In this article, you will learn how to use Two-factor authentication in ftrack Studio.
ftrack Studio supports 2FA (Two-factor authentication), which can be enabled for the login process. Two-factor authentication is a multi-factor identity verification type that enhances account security by requiring a second factor to authenticate the user beyond the account password.
Logging in with 2FA
When logging in with 2FA, you first encounter the standard ftrack login screen, where you must enter your username with password. ftrack verifies these credentials against the ftrack database or LDAP source. If the credentials are valid, a new screen displays, asking to enter an OTP (one-time-password, a temporary and secure PIN code).
|Tip: To generate the OTP, you can use different authentication applications (Apps) – such as Authy, Duo Mobile, or Google Authenticator.
If the OTP is valid, it gets accepted by ftrack, and your Studio login is complete, granting you access to the service.
|Please note: 2FA is available only to users of ftrack and LDAP types. Users logging in via Google or SSO can already use 2FA via their identity provider.
Enforcing 2FA on all accounts [Only available to Enterprise customers]
You can enable ftrack Studio's 2FA feature per account or enable it for all users, forcing all accounts to log in using 2FA.
To enforce 2FA for all accounts, go to System settings > Security > Settings and toggle on the Enforce two-factor authentication checkbox.
When the Enforce two-factor authentication checkbox is toggled on for a user, they will be asked to enable 2FA immediately following their subsequent login (with username and password) or when they reload their ftrack Studio webpage.
Step 1: To enable 2FA, the user must download and install an app, such as Authy, Duo Mobile, Google Authenticator, or any other desktop or web-based TOTP application (Time-based One Time Password).
Step 2: Once the app is downloaded to their personal device, the user needs to open it and scan the QR code displayed on the screen.
Step 3: The user will receive a verification code they must enter into the ftrack Studio dialogue box where it says Insert code...
Once the 2FA is enabled, the user will receive a confirmation message:
Enabling 2FA on specific accounts
If the Enforce two-factor authentication setting is not enforced for all accounts, it will be optional for each ftrack Studio account.
To enable 2FA per account, the user must go to My account > Security settings and click on Enable 2FA in the Two-factor authentication window.
Next, ftrack Studio requests the user to follow the same procedure as detailed above in Logging in with 2FA. Download and install a preferred app, scan the QR code, and verify using the received code.
When 2FA is enabled, the user will receive a confirmation message.
During the user's subsequent login, after they have entered their initial username and password, they will see this screen, which requests a verification code from the authentication app of choice.
You can disable 2FA on your account via My account > Security settings by clicking on the Disable 2FA button in the Two-factor authentication window.
2FA can be disabled for other users by an administrator in System settings > Users and groups. Using the 2FA column or opening the Edit option in the User profile and unchecking the 2FA checkbox.
2FA Backup codes
If your device containing the authentication app is lost or unavailable, you can utilize backup codes instead.
Please note: This is a preemptive measure – backup codes must be accessed, downloaded, and stored at a time when the device is still available.
Tip: We recommend storing your codes somewhere safe for later use. As with your authentication codes, the backup codes are only usable to others if they also have access to your password.
Enter a code from the authentication app to proceed.
The backup codes are then generated and can be copied or printed for safe storage and use if your device/authentication app is unavailable.
Backup codes come in sets of ten. You can generate a new set at any point, which will make the old set inactive.
How do I log in if the administrator at my facility has lost their 2FA device and backup codes?
How do I log in with 2FA if I’ve lost my phone?
You can access and use backup codes if you have them stored. Alternatively, ask an administrator to disable 2FA on your account from System Settings.
How to get new backup codes if I’ve lost them?
Head to your account page. You can generate ten new backup codes for safe storage. These codes will automatically replace the previously generated backup codes.
How can I move my 2FA to the new phone?
Login to ftrack Studio and head to My account, where you can disable 2FA for your account using your old phone. You can then enable it again using your new phone.