Multi-Factor Authentication (2FA)

NopeSight v3.1.7 introduces enhanced Two-Factor Authentication (2FA) with advanced security features including password strength requirements, rate limiting protection, and seamless password migration flows.

Overview

Two-Factor Authentication adds multiple layers of security to your NopeSight account by requiring strong passwords, secure authentication flows, and time-sensitive codes from your mobile device when logging in. This comprehensive approach significantly reduces the risk of unauthorized access through multiple security vectors.

Enhanced Security Features

Password Security Requirements

Starting with v3.1.7, all passwords must meet enhanced security standards:

  • Minimum Length: 12 characters (increased from 8)
  • Complexity Requirements: Must include uppercase, lowercase, numbers, and special characters
  • Common Password Protection: Blocked passwords include common patterns and dictionary words
  • Sequential Pattern Detection: Prevents passwords like "123456", "abcdef", or "qwerty"
  • Real-Time Validation: Live password strength feedback during password creation and updates
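As an added illustration (not NopeSight's own validator), the following Python function applies the five rules above to a candidate password and returns the list of requirements it fails, which is the shape of feedback a real-time strength indicator needs. The blocklist is a constructed stand-in for a real common-password list, and treating any run of four stepping characters or four adjacent keyboard keys as "sequential" is an assumption about how the detection is tuned.

```python
import re
import string

# Constructed, deliberately tiny blocklist; a deployment would load a large
# list of breached and dictionary passwords instead.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "admin", "iloveyou"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12   # v3.1.7 minimum, up from 8
SEQ_RUN = 4       # assumed: runs of 4 count as a sequential pattern


def _has_sequential_run(lower: str) -> bool:
    """True if any 4 consecutive characters step by +1/-1 in code point
    ('abcd', '4321') or lie on a keyboard row in order ('qwer', 'rewq')."""
    for i in range(len(lower) - SEQ_RUN + 1):
        chunk = lower[i:i + SEQ_RUN]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
        for row in KEYBOARD_ROWS:
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def check_password(pw: str) -> list:
    """Return the requirements the password fails; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"at least {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        failures.append("an uppercase letter")
    if not any(c.islower() for c in pw):
        failures.append("a lowercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("a digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("a special character")
    lower = pw.lower()
    # Strip digits and punctuation so "Password123!" is still caught as "password".
    core = re.sub(r"[^a-z]", "", lower)
    if lower in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        failures.append("not a common password")
    if _has_sequential_run(lower):
        failures.append("no sequential pattern such as 1234 or qwer")
    return failures
```

Because the function reports every failed rule rather than stopping at the first, the UI can render the full checklist with per-item checkmarks as the user types.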

Rate Limiting Protection

Advanced rate limiting protects against brute force and automated attacks:

  • Login Attempts: 5 attempts per 15 minutes, escalating to 1-hour lockout after 10 failed attempts
  • 2FA Code Attempts: 10 attempts per 15 minutes to prevent code enumeration
  • Password Changes: 3 attempts per hour for password modification operations
  • Smart Fingerprinting: Tracks attempts using IP address + User-Agent combination
  • Real-Time Feedback: Users see remaining attempts and lockout reset times
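To make the login figures concrete, here is an added Python limiter (not NopeSight's code) that keys attempts on the IP + User-Agent fingerprint, allows 5 failures per sliding 15-minute window, and escalates to a 1-hour lockout once 10 failures accumulate. The page does not say how the two thresholds interact, so two details are assumptions: failures are counted toward escalation over a one-hour horizon, and attempts made while already blocked are recorded as failures (so continued hammering reaches the lockout). The clock is injectable so the behaviour can be exercised without waiting.

```python
import time

WINDOW = 15 * 60            # soft-limit sliding window, seconds
SOFT_LIMIT = 5              # failed attempts allowed per window
HARD_LIMIT = 10             # failures that trigger the escalated lockout
ESCALATION_WINDOW = 60 * 60 # assumed horizon over which the 10 are counted
HARD_LOCKOUT = 60 * 60      # 1-hour lockout


class LoginRateLimiter:
    """Per-fingerprint failed-login limiter with escalation."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = {}      # fingerprint -> list of failure timestamps
        self._locked_until = {}  # fingerprint -> lockout expiry (unix time)

    @staticmethod
    def fingerprint(ip: str, user_agent: str) -> str:
        """Tracking key: IP address + User-Agent combination."""
        return f"{ip}|{user_agent}"

    def _recent(self, key, horizon):
        """Prune stale stamps and return those within `horizon` seconds."""
        now = self._clock()
        stamps = [t for t in self._failures.get(key, []) if now - t < ESCALATION_WINDOW]
        self._failures[key] = stamps
        return [t for t in stamps if now - t < horizon]

    def check(self, key) -> dict:
        """Decide whether an attempt may proceed; 'remaining' and 'reset_in'
        are what the login screen shows the user."""
        now = self._clock()
        locked_until = self._locked_until.get(key, 0.0)
        if locked_until > now:
            return {"allowed": False, "remaining": 0, "reset_in": int(locked_until - now)}
        recent = self._recent(key, WINDOW)
        remaining = SOFT_LIMIT - len(recent)
        if remaining <= 0:
            return {"allowed": False, "remaining": 0,
                    "reset_in": int(recent[0] + WINDOW - now)}
        return {"allowed": True, "remaining": remaining, "reset_in": 0}

    def record_failure(self, key):
        """Call for every rejected attempt, including ones refused by check()."""
        now = self._clock()
        self._failures.setdefault(key, []).append(now)
        if len(self._recent(key, ESCALATION_WINDOW)) >= HARD_LIMIT:
            self._locked_until[key] = now + HARD_LOCKOUT
            self._failures[key] = []

    def record_success(self, key):
        """A successful login clears the fingerprint's history."""
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)
```

Keying on IP + User-Agent rather than on the username means an attacker spraying many accounts from one client is throttled, while a legitimate user behind a shared NAT is only affected if the same browser signature is also failing; a production deployment would keep this state in a shared store such as Redis rather than in process memory.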

Password Migration Process

Existing users with passwords that don't meet new requirements will experience a seamless upgrade process:

  1. Automatic Detection: System identifies passwords not meeting new standards during login
  2. Migration Screen: Users are guided through a secure password update process
  3. Strength Validation: Real-time feedback ensures new passwords meet all requirements
  4. 2FA Integration: After password update, users complete login with their existing 2FA if enabled
  5. Preserved Settings: All user preferences and 2FA configurations remain intact

Setting Up 2FA

Initial Setup Process

When you log in after the v3.1.0 upgrade, you'll be prompted to set up 2FA:

  1. Setup Notification: A banner will appear indicating that 2FA setup is required
  2. Grace Period: You have 7 days to complete the setup while maintaining system access
  3. Setup Wizard: Click "Set up 2FA" to begin the configuration process

Step-by-Step Setup

Step 1: Download an Authenticator App

Before starting setup, ensure you have a compatible authenticator app installed on your mobile device:

Recommended Apps:

  • Google Authenticator (iOS/Android)
  • Microsoft Authenticator (iOS/Android)
  • Authy (iOS/Android) - Supports cloud backup
  • 1Password (iOS/Android) - If you use 1Password for password management

Step 2: Scan QR Code

  1. In the NopeSight 2FA setup dialog, a QR code will be displayed
  2. Open your authenticator app
  3. Use the app's camera or "Add Account" feature to scan the QR code
  4. The app will automatically add your NopeSight account

Step 3: Enter Verification Code

  1. Your authenticator app will immediately generate a 6-digit code
  2. Enter this code in the "Enter 6-digit code" field
  3. Click "Verify and Enable 2FA"

Step 4: Save Backup Codes

Important: After successful verification, you'll receive 10 backup codes:

Backup Codes (use only once each):
- 12345678
- 87654321
- 11223344
- 44332211
- 55667788
- 88776655
- 99887766
- 66778899
- 33445566
- 77889900

Critical Steps:

  1. Save these codes in a secure location (password manager, secure notes)
  2. Print them and store in a safe physical location
  3. Never share these codes with anyone
  4. Each code can only be used once

Using 2FA for Login

Enhanced Login Process

The login process now includes multiple security checkpoints:

  1. Initial Authentication: Enter your username and password
  2. Password Security Check: System validates password meets current security standards
  3. Password Migration (if needed): Users with weak passwords are guided through secure update process
  4. 2FA Verification: After password validation, you'll see a 2FA prompt
  5. Authenticator Code: Open your authenticator app and find your NopeSight account entry
  6. Complete Login: Enter the current 6-digit code and click "Verify"

Rate Limiting Awareness

Be aware of the security protections in place:

  • Login Attempts: Limited to 5 attempts per 15 minutes
  • 2FA Codes: Limited to 10 attempts per 15 minutes
  • Visual Feedback: The login screen shows remaining attempts and reset times
  • Escalation: Multiple failures result in longer lockout periods

Password Migration Flow

If your password doesn't meet current security standards:

  1. Migration Notice: You'll see a password update screen instead of 2FA
  2. Strength Indicator: Real-time feedback shows password strength as you type
  3. Requirements Display: Clear list of requirements with visual checkmarks
  4. Seamless Transition: After updating password, you'll proceed to 2FA verification
  5. Preserved Access: All your settings and permissions remain unchanged

API Authentication with MFA

When using the API with MFA enabled accounts:

// Login with MFA via API
const loginResponse = await fetch('https://api.nopesight.com/v1/auth/login', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    email: 'user@company.com',
    password: 'secure-password',
    totp_code: '123456' // 6-digit TOTP code from authenticator app
  })
});

const { token, refreshToken } = await loginResponse.json();

MFA Process Flow

Step 1: Initial Authentication

The system first validates your credentials (username/password or API key):

  • Password verification against encrypted storage
  • Account status check (active, locked, suspended)
  • IP address validation if restrictions are configured

Step 2: MFA Challenge

If credentials are valid, the system requests the second factor:

  • TOTP code from authenticator app (preferred)
  • Backup code (emergency access)
  • SMS code (if configured - not recommended for high security)

Step 3: Token Generation

Upon successful MFA verification:

  • JWT token is generated with user claims and scopes
  • Refresh token is issued for session continuity
  • Session is established with defined expiration time
  • Audit log entry is created for compliance

Using Backup Codes

If you lose access to your authenticator app:

  1. On the 2FA verification screen, click "Use backup code instead"
  2. Enter one of your saved backup codes
  3. Click "Verify with backup code"
  4. Important: The used backup code will be permanently deactivated
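The two backup-code sections (the 10 codes handed out at setup, and their one-time use here) are illustrated by this added Python example, which is not NopeSight's implementation. It generates 8-digit codes, stores only salted PBKDF2 hashes of them so a copied database does not yield usable codes, and permanently removes a code when it is consumed. The digit count and hashing parameters are assumptions chosen to match the sample codes shown above.

```python
import hashlib
import hmac
import secrets

CODE_COUNT = 10   # codes issued at setup
CODE_DIGITS = 8   # matches the 8-digit samples shown at setup (assumed)
PBKDF2_ROUNDS = 100_000


def generate_backup_codes(count: int = CODE_COUNT) -> list:
    """Return `count` random numeric codes; shown to the user exactly once."""
    return [f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}" for _ in range(count)]


def _digest(code: str, salt: bytes) -> bytes:
    # Salted, slow hash: a leaked table cannot be reversed to live codes.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ROUNDS)


class BackupCodeStore:
    """Server-side store holding only hashes; each code works once."""

    def __init__(self, codes):
        self._salt = secrets.token_bytes(16)
        self._hashes = {_digest(c, self._salt) for c in codes}

    def remaining(self) -> int:
        """How many unused codes the user still has."""
        return len(self._hashes)

    def consume(self, candidate: str) -> bool:
        """Return True and permanently deactivate the code if it matches.
        Spaces and dashes are ignored so codes copied from a printout work."""
        normalized = candidate.replace(" ", "").replace("-", "")
        digest = _digest(normalized, self._salt)
        for stored in self._hashes:
            if hmac.compare_digest(stored, digest):
                self._hashes.remove(stored)   # one-time use
                return True
        return False
```

Because `consume` deletes the matching hash before returning, a replayed code fails on the second try, which is exactly the "permanently deactivated" behaviour in step 4; `remaining()` is what an administrator would check before advising a user to regenerate.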

Security Benefits

Protection Against Common Threats

  • Password Theft: Even if someone steals your password, they cannot access your account without your device
  • Phishing Attacks: Time-based codes expire every 30 seconds, making stolen codes useless
  • Data Breaches: Compromised password databases cannot be used for unauthorized access
  • Social Engineering: Attackers cannot bypass 2FA without physical access to your device

Compliance Advantages

  • SOX Compliance: Meets Sarbanes-Oxley requirements for privileged user access controls
  • HIPAA Standards: Satisfies healthcare security requirements for multi-factor authentication
  • PCI-DSS: Complies with payment card industry standards for secure access
  • ISO 27001: Aligns with information security management best practices

Troubleshooting

Common Issues and Solutions

"Invalid code" Error

Symptoms: Authentication codes are consistently rejected

Solutions:

  1. Time Sync: Ensure your mobile device's time is accurate
    • Go to Settings > Date & Time > Set Automatically
  2. Code Timing: Use codes immediately after they appear
  3. App Restart: Close and reopen your authenticator app
  4. Re-scan QR Code: Delete the account from your app and set up again

Lost Authenticator Device

Solutions:

  1. Use Backup Codes: Enter a backup code to access your account
  2. Contact Administrator: If no backup codes are available, contact your system administrator
  3. Account Recovery: Administrator can reset 2FA for your account

Backup Codes Not Working

Possible Causes:

  • Code already used (each code works only once)
  • Typing errors (codes are case-sensitive)
  • Account lockout due to multiple failed attempts

Solutions:

  1. Verify you're entering the code exactly as saved
  2. Try a different backup code
  3. Contact administrator if all codes are exhausted

Time Synchronization Issues

Symptoms: Codes generated just before expiration don't work

Solutions:

  1. Wait for the next code generation cycle (30 seconds)
  2. Ensure your device time matches the server time
  3. Use network time synchronization on your device

Account Recovery

If you lose both your authenticator device and backup codes:

  1. Contact Support: Reach out to your NopeSight administrator
  2. Verification Process: You may be required to verify your identity
  3. 2FA Reset: Administrator can disable 2FA for your account
  4. Re-setup Required: You'll need to set up 2FA again immediately

Best Practices

Security Recommendations

  1. Secure Backup Codes:

    • Store in multiple secure locations
    • Use a password manager for digital storage
    • Keep physical copies in a secure location
    • Never store with your password
  2. Device Security:

    • Use device lock screens (PIN, password, biometric)
    • Keep authenticator apps up to date
    • Consider apps with cloud backup (like Authy)
    • Don't share devices with others
  3. Regular Maintenance:

    • Periodically verify your backup codes are accessible
    • Update your contact information with administrators
    • Report lost devices immediately

Operational Guidelines

  1. Multiple Devices: Consider setting up 2FA on multiple devices using apps that support cloud sync
  2. Travel Preparations: Ensure backup codes are accessible when traveling
  3. Team Coordination: Inform team leads when changing devices or phone numbers
  4. Documentation: Keep a record of when you last updated your 2FA setup

Technical Implementation

TOTP Configuration

NopeSight uses industry-standard TOTP (RFC 6238) implementation:

# Backend TOTP implementation
import pyotp
import qrcode

def setup_totp(user_email):
    """Set up TOTP for user"""

    # Generate secret key (base32 encoded)
    secret = pyotp.random_base32()

    # Create TOTP URI for QR code
    totp_uri = pyotp.totp.TOTP(secret).provisioning_uri(
        name=user_email,
        issuer_name='NopeSight'
    )

    # Generate QR code for easy setup
    qr = qrcode.QRCode(version=1, box_size=10, border=5)
    qr.add_data(totp_uri)
    qr.make(fit=True)

    return {
        'secret': secret,
        'qr_code': qr,
        'manual_entry_key': secret,
        'algorithm': 'SHA1',
        'digits': 6,
        'period': 30  # seconds
    }

def verify_totp(secret, token):
    """Verify TOTP token with time window tolerance"""
    totp = pyotp.TOTP(secret)
    # valid_window=1 allows for 30-second clock drift
    return totp.verify(token, valid_window=1)
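The `valid_window=1` tolerance above, and the "codes generated just before expiration" symptom in the Time Synchronization troubleshooting section, come down to which 30-second counter values the server is willing to accept. The following added example (not NopeSight's code, and independent of pyotp) implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library so the arithmetic is visible, checks itself against the RFC 6238 SHA-1 test vectors, and shows a code being accepted one step late but rejected two steps late. The secret used is the RFC's published test key, base32-encoded.

```python
import base64
import hashlib
import hmac
import struct
import time

PERIOD = 30   # seconds per time step, as in the NopeSight config above
DIGITS = 6

# RFC 6238 reference secret "12345678901234567890", base32-encoded (test value only).
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp_at(secret_b32: str, unix_time: float, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / PERIOD)."""
    return hotp(secret_b32, int(unix_time) // PERIOD, digits)


def verify_with_window(secret_b32: str, token: str, at: float = None,
                       valid_window: int = 1) -> bool:
    """Accept the code for the current step and `valid_window` steps either
    side of it, comparing each candidate in constant time."""
    now = time.time() if at is None else at
    step = int(now) // PERIOD
    for delta in range(-valid_window, valid_window + 1):
        if hmac.compare_digest(hotp(secret_b32, step + delta), token):
            return True
    return False


def drift_demo(secret_b32: str = RFC_TEST_SECRET) -> dict:
    """Show how far a code can be late before valid_window=1 rejects it."""
    issued_at = 1000          # constructed timestamp; counter 33
    code = totp_at(secret_b32, issued_at)
    return {
        "same_step": verify_with_window(secret_b32, code, at=issued_at),
        "one_step_late": verify_with_window(secret_b32, code, at=issued_at + 30),
        "two_steps_late": verify_with_window(secret_b32, code, at=issued_at + 60),
    }
```

A device whose clock is more than about 30 seconds off will produce codes that fall outside the three accepted steps, which is why the troubleshooting advice is to enable automatic time synchronization rather than to widen the window: every extra step accepted also multiplies an attacker's chance of guessing a 6-digit code.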

Session Management with MFA

After successful MFA verification, the system manages sessions with enhanced security:

// Frontend session handling
// authenticate(), verifyMFA(), storeTokens() and refreshAccessToken() are the
// application's own API wrappers and are not shown in this excerpt.
class SecureSessionManager {
  constructor() {
    this.tokenExpiry = 15 * 60 * 1000; // 15 minutes for access token
    this.refreshExpiry = 7 * 24 * 60 * 60 * 1000; // 7 days for refresh token
    this.mfaVerified = false;
  }

  async establishSession(credentials, mfaCode) {
    // Step 1: Primary authentication
    const authResponse = await this.authenticate(credentials);

    // Step 2: MFA verification
    if (authResponse.requiresMFA) {
      const mfaResponse = await this.verifyMFA(authResponse.sessionId, mfaCode);

      if (mfaResponse.success) {
        this.mfaVerified = true;
        this.storeTokens(mfaResponse.tokens);
        this.scheduleTokenRefresh();
        return { success: true, session: mfaResponse.session };
      }
    }

    return { success: false, error: 'MFA verification failed' };
  }

  scheduleTokenRefresh() {
    // Automatically refresh token before expiry
    setTimeout(() => {
      this.refreshAccessToken();
    }, this.tokenExpiry - 60000); // Refresh 1 minute before expiry
  }
}

API Integration for Service Accounts

Service accounts can use MFA with automated token management:

import pyotp
import requests

class ServiceAccountMFA:
    """Service account with MFA support"""

    def __init__(self, account_id, totp_secret, private_key):
        self.account_id = account_id
        self.totp_secret = totp_secret    # base32 TOTP secret issued at enrolment
        self.private_key = private_key    # signing key for the JWT assertion

    def create_jwt_assertion(self):
        """Build the signed JWT bearer assertion for this account.
        The signing logic is not part of this excerpt."""
        raise NotImplementedError("sign a JWT for self.account_id with self.private_key")

    def get_authenticated_session(self):
        """Get authenticated session with MFA"""

        # Generate current TOTP code
        totp = pyotp.TOTP(self.totp_secret)
        current_code = totp.now()

        # Create JWT assertion with MFA
        assertion = self.create_jwt_assertion()

        # Authenticate with MFA
        response = requests.post(
            'https://api.nopesight.com/v1/auth/service-account/token',
            json={
                'grant_type': 'urn:ietf:params:oauth:grant-type:jwt-bearer',
                'assertion': assertion,
                'mfa_code': current_code
            },
            timeout=10
        )
        response.raise_for_status()   # surface 401/429 instead of a KeyError below

        return response.json()['access_token']

Administrative Information

Enforcement Timeline

  • Immediate: All new users must set up 2FA during first login
  • Existing Users: 7-day grace period for 2FA setup
  • Compliance: After grace period, account access requires 2FA completion

Support Escalation

For 2FA-related issues requiring administrative intervention:

  1. Level 1: Contact your direct supervisor or team lead
  2. Level 2: Submit ticket to IT support with user verification
  3. Level 3: System administrator can reset 2FA settings

Audit and Compliance

All 2FA activities are logged for security and compliance purposes:

  • Setup and verification attempts
  • Backup code usage
  • Failed authentication attempts
  • Administrative 2FA resets
  • Token generation and refresh events
  • Service account MFA usage

Security Notice: 2FA is mandatory for all NopeSight accounts. Users who do not complete setup within the grace period will be unable to access the system until 2FA is properly configured.