Overview

Two-Factor Authentication (2FA) adds an extra layer of security for operators logging into Integriti. After entering their username and password, operators must provide a time-based one-time password (TOTP) code generated by an authenticator app on their smartphone or tablet.

Integriti supports two 2FA methods:

  • TOTP (Time-based One-Time Password)
    Description: Standard 6-digit rotating code.
    App: Google Authenticator, Microsoft Authenticator, or any TOTP-compatible app.
  • Duo Push
    Description: Push notification to approve/deny login.
    App: Duo Mobile App (Android/iPhone).

2FA can be enabled per-operator (voluntary enrolment) or enforced via a Security Policy (mandatory for all covered operators). 2FA works with Integriti System Designer, GateKeeper, the Web Interface, Active Directory Integration, and Single Sign-On.

Document version: November 2022.

Prerequisites

  • Integriti System Designer with permission to edit System Settings.
  • A smartphone or tablet with a compatible authenticator app:
    • Google Authenticator (Android/iOS)
    • Microsoft Authenticator (Android/iOS)
    • Duo Mobile (Android/iPhone)
  • The Integriti server’s system time must be synchronised with an NTP server (TOTP codes are time-based).

Step-by-Step

Enable 2FA in System Settings

  1. Open Integriti System Designer.
  2. Go to System → System Settings.
  3. Under Configuration, locate Two-Factor Authentication Login Mode.
  4. Select at least one method: TOTP and/or Duo Push.
  5. Save the settings.

Enrol an Operator for TOTP 2FA

  1. Go to Administration → Operators.
  2. Edit the operator to enrol.
  3. Click the Enrol button to open the 2FA enrolment dialog.
  4. If multiple methods are enabled, select TOTP / Google Authenticator.

Method A: Scan the QR Code

  1. Open your authenticator app (e.g. Google Authenticator).
  2. Tap + and select Scan a QR code.
  3. Scan the QR code shown in the Integriti enrolment dialog.
  4. A new “Integriti 2FA” account appears in the app.
  5. Enter the 6-digit code from the app into the enrolment dialog.
  6. Click OK.

Method B: Manual Entry (No Camera)

  1. In Google Authenticator, select Enter a setup key.
  2. Enter the Account name, Key, and Type of key from the enrolment dialog.
  3. Press Add.
  4. Enter the 6-digit code from the app into the enrolment dialog.
  5. Click OK.

Important: Scan the QR code with ALL devices you plan to use for 2FA BEFORE clicking OK. Once enrolment is complete, you cannot add additional devices without deleting and re-enrolling.

Enrol an Operator for Duo Push 2FA

  1. Edit the operator and click Enrol.
  2. Select Duo Mobile.
  3. Select your device type.
  4. Open the Duo Mobile App and scan the QR code.
  5. A new Integriti 2FA account appears in the app.
  6. Click OK — the phone receives a Push Notification.
  7. Accept the request in the Duo Mobile app.
  8. The operator is now enrolled.

Generate an Emergency Backup Code (Optional)

  1. From the Edit Operator window, click Generate Backup Code.
  2. Store the backup code in a secure place (password-protected file, safe, etc.).
  3. The backup code allows one-time login without a 2FA device.
  4. Generating a new backup code invalidates any previous one.

Enforce 2FA via Security Policy

  1. Go to Administration → Security Policies.
  2. Open the policy to enforce 2FA for.
  3. Tick the Enforce 2FA checkbox.
  4. Save the policy.
  5. All operators covered by the policy will be prompted to enrol for 2FA on their next login. If they cancel the enrolment dialog, the program will close.

Verification

Log in with TOTP

  1. Log into Integriti with username and password.
  2. The “Enter Two-Factor Authentication Code” dialog appears.
  3. Open your authenticator app and enter the 6-digit code.
  4. Click OK — you should be logged in.

Log in with Duo Push

  1. Log into Integriti with username and password.
  2. Approve the push notification on your Duo Mobile app.

Log in with Emergency Backup Code

  1. At the 2FA prompt, click Enter Backup Code.
  2. Enter your backup code.
  3. You are logged in — the code is now expired.

Troubleshooting

Symptom: 2FA code rejected
Resolution: TOTP codes are time-based. Ensure both the Integriti server and your personal device have accurate system time synchronised via NTP. If the problem persists, have an administrator reset your 2FA enrolment so you can re-enrol.

Symptom: Lost 2FA device
Resolution: Use your emergency backup code (if generated). If no backup code exists, contact an administrator to reset your 2FA enrolment data.

Symptom: No backup code, all operators locked out
Resolution: Contact Inner Range Technical Support for assistance.

Symptom: Operator cannot enrol (QR code not scanning)
Resolution: Use the manual entry method: enter the Account name, Key, and Key type shown in the enrolment dialog.

Symptom: Enforcement prompt keeps appearing
Resolution: The operator is covered by a Security Policy with Enforce 2FA enabled. They must complete enrolment or the program will close.

Symptom: Backup code already used
Resolution: Backup codes are single-use. Generate a new backup code after logging in.
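The "2FA code rejected" symptom and the NTP prerequisite both come down to the way a TOTP code is derived from the clock. The following added example (not Integriti's or Inner Range's code) implements RFC 6238 TOTP as the authenticator apps above do, and shows how a phone clock that drifts more than one 30-second step from the server makes a correct secret produce a rejected code. The secret is a constructed value (the RFC 6238 reference key in base32), not a real enrolment key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 6238 reference key "12345678901234567890" in base32.
# In practice this is the "Key" shown in the Integriti enrolment dialog (manual entry method).
EXAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # standard TOTP time step
DIGITS = 6          # standard 6-digit code


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits), as generated by Google/Microsoft Authenticator."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)   # tolerate unpadded keys
    key = base64.b32decode(padded)
    counter = unix_time // STEP_SECONDS                            # the only time-dependent input
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, submitted: str, server_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step or the `window` steps either side of it.

    A tolerance of one step is a common choice; it is an assumption here, not a documented
    Integriti setting. Constant-time comparison avoids leaking which digits matched.
    """
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + k * STEP_SECONDS), submitted)
        for k in range(-window, window + 1)
    )


def skew_tolerated(secret_b32: str, phone_offset_seconds: int, server_time: int = 1_700_000_000) -> bool:
    """Simulate a phone whose clock is off by `phone_offset_seconds` from an NTP-synced server."""
    phone_code = totp(secret_b32, server_time + phone_offset_seconds)   # what the app displays
    return verify(secret_b32, phone_code, server_time)                  # what the server decides


if __name__ == "__main__":
    for drift in (0, 20, 300):
        print(f"phone clock off by {drift:4d}s -> accepted: {skew_tolerated(EXAMPLE_SECRET, drift)}")
```

A drift of a few seconds is absorbed by the step window; a drift of minutes is rejected even though the secret is correct, which is why the fix is time synchronisation rather than re-enrolment in the first instance.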