This page describes how to enable two-factor authentication for native Domino-managed accounts in version of Domino prior to 3.6. If you’re running Domino 3.6+ with the new Keycloak authentication service, you should visit admin.dominodatalab.com to learn about authentication options in Keycloak.
What is two-factor authentication?
Two-factor authentication (2FA) is an optional but highly-recommended extra layer of security that requires you to have access to your phone or mobile device when logging in to Domino. This means even if your password is compromised, only you have access to your account.
Here’s how it works:
When you sign in, you’ll be asked to enter a six-digit authentication code in addition to your password
You’ll receive the authentication code from a secure app on your mobile device
Enter that code in Domino to log in
How do I set up two-factor authentication for my account?
Before you can set up 2FA on your account, you’ll need to download and install a Time-based One-Time Password (TOTP) app on your mobile device to generate time-sensitive authentication codes. Domino 2FA can be used with most TOTP applications.We recommend using Google Authenticator for both iOS (App Store) and Android (Google Play).
After you’ve installed a TOTP app, you’re ready to enable two-factor authentication on Domino.
In any page, click your username, then click Account Settings
In the sidebar, click Two-Factor AuthenticationNote
Under Two-Factor Authentication, click Set up an authenticator app.
On the Enable Two-factor authentication page, scan the QR code with your TOTP mobile app to configure your app.
If you can’t use the QR code, click enter this text code to view a secret key that you can manually enter into your app. Remember to select time-based in your app when using the manual key entry.
After your TOTP app is configured, it will generate a new authentication code every 30 seconds. In Domino, enter one of these codes and click Submit.
From now on, when you log in to Domino, open your app and enter the authentication code with your password.
For additional security, after six consecutive failed authentication attempts your account must be unlocked by an administrator.
What if I lose access to my device or TOTP app?
After enabling two-factor authentication, you’ll receive 10 9-digit recovery codes. Your recovery codes will allow you to get back into your account if you lose access to your phone or delete your authentication app.
Save these recovery codes in a safe place. You can find them again, or reset them, by going to Account > Two-Factor Authentication > View Recovery Codes.
You can use any of these codes to log in to your account, but you can only use each code once.
What if I lose my recovery codes?
If you don’t have access to your recovery codes, an Admin can manually disable 2FA for your account.
Why can’t I get my authentication code through SMS?
The National Institute of Standard and Technology (NIST) discourages the use of SMS or voice based 2FA. For details, see section 18.104.22.168 of their report here.
Is there a way to require that all users enable two-factor authentication?
Yes, as a Domino system administrator, add a
com.cerebro.domino.twoFactorAuthentication.isRequired key to the Domino
central configuration with a value of
For more information about Domino’s security, see Security at Domino.