How to manage TOTP authentication on CloudFerro Cloud
To use your CloudFerro Cloud account, you need to set a password and an additional authentication factor. For the latter, the TOTP algorithm is used. In this article you will learn how to manage your TOTP configuration.
What Are We Going To Cover
Important information about TOTP
Entering the TOTP management console
Removing the TOTP secret key
Adding a new TOTP secret key
Contacting customer support
Prerequisites
No. 1 Account
You need a CloudFerro Cloud account: https://horizon.cloudferro.com
No. 2 2FA set on your account
During account initialization, you will be prompted to configure 2FA TOTP software. You can, for instance, use one of the following articles for that purpose:
TOTP - important information
The 2FA algorithm used on CloudFerro Cloud generates a 6-digit TOTP code every 30 seconds from a secret key known both to the software used by the user and to the authentication server. That code remains valid until some time after a new code has been generated. Generating a code requires no data transfer between the authentication server and the software used by the user - the user only needs to enter the code into the correct field.
During 2FA configuration, this secret key is presented to the user, who can provide it to the device of their choice. It can also be provided to multiple devices at the same time. The server does not know which devices received that key and therefore cannot differentiate between different devices using the same key.
Because of that, the 2FA management console presented in this article does not provide a list of devices used for 2FA, but rather secret keys used for that purpose. If you delete a secret key, all devices which rely on it for authentication will no longer be able to do that.
In this article, the term secret key means the above-mentioned key used for generating 6-digit codes. It can be stored on multiple devices, or even in multiple pieces of software on the same device.
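The following sketch illustrates the behaviour described in this section. It is an added example, not CloudFerro Cloud's own code. It assumes the RFC 6238 defaults (HMAC-SHA1), uses the public RFC 6238 test key instead of a real secret, and assumes a grace window of one earlier code on the server side:

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code, as stated in the article
DIGITS = 6   # code length, as stated in the article

# Constructed sample: the public RFC 6238 test key, never a real account secret.
SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: int) -> str:
    """Return the TOTP code for a moment in time (HMAC-SHA1 is an assumption)."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", unix_time // STEP)   # 8-byte big-endian step number
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, code: str, unix_time: int, past_steps: int = 1) -> bool:
    """Server-side check: accept the current code and `past_steps` older ones.

    The size of the grace window is an assumption made for illustration.
    """
    ok = False
    for back in range(past_steps + 1):
        expected = totp(secret_b32, unix_time - back * STEP)
        ok |= hmac.compare_digest(expected, code)     # constant-time comparison
    return ok


def two_devices_same_key(unix_time: int) -> tuple:
    """Two authenticators holding the same key compute identical codes offline."""
    phone = totp(SECRET, unix_time)
    laptop = totp(SECRET, unix_time)
    return phone, laptop


if __name__ == "__main__":
    t = 1111111109                                    # RFC 6238 test timestamp
    print("phone/laptop:", two_devices_same_key(t))
    print("accepted 2 s later, after rollover:", verify(SECRET, "081804", t + 2))
    print("accepted with no grace window:", verify(SECRET, "081804", t + 2, 0))
```

Both authenticators derive the code only from the shared key and the clock, so the server sees identical input from either of them and can manage only the key, not the individual devices.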
Entering the TOTP management console
Navigate to https://identity.cloudferro.com/auth/realms/CloudFerro-Cloud/account/#/security/signingin - you should see a page similar to this:
Note
On the screenshots in this article, the name of the user was blurred for privacy reasons.
The section Two-factor authentication should contain your currently used secret key.
Removing the TOTP secret key
If you no longer wish to use a secret key, you can remove it. To do that, click Remove. You will receive the prompt on the screenshot below. Note that if you didn’t choose the name otp for your secret key, the name you set will be shown instead.
To confirm, click Continue. The entry should disappear from the list:
Important
Since 2FA is mandatory on CloudFerro Cloud, if you delete your last secret key and do not add a new one, you should be prompted for TOTP configuration during your next login.
Adding a new TOTP secret key
You can add a new secret key to your account.
Warning
You should only have one secret key attached to one CloudFerro Cloud account at the same time. If you have multiple keys, you will be able to use only the earliest one for the OpenStack CLI and generating a Keycloak token for access. Others will only be able to authenticate to the Tenant Manager and Horizon dashboard.
Click Set up authenticator application. If you can’t see this link, use the button containing three dots:
You will get a prompt for setting up your application, like the one you used during account creation:
Proceed in the same way as during account creation - Prerequisite No. 2 above contains articles which can help. If you want to use multiple devices for that secret key, add it to them all before finishing the configuration. Once you’re ready, enter the 6-digit TOTP code from one of your devices to complete the process.
Of course, if at least one of the devices used for that secret key allows you to extract it, or you backed it up somewhere in a readable form, you will be able to add your secret key to more devices in the future without having to reconfigure it.