This page describes how to enable two-factor authentication for native Domino-managed accounts in versions of Domino prior to 3.6. If you’re running Domino 3.6+ with the new Keycloak authentication service, you should visit admin.dominodatalab.com to learn about authentication options in Keycloak.
What is two-factor authentication?
Two-factor authentication (2FA) is an optional but highly-recommended extra layer of security that requires you to have access to your phone or mobile device when logging in to Domino. This means even if your password is compromised, only you have access to your account.
Here’s how it works:
- When you sign in, you’ll be asked to enter a six-digit authentication code in addition to your password
- You’ll receive the authentication code from a secure app on your mobile device
- Enter that code in Domino to log in
How do I set up two-factor authentication for my account?
0. Before you can set up 2FA on your account, you’ll need to download and install a Time-based One-Time Password (TOTP) app on your mobile device to generate time-sensitive authentication codes. Domino 2FA can be used with most TOTP applications. We recommend using Google Authenticator for both iOS (App Store) and Android (Google Play).
Once you’ve installed a TOTP app, you’re ready to enable two-factor authentication on Domino.
Note: If an Administrator has required the use of 2FA for your account, you’ll immediately be directed to Step 4 upon log in.
1. In the upper-right corner of any page, click your username, then click Account Settings.
2. In the sidebar, click Two-Factor Authentication.
   Note: If this option isn’t in your sidebar, contact your Administrator to enable this feature.
3. Under Two-Factor Authentication, click Set up an authenticator app.
4. On the Enable Two-factor authentication page, scan the QR code with your TOTP mobile app to configure your app.
   If you can’t use the QR code, click enter this text code to view a secret key that you can manually enter into your app. Remember to select time-based in your app when using the manual key entry.
5. Once your TOTP app is configured, it will generate a new authentication code every 30 seconds. In Domino, enter one of these codes and click Submit.
From now on, when you log in to Domino, just open your app and enter the authentication code along with your password.
For additional security, after 6 consecutive failed authentication attempts your account will have to be unlocked by an administrator.
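How the TOTP app and the server derive the same six-digit code from the shared secret key and the current 30-second window, shown as an added example that is not Domino's own code. It assumes the RFC 6238 defaults (HMAC-SHA1) that Google Authenticator uses; the one-step clock-drift tolerance in `verify` and the sample secret are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code, as stated on this page
DIGITS = 6   # six-digit codes, as stated on this page


def totp(secret_b32, at=None, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP (HMAC-SHA1) for a base32 text secret key."""
    # Manual key entry is usually shown in groups and may be typed in lower case.
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)            # restore base32 padding
    key = base64.b32decode(cleaned)
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at=None, drift_steps=1):
    """Check a submitted code against the current step +/- drift_steps.

    drift_steps=1 is an assumed policy to tolerate small clock differences
    between phone and server; a wider window weakens the second factor.
    """
    now = time.time() if at is None else at
    ok = False
    for d in range(-drift_steps, drift_steps + 1):
        t = now + d * STEP
        if t < 0:
            continue
        # Constant-time comparison; no early exit on the first match.
        ok |= hmac.compare_digest(totp(secret_b32, t).encode(), submitted.encode())
    return ok


# Constructed sample: the published RFC 6238 test key, not a real secret.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print("code for the current 30-second window:", totp(SAMPLE_SECRET))
    print("code at t=59 (RFC 6238 vector):", totp(SAMPLE_SECRET, at=59))
```

Anyone who obtains the secret key or a copy of the QR code can generate valid codes, so treat both like a password.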
What if I lose access to my device or TOTP app?
After enabling two-factor authentication, you’ll receive 10 9-digit recovery codes. Your recovery codes will allow you to get back into your account if you lose access to your phone or delete your authentication app.
Save these recovery codes in a safe place. You can find them again, or reset them, by going to Account > Two-Factor Authentication > View Recovery Codes.
You can use any of these codes to log in to your account, but you can only use each code once.
What if I lose my recovery codes?
If you don’t have access to your recovery codes, an Admin can manually disable 2FA for your account.
Why can’t I get my authentication code through SMS?
The National Institute of Standards and Technology (NIST) discourages the use of SMS or voice-based 2FA. For details, see section 126.96.36.199 of their report here.
Is there a way to require that all users enable two-factor authentication?
- Yes, as a Domino system administrator, add a com.cerebro.domino.twoFactorAuthentication.isRequired key to the Domino central configuration with a value of