To provide 2FA functionality, the "2-Factor Authentication" app included with the RAP server needs to be enabled. Once enabled, the app is enabled for all users by default, but each user has to opt in.
OAuth 2.0 is the recommended authentication method for clients. The OAuth 2.0 App is enabled on all RAP servers by default. When using the OAuth 2.0 App, the RAP-Sync Desktop clients will open the login page in the system web browser. After entering their regular credentials, users will see a second page, where they need to enter the second factor.
App Passwords / Tokens
Without the OAuth 2.0 App, users need to log in to their RAP account in a regular web browser first, then create an app password or token, which can then be used in the RAP-Sync Desktop clients.
- Turn on the 2 Factor app as the admin
  - Log in with your admin account, open the drop-down menu and select Settings
  - Go to the admin -> Settings -> Apps
  - Press "show disabled apps"
  - Turn on the 2 Factor App
- Have each user turn on TOTP Second-factor Auth
  - Once logged in, go to "Security" under Settings in the profile pull-down menu
  - Turn on Two Factor with the check box and scan the QR code with your authenticator app of choice, such as Google Authenticator
  - Verify the code by entering it and pressing the "Verify" button
- Now, when logging in to the RAP server, you will be asked for the verification code after entering your password.
Troubleshooting
Tasks for the User
Because each user has to opt in, they must turn it on themselves, if required, as described above.
Second Factor is Inaccessible
If a user loses access to the second factor, e.g. by breaking or losing the phone used for two-factor SMS/app verification, the user is locked out. To give the user access to the account again, an admin can temporarily disable the two-factor check for that user via the impersonation feature in the admin's menu. As an admin, impersonate the affected user, go to their settings, and turn off TOTP two-factor. Log out of the impersonation session, then have the user log in again, turn two-factor back on, and verify it.