Navigation
This version of the documentation is archived and no longer supported. It will be removed on EOL_DATE. To learn how to upgrade your version of MongoDB Ops Manager, refer to the upgrade documentation.
You were redirected from a different version of the documentation. Click here to go back.
This version of the manual is no longer supported. It will be removed on EOL_DATE.
  • Security >
  • Manage Two-Factor Authentication for Ops Manager

Manage Two-Factor Authentication for Ops Manager

On this page

Overview

Administrators can enable two-factor authentication. When enabled, two-factor authentication requires a user to enter a verification code to log in and to perform certain protected operations. Operations that require two-factor authentication include:

  • restoring and deleting snapshots,
  • stopping and terminating Backup for a sharded cluster or replica set,
  • inviting and adding users,
  • generating new two-factor authentication backup codes, and
  • saving phone numbers for two-factor authentication.

Optionally, administrators can set up two-factor authentication with Twilio. This allows users to receive their authentication codes via SMS.

Users configure two-factor authentication on their accounts through their Ops Manager user profiles, where they select whether to receive their verification codes through voice calls, text messages (SMS), or the Google Authenticator application. If your organization does not use Twilio, then users can receive codes only through Google Authenticator.

Administrators can reset accounts for individual users as needed. Reseting a user’s account clears out the user’s existing settings for two-factor authentication. When the user next performs an action that requires verification, Ops Manager forces the user to re-enter settings for two-factor authentication.

Procedures

Enable Two-factor Authentication

1

Go to User Authentication in the Ops Manager Config panel.

  1. Click on Admin on the upper-right hand corner.
  2. From the Ops Manager Admin screen, click on General > Ops Manager Config > User Authentication.
2

Configure Multi-Factor Authentication (MFA).

  1. Select Multi-Factor Auth Level.

    Level Description
    OPTIONAL Users can choose to set up two-factor authentication for their Ops Manager account.
    REQUIRED All users must set up two-factor authentication.
    REQUIRED_FOR_GLOBAL_ROLES Users who possess a global role must set up two-factor authentication, while two-factor authentication is optional for all other users.
  2. Optional. Select whether users can reset their two-factor authentication setting via email.

  3. Optional. Specify the Authenticator app issuer. If blank, the issuer is the domain name of the Ops Manager installation.

Optional. Enable Twilio Integration

To allow users to receive their authentication codes via SMS, administrators can optionally enable integration with Twilio.

1

Go to Miscellaneous in the Ops Manager Config panel.

  1. Click on Admin on the upper-right hand corner.
  2. From the Ops Manager Admin screen, click on General > Ops Manager Config > Miscellaneous.
2

Configure Twilio Integration.

Enter the following to allow delivery of alerts and SMS multi-factor authentication codes through Twilio:

Note

If you Twilio integration, ensure that Ops Manager servers can access the twilio.com domain.

Field Description
Account SID Twilio account ID.
Twilio Auth Token Twilio API access token
Twilio From Number Twilio phone number from which to send the alerts and authentication codes to users.

Reset a User’s Two-factor Authentication Account

Resetting the user’s account clears out any existing two-factor authentication information. The user will be forced to set it up again at the next login.

You must have the global user admin or global owner role to perform this procedure.

1

Open Ops Manager Administration.

To open Administration, click the Admin link in the Ops Manager banner.

2

Select the Users page.

3

Locate the user and click the pencil icon on the user’s line.

4

Select the Clear Two Factor Auth checkbox.