
03: Two-Factor Authentication in the PolicyPak Portal

Beginning in May 2021, two-factor authentication (2FA) was enabled for ALL customer accounts in the Netwrix PolicyPak Portal. The portal may contain license keys and potentially other sensitive company information.

NOTE: If for some reason you do not want to use 2FA to secure access to your portal, you can open a ticket with support, who will assist you in completing that process. However, disabling Portal 2FA is strongly discouraged. In addition, only the PRIMARY user account has access to the 2FA controls you'll see below. This includes controlling which authentication method is enabled, resetting 2FA settings, and requesting that it be disabled for EVERY user on the account.

Here's what to expect the FIRST time you log in, whether you are a Primary or Secondary user: you'll be prompted for a code, which will be emailed to the address you used to log in.

Here's the email to look for...

It is recommended that the Primary user then enable "app" 2FA for the account.  This will provide everyone with the ability to choose either email or an app (such as Authy or Google Authenticator) to authenticate their login.  

Here's how to do that. First, locate the 2FA Config tab under Your Contacts. Next, select App 2FA and click Apply.

When you click Apply above you will be prompted for another code to authorize App 2FA enablement.

After supplying that code, click Commit Changes to complete the process.

You'll see a success message in the lower right and App 2FA will be checked, indicating it is now enabled for ALL users.

__________________________________________________________________________________________________________________________

Once App 2FA is enabled, anyone who logs in will get the screen shown earlier, where they can choose which method they want to authenticate with: email or app. If they choose app and have not yet set up THEIR authenticator app, they will be prompted to do so. Scan the code with the app and supply the code shown in the app. If for any reason the QR code is not displayed properly, most apps allow the use of the alternate code that you will see displayed.

After supplying the code from the app, they'll be returned to the logon screen, where they will see an acknowledgement if the authenticator app setup was successful.

When they log in and choose the authentication app method, they will be prompted to enter the code from their authenticator app.

Resetting 2FA for an INDIVIDUAL Secondary

If an individual needs to have their App 2FA reset, they can request that when logging in.  Clicking the link will send a notification to the Primary on the account.  

The Primary can then log in to the Portal and perform the reset as shown below.  Navigate to Contacts, select either Secondary or Billing, locate the individual and click Reset App 2FA.

Resetting 2FA for the Primary

If you are the Primary on the account and need to have App 2FA reset, you can do that on the same page described above by selecting the Primary tab and clicking Reset App 2FA.

Resetting 2FA GLOBALLY

If you ever need to reset 2FA, you can do this by clicking Reset 2FA. NOTE: This will reset the 2FA setting for EVERYONE, meaning that everyone will need to set up their authenticator app again.

Disable 2FA

Though we strongly advise against it, you can disable 2FA completely on your account.  Do this by clicking Disable 2FA and confirming your request.  The request will be submitted on your behalf and handled by the support team.  You will hear from them when the request is completed.

You will get a confirmation email any time 2FA is disabled for your account. NOTE: This applies to the entire "account", so 2FA will be disabled for ALL users/contacts as indicated below.

Looking in your portal afterwards, you'll see that 2FA is entirely disabled: neither box is checked. If you want to re-enable it at any time, simply select the 2FA method you want to enable and click Apply. Since no 2FA is active at this moment, you won't be asked to supply a code to re-enable it. It will be enabled immediately, and everyone will once again be prompted to supply a code received via email or from their app.

NOTE: In this particular scenario (re-enabling), if anyone previously had app 2FA "configured" (had scanned the QR code), then that code will still work once 2FA is re-enabled.

  • 1129
  • 08-Sep-2022