Two-factor authentication overview

This topic describes how two-factor authentication works in Jive communities.

Two-factor authentication (2FA) adds a second step to the user authentication procedure used to make sure that the person trying to gain access to the community is the actual user.

About 2FA in Jive

Jive uses the Time-based One-time Password (TOTP) algorithm (RFC 4226) when providing 2FA for your community. This algorithm is supported by most authentication providers, such as Google Authenticator and Authy.

2FA affects nearly all user types, including internal users (who use the employee login), federated users, and external contributors. The only exception is users who log in through SSO; their identity security is ensured by the SSO provider.

2FA configuration

The two-factor authentication configuration includes the settings for TOTP 2FA as well as the Jive-specific parameters.

The TOTP 2FA configuration includes the time step, grace window, the code length, the device token lifetime, and the issuer name.
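How the time step, grace window and code length interact when a code is verified, as an added example that is not Jive's code. TOTP is specified in RFC 6238 and reuses the HOTP truncation from RFC 4226. The function names, the reading of the grace window as a number of time steps accepted on either side of the current one, and the `last_used_step` replay guard are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret: bytes, now: float, time_step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = Unix time // time step."""
    return hotp(secret, int(now) // time_step, digits)

def verify(secret, submitted, now, time_step=30, digits=6,
           grace_window=1, last_used_step=-1):
    """Return the matching time-step counter, or None if the code is rejected.

    Assumption: grace_window counts time steps accepted on either side of
    the current one. last_used_step is a hypothetical per-user value that
    blocks replay of a code that was already accepted.
    """
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == digits):
        return None
    current = int(now) // time_step
    matched = None
    for step in range(max(0, current - grace_window), current + grace_window + 1):
        # Compare every candidate in constant time; do not stop at the first hit.
        if hmac.compare_digest(hotp(secret, step, digits), submitted):
            if step > last_used_step:
                matched = step
    return matched

# Constructed sample input: the published RFC 6238 test key, not a real secret.
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(SECRET, 59, digits=8)            # generated in step 1 (t = 30..59)
    print(code)
    print(verify(SECRET, code, 89, digits=8, grace_window=1))    # one step late
    print(verify(SECRET, code, 89, digits=8, grace_window=0))    # no grace
    print(verify(SECRET, code, 59, digits=8, last_used_step=1))  # replay
```

A wider grace window tolerates more clock drift on the user's device but lengthens the period during which an intercepted code is still accepted.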

Specifically for your community, 2FA can target only a particular user group by group ID or the entire community. Additionally, enabling 2FA disables the basic authentication by default; for more information, see 2FA and API access.

The users' ability to switch the devices used for 2FA is also determined by the setup. Administrators can unpair user devices from the User Summary page in the Admin Console without entering the 2FA verification code. Users themselves can unpair their devices only if it is allowed for the community. In addition, self-service unpairing requires users to authenticate with their password and verification code.

2FA for users

To set up 2FA for their user account, users need to install an authentication app on their mobile device. Jive supports Google Authenticator and Authy, but any other authenticator with TOTP support should also work.

Users are required to set up 2FA on their accounts on the next login after 2FA is enabled. They also pass 2FA for the first time as the second step during setup. Note that Jive uses the primary user email for authentication and users are not required to enter their email.

Re-authenticating is required when users change their password or if they want to change the device they use for authentication.

Generally, a user can switch devices by removing the device on the Preferences page, and then authenticating themselves on the next login. Unpairing the employed device requires entering the user password and the 2FA verification code. If a user cannot unpair the devices themselves, an administrator can do it for them.

2FA and API access

When 2FA is enabled, basic authentication is disabled by default. In this case, API requests must use OAuth authentication. An incorrectly authenticated request returns an HTTP 401 Unauthorized response.

Although not recommended with 2FA enabled, basic authentication can be enabled for the community, thus allowing API requests authenticated with a user name and password only.

For more information about API requests authentication, see the Jive API.

2FA logging

Jive logs the successful and failed login events as required by system configuration for authentication logging. For more information, see Using application logs.