Managing Two-Factor Authentication Users

Managing Two-Factor Authentication Users for CygNet Bridge API

There will be circumstances where an administrative deactivation of two-factor authentication is required. A user's mobile device containing the authenticator app they use to access CygNet Bridge API might be lost or stolen, for example, so they will be unable to log in until two-factor authentication is deactivated for their account. User accounts can be reset by an administrator to allow a user to activate two-factor authentication for their account using a new device or 2FA app.

See CygNet Bridge API (BRDGAPI) Security (ACCESS event) for information about configuring security access for Bridge API administrative functions.

See Group Service (GRP) Security (ACCESS event) in the Security section of the CygNet Help for information about configuring security access for Bridge API administrative functions.

Reset Two-Factor Authentication User Accounts

Note: An administrator must have security authorization level 4 for the [GRP]* ACCESS event for the Group service used to store user authentication data in order to make user data changes. [GRP]* = ACS security application name of the Group service dedicated to storing user authentication information. See Preparing your System for CygNet Bridge API for more information about configuring permissions.

An administrator with the required permissions can deactivate two-factor authentication for a user account, in one of the following ways.

Use CygNet Bridge API as described below to call the ClientLoginApi reset deactivate two-factor authentication for a user account. This method allows you to manage user 2FA settings from outside your CygNet installation, via CygNet Bridge. The administrator must also have security authorization level 5 for the BRDGAPIACCESS event to make user data changes using CygNet Bridge API.

Use CygNet Studio as described below to use the CygNet Bridge API Two-Factor Authentication User Manager screen provided in your Weatherford CygNetBridge source files to generate a screen that guides you through resetting the user authentication data. This method allows you to manage user 2FA settings within your CygNet installation, via CygNet Studio.
Use CygNet Explorer as described below to navigate to the dedicated Group service created to store user authentication data, and directly remove the user authentication data desired. This method allows you to manage user 2FA settings within your CygNet installation, via CygNet Explorer.

Use CygNet Bridge API

CygNet Bridge API provides an API method, clientloginapi/api/login/tfa-reset?username={username}, that allows you to deactivate two-factor authentication for a user account via CygNet Bridge.

Use the following procedure to deactivate two-factor authentication for a user account using CygNet Bridge API.

To Reset Two-Factor Authentication for a User Account via CygNet Bridge API

Note: The administrator must also have security authorization level 5 for the BRDGAPIACCESS event to make user data changes using CygNet Bridge API.

Using your API client, call the ClientLoginApi reset method as follows to deactivate two-factor authentication for a user account.
- Create a PUT clientloginapi/api/login/tfa-reset?username={username} request.
- Specify the user to reset, as the username query parameter value.
- Provide your user credentials (username, password, and domain/workstation etc.) as applicable.
- Send the request to reset the user authentication data.

Use CygNet Studio

CygNet provides a sample CygNet Studio screen you can use to manage two-factor authentication user accounts. When licensed for CygNet Bridge API, the sample user manager screen is located in your CygNet Bridge product source files.

The sample user manager screen contains the following fields.

Element	Description
User data service	Use the drop-down menu to select the Site.Service for the group service that was created specifically for storing user authentication information for your site. See Preparing your System for CygNet Bridge API for more information about the process.
Refresh [service]	Click Refresh to update the list of available services.
Two-factor authentication users	Lists the users of CygNet Bridge API who have set up two-factor authentication Select a user to view their setting details in the user settings box below.
Refresh [users]	Click Refresh to update the list of two-factor authentication users.
Reset user	Click Reset user to remove the selected user's authentication settings from the user data Group service. This allows the user to set up new 2FA account settings if desired.
User settings	Displays two-factor authentication setting details for the selected user, including user identity, status, and (encrypted) Pre-Shared Key (PSK) number

Use the following procedure to reset a two-factor authentication user account using CygNet Studio.

To Reset Two-Factor Authentication for a User Account via CygNet Studio

In the CygNet Bridge\BridgeAPISampleScreen folder in your CygNet Bridge source files, locate the sample CygNet Bridge API Two-Factor Authentication User Manager.csf file and make a copy of it.
Upload the copied .csf file into your Blob Storage Service (BSS).
In CygNet Studio, open the screen from your Blob service. Optionally make edits if desired, and Save any changes.
Using your CygNet Bridge API Two-Factor Authentication User Manager screen, provide information as follows to reset the desired user authentication data.

From the User data service drop-down menu, select the Site.Service for the group service created to store the user authentication information for your site, to view the list of two-factor authentication users.
In the Two-factor authentication users list box, select the username you want to reset.
Click Refresh to ensure you are viewing current information.
In the User settings results box, verify that the user information shown contains the authentication details you want to reset.
Click Reset to remove the existing two-factor authentication settings for the selected user.
Click Refresh to view the revised data and verify that the user data was reset.

Use CygNet Explorer

Administrators with required permission levels can also directly access the CygNet Group service that was created to contain the two-factor authentication user data, and edit the data directly.

Use the following procedure to reset a two-factor authentication user account using CygNet Explorer.

To Reset Two-Factor Authentication for a User Account via CygNet Explorer

In CygNet Explorer, navigate to the Group service that was created to contain your two-factor authentication user data (example: USERDATA.GRP) and double-click to open it.
Navigate to the node representing the user data you want to reset, right-click to access the context menu, and click Delete to remove the desired settings.