Navigation
You were redirected from a different version of the documentation. Click here to go back.
  • Security >
  • Manage Two-Factor Authentication for Ops Manager

Manage Two-Factor Authentication for Ops Manager

On this page

Overview

When enabled, two-factor authentication requires a user to enter a verification code to log in and to perform certain protected operations. Operations that require two-factor authentication include:

  • restoring and deleting snapshots,
  • stopping and terminating Backup for a sharded cluster or replica set,
  • inviting and adding users,
  • generating new two-factor authentication backup codes, and
  • saving phone numbers for two-factor authentication.

Administrators with access to the Ops Manager Application‘s conf-mms.properties configuration file can enable two-factor authentication through the file’s mms.multiFactorAuth.level setting. Administrators can also enable two-factor authentication to use Twilio to send verification codes to users via SMS or voice call.

Users configure two-factor authentication on their accounts through their Ops Manager user profiles, where they select whether to receive their verification codes through voice calls, text messages (SMS), or the Google Authenticator application. If your organization does not use Twilio, then users can receive codes only through Google Authenticator.

Administrators can reset accounts for individual users as needed. Reseting a user’s account clears out the user’s existing settings for two-factor authentication. When the user next performs an action that requires verification, Ops Manager forces the user to re-enter settings for two-factor authentication.

Procedures

Enable Two-factor Authentication

1

Open the Ops Manager Application‘s conf-mms.properties file.

The conf-mms.properties file is located in the <install_dir>/conf/ directory. See Ops Manager Configuration for more information.

2

Set the mms.multiFactorAuth.level property to OPTIONAL, REQUIRED, or REQUIRED_FOR_GLOBAL_ROLES.

mms.multiFactorAuth.level=REQUIRED

When mms.multiFactorAuth.level is OPTIONAL, users can choose to set up two-factor authentication for their Ops Manager account.

When mms.multiFactorAuth.level is REQUIRED, all users must set up two-factor authentication.

When mms.multiFactorAuth.level is REQUIRED_FOR_GLOBAL_ROLES, users who possess a global role must set up two-factor authentication, while two-factor authentication is optional for all other users.

3

Restart the Ops Manager Application.

sudo service mongodb-mms start

Enable Twilio Integration

1

Configure Twilio integration.

Configure Twilio integration through the Twilio settings in the Ops Manager Application‘s conf-mms.properties file.

2

Restart the Ops Manager Application.

For example:

sudo service mongodb-mms start

Reset a User’s Two-factor Authentication Account

Reseting the user’s account clears out any existing two-factor authentication information. The user will be forced to set it up again at the next login.

You must have the global user admin or global owner role to perform this procedure.

1

Open Ops Manager Administration.

To open Administration, click the Admin link in the Ops Manager banner.

2

Select the Users page.

3

Locate the user and click the pencil icon on the user’s line.

4

Select the Clear Two Factor Auth checkbox.