Two-factor authentication (2FA) for Red Hat Customer Portal

Solution Verified - Updated -

Environment

Issue

  • Is two-factor authentication (2FA) available for Red Hat Customer Portal and Red Hat Hybrid Cloud Console?

  • I want to enable two-factor authentication (2FA) for my Customer Portal login ID

  • I want to require two-factor authentication for all users on my account (Organizational 2FA)

  • I want to set up recovery codes

  • I have already enabled two-factor authentication (2FA) but I want to revoke it

  • When I try to access the Customer Portal, I am asked for a one-time code, but I cannot obtain one because I do not have access to the authenticator

Resolution

Two-factor authentication (2FA) is currently available for customers in two ways:

  • Organizational 2-factor authentication - All users that belong to the organization account are required to use a second factor each time they authenticate. Users are prompted to enable 2FA on their first login after the organization account is enrolled.

  • Individual opt-in 2-factor authentication - users choose to enable 2FA for their individual login after authenticating.

Note: The current implementation of 2FA only applies to applications that use a browser-based authentication flow on the external SSO (sso.redhat.com). It does not apply to command-line authentication flows: users of those services can still log in with only a username and password, without being asked for a One Time Password (OTP). Enabling 2FA therefore does not protect a password that is used in a non-browser flow.

  • Currently, Red Hat's implementation of 2FA requires that the user logging in has a mobile phone capable of running either the FreeOTP or the Google Authenticator application. Hardware tokens, SMS codes and other mobile authenticator apps are not supported at this time. Customers who must authenticate in a secure environment that does not allow them to carry a mobile device should not enable 2FA.
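Both FreeOTP and Google Authenticator compute time-based one-time passwords (TOTP, RFC 6238: HMAC-SHA1 over a 30-second time counter, truncated to six digits). The example below is added here for illustration and is not Red Hat's code; it reproduces that computation and a server-side check with a one-step clock-drift window, using the RFC 6238 reference secret (the ASCII string "12345678901234567890") so the output can be compared against the RFC's published test vectors. It makes the failure mode in the last bullet concrete: the shared secret exists only on the server and on the enrolled device, so without the device (or recovery codes) no valid code can be produced.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret, encoded the way an authenticator app receives it
# in an otpauth:// provisioning URI / QR code (Base32, no padding).
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what the authenticator app on the phone displays."""
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret_b32: str, candidate: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the code for the current time step or any
    step within +/- window (tolerates small clock drift on the phone).
    Comparison is constant-time so a wrong guess leaks nothing about
    how many digits matched."""
    for delta in range(-window, window + 1):
        t = unix_time + delta * step
        if t < 0:
            continue
        if hmac.compare_digest(totp(secret_b32, t, step=step), candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test vectors (SHA-1, 8 digits): 59 -> 94287082, 1234567890 -> 89005924
    for t in (59, 1111111109, 1234567890, 2000000000):
        print(t, totp(RFC6238_SECRET_B32, t, digits=8))
    now = int(time.time())
    print("current 6-digit code:", totp(RFC6238_SECRET_B32, now))
```

A real deployment keeps the Base32 secret server-side per user and never shows it again after enrollment; recovery codes are an independent, single-use credential stored separately, which is why they still work when the phone is gone.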

I want to enable two-factor authentication (2FA) for an individual Customer Portal login ID

Users can enable 2FA for their login ID via the Signing in page. See the product documentation for detailed set-up information.

I want to set up recovery codes

  • All users who enable 2FA for their login ID should set up recovery codes for use in the event they do not have access to their mobile device to produce a one-time code. The process for setting up recovery codes is outlined in the product documentation.

I am an Organization Administrator of an account. I want to set up organizational 2-factor authentication for my account so that all users under the same account must use two-factor authentication (2FA)

  • To enable organizational two-factor authentication, visit the Identity & Access Management area on the Hybrid Cloud Console beta site. While the UI for enabling this feature is on the Hybrid Cloud Console, the setting affects login on any Red Hat web property integrated with sso.redhat.com (Customer Portal, Partner Connect, Red Hat Developers, the Hybrid Cloud Console itself, and many more). Refer to the product documentation for detailed information.

I am not sure if the login ID I am using is enabled with two-factor authentication (2FA)

  • To see whether a login ID is configured with two-factor authentication, log in with that login ID through a browser. If you are not prompted for a one-time code after entering your password, the login ID is not configured with two-factor authentication. (A command-line login is not a valid check, because 2FA is not enforced on command-line flows.)

I have already enabled two-factor authentication (2FA) and I want to revoke/remove it, or to add a new authenticator

  • You can revoke the current authenticator and/or add a new one from the Signing in page.

After the authenticator is revoked, you will no longer be asked for a one-time code.

Users on accounts whose Organization Administrator has enabled two-factor authentication at the organization level, as described above, will be prompted to configure 2FA for their user on their next login attempt.

I do not have access to the authenticator and have not set up recovery codes. I am not able to login to Customer Portal

  • You can ask Red Hat to revoke the two-factor authentication protection on your Red Hat account when your authenticator device is lost and you have no recovery codes available, or when you have no other way to log in to your account with two-factor authentication enabled.
  • All requests to revoke two-factor authentication must be made by phone. You cannot revoke two-factor authentication with an email request or any other online request.
    Please note that account verification through a phone call from Red Hat Customer Service to the phone number listed under your login ID is the only method approved by the Red Hat security teams for quickly revoking two-factor authentication settings. There are no exceptions to this process.
  • Depending on whether that verification call can be completed, Red Hat Customer Service can revoke 2FA either immediately (verified by phone) or after a seven-day email notice period.
  • When you cannot accept a call to the phone number of record for your account, the Red Hat Customer Service team sends an email notification to the email address associated with your account. The email notifies the account holder that two-factor authentication will be revoked in 7 days. You can reply to the notification email if you decide you do not want two-factor authentication revoked.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
