While two-factor authentication brings more security to the table, it also increases the possibility that a User might accidentally be locked out of Shotgun. In order to keep the good guys up and running in the system, an Admin may need to help out from time to time. This document provides some technical details that will be important to Admins.
Two-factor authentication is currently a site-wide preference in Shotgun. If enabled, all accounts on the site will be required to use the additional security measure when logging in. During the pilot release phase, two-factor authentication can only be enabled by the Shotgun Support team. In the full release, Admins will be able to control this themselves in the Site Preferences.
When two-factor authentication is initially enabled for a site, any User with an existing Shotgun session will be logged out automatically (similar to what happens if your Shotgun site gets a new release update while a User has an existing session). This is to ensure that all Users immediately set up the additional security measure that the feature brings. We recommend clear communication with your team before turning on two-factor authentication so there are no surprises.
The next time a User logs in to the Shotgun site, he/she will be guided through the two-factor authentication setup process, which will be required from that point on. Also, any new User created in Shotgun will have to set up two-factor authentication before he/she can access the site.
Helping locked-out users
In the unfortunate event that a User can't access Shotgun because of a two-factor authentication/login issue, you can reset the account to hopefully unblock him/her.
Users having two-factor authentication issues can request help through Shotgun via the Get help button on the code entry screen.
This will send an email to you and anyone else set to receive security emails for the site. These emails are driven by the Subscribe to all Security emails field on the HumanUser entity, consistent with all of the other email subscription settings. By default, anyone in the Admin permission group should have these emails on, and people can opt in/out of them based on your studio's workflow (and Shotgun field permissions).
When a User is locked out, an Admin will typically need to reset his/her credentials, since the User can't get in to update his/her own account settings anymore. Resetting a User's two-factor authentication credentials is just like resetting a User's password (if you're familiar with Shotgun's existing mechanism for this):
- Locate the User's record in Shotgun.
- Display the Password field if it isn't already.
- Click Reset Credentials.
- Make sure the Reset Two-Factor Authentication checkbox is checked.
- Click Save.
This will send an email to the User with a link that guides him/her through the process of setting up two-factor authentication again. Note that the User's password will remain the same unless the Reset Password checkbox was checked in step 4. Resetting two-factor authentication does not necessarily require the password to also be reset.
Users without backup codes
We recommend that Users keep a set of backup codes, since you never know when you might need them. We also recommend that Admins in turn pass this recommendation along to the site's Users. That said, sometimes a User can be locked out and not have backup codes. There are three main device-related scenarios to navigate:
- The User's phone is lost or stolen.
- The User doesn't have his/her phone, but it's not lost/stolen.
- The User got a new phone but didn't pair it to his/her Shotgun account.
Each of these scenarios is covered in our two-factor authentication FAQ. In a nutshell, the User needs to have some device available in order for a reset of his/her two-factor authentication credentials to unblock him/her. So for case 1, hopefully the User has replaced the lost/stolen phone. For case 2, perhaps there is a backup device that can be used in the interim. With case 3, there is at least the new device to rely on, so a reset will address the need.
For the full release of two-factor authentication, we plan to add a feature that will allow Admins to generate backup codes on behalf of a User to help with these situations, but this isn't in place just yet. In the meantime, it is possible for Users to lock themselves out if they don't have any backup codes, so be aware of this possibility!