This page describes how to enable two-factor authentication for native Domino-managed accounts in version of Domino prior to 3.6. If you’re running Domino 3.6+ with the new Keycloak authentication service, see Keycloak Authentication Service to learn about authentication options in Keycloak.
What is two-factor authentication?
Two-factor authentication (2FA) is an optional but highly-recommended extra layer of security that requires you to have access to your phone or mobile device when logging in to Domino. This means even if your password is compromised, only you have access to your account.
It works as follows:
When you sign in, you’ll be asked to enter a six-digit authentication code in addition to your password.
You’ll receive the authentication code from a secure app on your mobile device.
Enter that code in Domino to log in.
How do I set up two-factor authentication for my account?
Before you can set up 2FA on your account, you’ll need to download and install a Time-based One-Time Password (TOTP) app on your mobile device to generate time-sensitive authentication codes. Domino 2FA can be used with most TOTP applications.We recommend using Google Authenticator for both iOS (App Store) and Android (Google Play).
After you’ve installed a TOTP app, you’re ready to enable two-factor authentication on Domino.
|If an Administrator has required the use of 2FA for your account, you’ll immediately be directed to Step 4 upon log in.
In any page, click your username, then click Account Settings
In the sidebar, click Two-Factor AuthenticationNote
If this option isn’t available, contact your Administrator to enable this feature.
Under Two-Factor Authentication, click Set up an authenticator app.
On the Enable Two-factor authentication page, scan the QR code with your TOTP mobile app to configure your app.
If you can’t use the QR code, click enter this text code to view a secret key that you can manually enter into your app. Remember to select time-based in your app when using the manual key entry.
After your TOTP app is configured, it will generate a new authentication code every 30 seconds. In Domino, enter one of these codes and click Submit.
From now on, when you log in to Domino, open your app and enter the authentication code with your password.
For additional security, after six consecutive failed authentication attempts your account must be unlocked by an administrator.
What if I lose access to my device or TOTP app?
After enabling two-factor authentication, you’ll receive 10 9-digit recovery codes. Your recovery codes will allow you to get back into your account if you lose access to your phone or delete your authentication app.
Save these recovery codes in a safe place. You can find them again, or reset them, by going to Account > Two-Factor Authentication > View Recovery Codes.
You can use any of these codes to log in to your account, but you can only use each code once.
What if I lose my recovery codes?
If you don’t have access to your recovery codes, an Admin can manually disable 2FA for your account.
Why can’t I get my authentication code through SMS?
The National Institute of Standard and Technology (NIST) discourages the use of SMS or voice based 2FA. See section 18.104.22.168 of NIST Special Publication 800-63B: Digital Identity Guidelines for details.
Is there a way to require that all users enable two-factor authentication?
Yes, as a Domino system administrator, add a
com.cerebro.domino.twoFactorAuthentication.isRequired key to the Domino central configuration with a value of
For more information about Domino’s security, see Security and Domino.