To provide 2FA functionality, the "2-Factor Authentication" app included with the RAP server needs to be enabled. Once the app is enabled, it is enabled for all users by default, but each user has to opt in.


OAuth 2.0 is the recommended authentication method for clients. The OAuth 2.0 app is enabled on all RAP servers by default. When using the OAuth 2.0 app, the RAP-Sync Desktop clients will open the login page in the system web browser. After entering their regular credentials, users will see a second page, where they need to enter the second factor.


App Passwords / Tokens

Without the OAuth 2.0 app, users need to log in to their RAP account in a regular web browser first, then create an app password or token, which can then be used in the RAP-Sync Desktop clients.


  1. Turn on the 2 Factor app as the admin
    1. Log in with your admin account, open the drop-down menu and select Settings
    2. Go to Admin -> Settings -> Apps
    3. Press "show disabled apps"
    4. Turn on the 2 Factor app
  2. Have each user turn on TOTP second-factor authentication
    1. Once logged in, go to "Security" under Settings in the profile pull-down menu
    2. Turn on Two Factor with the check box and scan the QR code with the authenticator app of your choice, such as Google Authenticator
    3. Verify the code by entering it and pressing the "Verify" button.

  3. Now, when logging in to the RAP server, you will be asked for the verification code after entering your password.




Troubleshooting

Tasks for the User

Because each user has to opt in, they must turn it on themselves, if required, as described above.


Second Factor is Inaccessible

In case a user loses access to the second factor, e.g. by breaking or losing the phone with two-factor SMS/app verification, the user is locked out. To give the user access to the account again, an admin can temporarily disable the two-factor check for that user via the impersonation feature in the admin's menu. As an admin, impersonate the affected user, go to their settings, and turn off TOTP 2 factor. Log out of the impersonation session, then have the user log in again, turn 2-factor back on and verify it.