Enforcing two-factor authentication (2FA) in GravityZone Cloud FAQ
This article describes two-factor authentication (2FA) in GravityZone and provides answers to frequently asked questions about it.
Bitdefender is taking a further step to increase your protection: two-factor authentication (2FA) will be required for all GravityZone Cloud accounts starting April 12, 2022.
Why we are changing the way you log in
Passwords are one of the most common targets for attackers. Using a second step to sign in makes your account more secure.
Two-factor authentication is a security feature that requires users to confirm their identity by entering a code sent to another device such as a mobile phone after signing in. This reduces the risk of account compromise, even if a password is stolen or cracked.
Two-factor authentication has been available in GravityZone for some time with many users taking advantage of it. From April 12, 2022, two-factor authentication will become mandatory for all GravityZone Cloud users.
Important
Bitdefender will not enforce two-factor authentication (2FA) for GravityZone accounts using single sign-on (SSO).
How two-factor authentication works
After you enter your password to log into GravityZone Control Center, you need to enter a code from the authentication app configured as a second factor on your device. Bitdefender supports Google Authenticator, Microsoft Authenticator, or any two-factor TOTP (Time-based one-time password algorithm) compatible authenticator.
In GravityZone, you can enable it for your account and for any other accounts that you manage.
Important
In GravityZone, the Trust this browser option allows you to skip entering the six-digit code every time you log in up to 90 days. Learn more in the GravityZone release notes.
Remember this device has been renamed Trust this browser after the GravityZone July 2022 release (version 6.26.2-2).
In the current implementation (before April 12, 2022), users can disable two-factor authentication. Bitdefender will remove this option when 2FA becomes mandatory.
What authenticator can I use?
Bitdefender supports Google Authenticator, Microsoft Authenticator, or any two-factor TOTP (Time-based one-time password algorithm) authenticator compatible with the RFC 6238 standard, which combines the secret key with the device's current timestamp to generate the six-digit code. The authenticator can run on a smartphone or on another device, such as a personal computer.
Please note that the timestamps on both the device and the GravityZone Control Center must match for the six-digit code to be valid. To avoid any timestamp synchronization issues, we recommend enabling the automatic date and time setting on your device.
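As an added illustration (not code from the Bitdefender article), the following Python implements the RFC 6238 computation described above with the parameters GravityZone uses (HMAC-SHA1, six digits, 30-second step) and shows why a device clock that is out of sync produces a code the server rejects. The secret is the RFC 6238 test-vector secret rather than a real GravityZone key, and the one-step tolerance window in verify() is an assumption for illustration, not a documented GravityZone setting.

```python
import base64
import hashlib
import hmac
import struct
import time

DIGITS = 6     # "Digits: 6" in the authenticator settings
PERIOD = 30    # "Time Period: 30 seconds"
# Constructed sample: the RFC 6238 test-vector secret "12345678901234567890",
# base32-encoded the way authenticator apps expect it. Not a real GravityZone key.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 code for a base32 secret at the given Unix time (HMAC-SHA1)."""
    normalized = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(normalized + "=" * (-len(normalized) % 8))
    counter = unix_time // PERIOD                      # time step since the Unix epoch
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, code: str, server_time: int, drift_steps: int = 1) -> bool:
    """Accept the code for the current step and up to drift_steps steps either side.

    The tolerance window is an assumption for illustration; the article only says
    the device and Control Center timestamps must match.
    """
    for step in range(-drift_steps, drift_steps + 1):
        expected = totp(secret_b32, server_time + step * PERIOD)
        if hmac.compare_digest(expected, code):        # constant-time comparison
            return True
    return False


def skew_accepted(secret_b32: str, server_time: int, device_skew_seconds: int) -> bool:
    """Would a device whose clock is off by device_skew_seconds produce an accepted code?"""
    device_code = totp(secret_b32, server_time + device_skew_seconds)
    return verify(secret_b32, device_code, server_time)


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(TEST_SECRET, now))
    for skew in (0, 30, 60, 300):
        print(f"device clock {skew:+d}s -> accepted: {skew_accepted(TEST_SECRET, now, skew)}")
```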
How long does it take to sign in with 2FA?
Two-factor authentication adds one more step, but it is usually fast and easy. Many other applications have implemented 2FA and you probably use it for some of your online accounts.
Do I have to use 2FA every time I log in?
No. By default, you need to use two-factor authentication at every login, but starting April 12 you will have the new option Trust this browser, which allows you to skip entering the six-digit code for up to 90 days.
GravityZone administrators will be able to activate this option and specify the time period in GravityZone in the company authentication settings. After the interval expires, you will need to use your device once again. Learn more in the GravityZone release notes.
Can I disable 2FA?
You will not be able to disable two-factor authentication after Bitdefender enforces it.
What do I do if I erased my phone?
If you erased your phone, you can reinstall the authentication app and add your account by using the QR code or the secret key that you received when setting up two-factor authentication.
What do I do if my phone is lost or stolen?
To prevent someone else from using your phone as a connecting device, contact your GravityZone administrator to reset your account login. After reset, you will be able to reconfigure two-factor authentication using your new device.
How does 2FA work if I do not have my phone with me?
If two-factor authentication is enforced for your company, you need an authenticator to log in. If you do not have your phone nearby, contact your GravityZone administrator to reset your account so that you can use another device to log in, including a computer.
When will Bitdefender enforce 2FA?
We will make an announcement seven days before enforcing two-factor authentication on April 12, 2022. If you already use two-factor authentication by then, the change will not affect you.
Does this change affect accounts that use a different identity provider for logging in?
For GravityZone accounts that use an identity provider to log in, 2FA cannot be enabled and will not be enforced in GravityZone. Therefore, no actions are necessary for these accounts.
Can I use an email address to authenticate instead of a phone?
No. Two-factor authentication in GravityZone supports only login with a smartphone or another device compatible with a TOTP authenticator (for example, a computer).
As an alternative, if you are a GravityZone administrator, you can enable single sign-on (SSO) for other accounts instead of using 2FA. Read more about SSO here. However, you cannot enable SSO for your own account, so you still need to use 2FA.
How does this change affect customers who use the API?
After Bitdefender enforces two-factor authentication, API calls to the createCompany and updateCompanyDetails methods that previously set the enforce2FA parameter to false will have it automatically set to true. This change will not return an error message, which is how backwards compatibility is preserved.
A new parameter, named skip2FAPeriod, will be available for the createCompany and updateCompanyDetails methods. The new parameter is equivalent to the "remember this device" option and allows setting a time interval in days (0, 1, 3, 7, 14, 30, 90) for skipping two-factor authentication for the entire company. The skip2FAPeriod parameter is optional and has a default value of 0 (zero days, meaning disabled).
How do I configure an authenticator on my computer?
If you do not have a smartphone, you can use your computer as the second factor to log in to GravityZone. All you need is a TOTP (Time-based one-time password algorithm) authentication app that provides the six-digit code required after entering your credentials. Here are the instructions for two such apps on Windows:
TOTP Manager
WinAuth
When configuring the authenticator, make sure you enable 2FA for your GravityZone account. You need the secret key (or the QR code) from the 2FA configuration page to set up the authenticator, which in turn provides the six-digit code to complete the process in GravityZone. For details on how to enable 2FA for your account, refer to Manage your account.
TOTP Manager
TOTP Manager is an authentication app available in the Microsoft Store. To use it, make sure you have a Microsoft account and follow these steps:
Connect to Microsoft Store with your Microsoft account.
Search for TOTP Manager and click Get to install it on your computer.
Click Open in Microsoft Store or run TOTP Manager directly from your computer.
In the TOTP Manager interface, click +.
In the configuration page, fill in these fields:
For Account, enter your GravityZone username (in the format username@company).
For Secret, copy and paste the secret key displayed in the 2FA configuration page in GravityZone.
Keep the secret key in a safe place for future use because it is essential for your access into GravityZone.
For Digits, select 6.
For Time Period, select 30 seconds.
For Algorithm, select SHA-1.
Click Create! to generate the six-digit code.
WinAuth
This app is an open-source authenticator for Google, Microsoft, and several other services. You do not need a specific account to use it, just follow these steps:
Download the ZIP file from here and extract its content.
There is nothing to install, but only one executable file to run.
Double-click WinAuth.exe.
If you receive an error about missing .NET, make sure you have installed .NET Framework from here.
In the WinAuth window, click Add.
Choose Authenticator from the list.
In the configuration window, at step 1, copy and paste the secret key displayed in the 2FA configuration page in GravityZone.
Keep the secret key in a safe place for future use because it is essential for your access into GravityZone.
At step 2, select the Time-based radio button.
Click OK to generate the six-digit code and click OK one more time to save the authenticator.
When asked how to protect your WinAuth authenticator, enter a password to encrypt it. You can also choose to encrypt the data so that the WinAuth file will be usable only on your computer and only by your account.
The next time you open WinAuth.exe, you must enter the password you configured at this step.
Click OK to save your configuration.
Now the WinAuth window displays your authenticator and the six-digit code for 30 seconds. When the time expires, click the Refresh icon to display a new code.
Useful tips:
Right-click on the authenticator to change its name, view the secret key, or remove the authenticator.
Click the cog icon for settings. For example, select the option to display the authenticator always on top of other programs, which may be useful when logging in to GravityZone.
How do I check that two-factor authentication works?
After configuring two-factor authentication for your account, log out from GravityZone and log in again. You have to enter your credentials and the six-digit code from the authentication app. Two-factor authentication will work the same way after becoming mandatory and you do not need to do anything else.
If for some reason you cannot use the authentication app to provide the six-digit code, configure another app using the same secret key that you have saved when enabling 2FA for your account.
If you cannot use the authentication app and you also have lost the secret key, contact your GravityZone administrator who has access to your account and ask for 2FA reset. After reset, when trying to log in to GravityZone, you will be prompted to reconfigure 2FA with a new secret key.
What do I do if I changed my phone?
If you changed your phone, contact your GravityZone administrator to reset your account login. After reset, you will be able to reconfigure two-factor authentication using your new device.