functionality.
Specify the user groups to activate 2FA (optional)
- Click to open the System Designer.
- Go to the Users and administration block → Operation permissions.
- Open the “Can use 2FA” (“CanUse2FA” code) system operation.
- Specify the user groups to activate 2FA in the Operation permission detail. Learn more: System operation permissions.
Specify who can disconnect the authenticator app for the user (optional)
- Click to open the System Designer.
- Go to the Users and administration block → Operation permissions.
- Open the “Can disconnect 2FA authenticator app” (“CanReset2FA” code) system operation.
- Specify who can disconnect the authenticator app for the user in the Operation permission detail. Learn more: System operation permissions.
Set for how long the authenticator app connection code remains valid (optional)
- Click to open the System Designer.
- Go to the System setup block → System settings.
- Open the “TOTP Setup Token Ttl” (“TotpSetupTokenTtl” code) system setting.
- Specify, in minutes, how long the authenticator app connection code remains valid in the Default value field.
- Save the changes.
Specify how many attempts to verify the second factor the user has before they are locked out or deactivated (optional)
- Click to open the System Designer.
- Go to the System setup block → System settings.
- Open the “The number of attempts to verify the second factor” (“SecondFactorAttemptCount” code) system setting.
- Specify how many attempts to verify the second factor the user has before they are locked out or deactivated in the Default value field. The exact penalty depends on the value of the “User locking time” (“UserLockoutDuration” code) system setting.
- Save the changes.
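The authenticator app option above relies on time-based one-time passwords (TOTP, RFC 6238), which Google Authenticator, Microsoft Authenticator and similar apps implement. The following Python is an added, stand-alone example of the mechanism and of an enrolment flow bounded by a setup-token lifetime in minutes, as the “TotpSetupTokenTtl” setting describes; it is not Creatio's code. The function and class names, the SHA-1/30-second/6-digit parameters, the one-step skew window and the assumption that the setup token is confirmed by one valid code are all choices made for this example.

```python
"""Illustrative TOTP (RFC 6238) generation, verification and enrolment.
Added example; not Creatio's implementation."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Callable, Optional

TOTP_STEP_S = 30   # time step used by common authenticator apps
TOTP_DIGITS = 6    # code length shown by the app


def new_totp_secret(nbytes: int = 20) -> str:
    """Base32 secret (20 bytes suits HMAC-SHA1) to show as a QR code or key."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps import from a QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1",
                                    "digits": TOTP_DIGITS, "period": TOTP_STEP_S})
    return f"otpauth://totp/{label}?{query}"


def hotp(secret_b32: str, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret_b32: str, at: float, step: int = TOTP_STEP_S) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret_b32, int(at // step))


def verify_totp(secret_b32: str, submitted: str, at: float,
                last_counter: int, window: int = 1) -> Optional[int]:
    """Return the accepted time-step counter, or None if the code is rejected.

    Accepts codes within +/- `window` steps to tolerate clock skew, but never a
    counter at or below `last_counter`, so a code that was already used cannot be
    replayed within its validity period. The caller persists the returned counter."""
    current = int(at // TOTP_STEP_S)
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret_b32, candidate).encode(), submitted.encode()):
            return candidate
    return None


class TotpEnrolment:
    """Pending authenticator-app connection that must be confirmed with one valid
    code before the setup token expires (lifetime given in minutes)."""

    def __init__(self, account: str, issuer: str, setup_ttl_min: int,
                 clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.secret = new_totp_secret()
        self.uri = provisioning_uri(self.secret, account, issuer)
        self.expires_at = clock() + setup_ttl_min * 60
        self.confirmed = False

    def confirm(self, submitted: str) -> bool:
        """Accept the enrolment only while the setup token is valid and the code checks out."""
        now = self.clock()
        if now > self.expires_at:
            return False
        if verify_totp(self.secret, submitted, now, last_counter=-1) is None:
            return False
        self.confirmed = True
        return True
```

The secret is only shown once, during enrolment, which is why the page's separate “Can disconnect 2FA authenticator app” permission matters: resetting the connection is the only way to rotate a secret that lives on a lost or replaced device, and that operation should be restricted to the roles that need it.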