by 38 Elements

With Sugar 2FA you get an extra layer of protection by adding 2-factor authentication to your SugarCRM. In this case, a potential attacker needs more than just your username and password credentials. Users do not need to remember any additional information; they just need to access the authentication app installed on their mobile phones and enter a temporary 6-digit security token as the second step of the login process.

Due to high demand, we have now added support for Sugar On-Demand. Even if you are using SSO (single sign-on) on your Sugar, you will still be able to add 2-factor authentication to your Sugar authentication process.


Admin Guide

The first thing you need to do after Sugar 2FA is installed and licensed is to select which users will have 2FA enabled. Please log in as a Sugar administrator and follow the link ‘Sugar 2FA User Configuration’ (found at the bottom of the admin page). You should see the list of all active users from your system:


The ‘2FA Enabled’ column holds a checkbox for every user. Checking a box (and clicking the ‘Save’ button in the upper right corner) enables 2FA for that user. This forces the user to complete the 2FA configuration wizard on their next login after 2FA is enabled. You will find more information on this topic in the following text.

Just as checking the box enables 2FA, un-checking it (and clicking ‘Save’) disables it. Users that have 2FA disabled will continue to log in in the usual manner, using only their username and password.

Please note that there is an ‘Enable to all’ checkbox in the ‘2FA Enabled’ column header. Clicking this checkbox turns 2FA on or off for all users. You need to click the ‘Save’ button for the changes to take effect.

It’s advisable not to turn on 2FA for all the admins and users at the same time. To make sure that Sugar 2FA works properly on your instance, test the module by first enabling 2FA for certain regular users. If problems occur, please turn 2FA off for those users and contact 38 Elements.

Sending users’ login codes and resetting 2FA configuration will be explained later on (in chapter ‘Resetting 2FA Configuration’). For now just enable 2FA for users that need to have this service enabled and click on ‘Save’. Admin can enable and disable 2FA for any user, including himself and other admins.

2FA Configuration Wizard

As we already mentioned, all the users that have 2FA enabled will see configuration wizard the first time they try to log in after 2FA is enabled for them. The first thing users will see is the regular login screen, with inputs for entering username and password:


Users should enter their password, as usual, and click on ‘Log In’ button. After a couple of seconds they’ll be able to see step 1 of 2FA configuration wizard:


Step 1 simply notifies the user that 2FA is now enabled and needs to be configured. User should click on ‘Next‘ button. Step 2 requires the user to perform a couple of actions:


  1. Download an authenticator application of their choice on their mobile phone. We recommend free ‘Google Authenticator’ app, which is available for both Android and iOS. Other good options are ‘Microsoft Authenticator’, ‘LastPass Authenticator’ or ‘Authy’.
  2. Open installed authenticator app.
  3. Tap on ‘plus’ icon that most of the apps show in lower right corner of the screen. Some of them have ‘Add account’ option in options menu (that’s accessed from icon in upper right corner of the screen).
  4. After tapping on the ‘Add account’ option or icon, the app will give users 2 options: scan the QR code (some apps refer to the QR code as a ‘barcode’) or enter the code manually. As you can see from the image above, the user can scan the shown QR code or manually enter the 32-character code (shown below the QR code) in their app. Scanning the code is much more convenient, and the end result is the same, because the QR code is just a graphical representation of the 32-character code (called the ‘secret code’, which is unique for every user that configures 2FA).

Please note that if users select entering the code manually, they will also need to enter the account’s name of their choice (something that references your SugarCRM) and to choose ‘Time based’ as type of key (if asked, as some of the apps use this key type by default).

After this users should be able to see new account added on their authenticator app.


As you can see from the image above, a new account has been added to the authenticator app (Google Authenticator is used here, and the QR code was scanned when the account was being added). No matter which application is used, they all display the user’s username (‘jim’ in this case) along with the name of the SugarCRM application that 2FA is being configured on (‘38 Elements CRM’ in this case). Please note that this happens only when the QR code is scanned during the configuration process. If the code is entered manually, the user will be asked to set an account name of their choice.

The authenticator app will start generating 6-digit codes right away; each code lasts 30 seconds (we will get back to this later on). As you can see from the image above, ‘295751’ is one such code.

User should now enter the 6 digit code that authenticator app has generated and click on ‘Next‘ button. As already mentioned, codes are valid for 30 seconds, which means that they will be visible for 30 seconds and after that a new code will take the old code’s place. If any code is declined because it expired, new one that appears should be entered.

Please note that 6 digit code is shown in 2 groups of 3 digits just for better visibility. The code should be entered as 6 consecutive digits, without any spacing.

Step 3 is confirmation that everything was set up properly:


The user should click the ‘Login’ button, which logs the user in to the SugarCRM application. The configuration wizard is completed at this point. On every subsequent login, as long as 2FA is enabled for the user, the user will be asked to enter a 6-digit code, as explained in the next chapter.
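What the wizard sets up, as an added example (not code from Sugar 2FA or 38 Elements): it assumes the module follows standard TOTP (RFC 6238 with HMAC-SHA1), which is what the authenticator apps named above compute for 30-second, 6-digit codes. The secret is the constructed RFC 6238 test key, and the one-step drift window, the replay check and all function names are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote

STEP, DIGITS = 30, 6  # the guide's values: 30-second, 6-digit codes

# Constructed sample: the RFC 6238 test key, base32-encoded to 32 characters.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def provisioning_uri(secret_b32, user, issuer):
    """Key URI that an enrolment QR code encodes (otpauth:// format)."""
    label = quote(f"{issuer}:{user}")
    return (f"otpauth://totp/{label}?secret={secret_b32}"
            f"&issuer={quote(issuer)}&period={STEP}&digits={DIGITS}")


def totp(secret_b32, now):
    """RFC 6238 code for Unix time `now` (HMAC-SHA1 is an assumption)."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(now) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, submitted, now, last_used_step=-1, drift=1):
    """Return the matching time step, or None if the code is rejected.

    Accepts +/- `drift` steps of clock skew and refuses any step at or
    before `last_used_step`, so a code seen once cannot be replayed.
    """
    if len(submitted) != DIGITS or not (submitted.isascii() and submitted.isdigit()):
        return None
    current = int(now) // STEP
    for step in range(max(0, current - drift), current + drift + 1):
        if step > last_used_step and hmac.compare_digest(
                totp(secret_b32, step * STEP), submitted):
            return step
    return None


if __name__ == "__main__":
    print(provisioning_uri(SAMPLE_SECRET, "jim", "38 Elements CRM"))
    print(totp(SAMPLE_SECRET, 59), verify(SAMPLE_SECRET, "287082", 89))
```

A server that stores the step returned by `verify` and passes it back as `last_used_step` on the next attempt rejects a second use of the same code inside its validity window.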

Using 2FA

Every user that has 2FA enabled and configured will follow this 2-step procedure in order to log in:

  • Enter username and password (on Sugar’s default log in screen):


  • After a couple of seconds 2FA login screen will appear:


The user is expected to open the authenticator app on their mobile phone and enter the 6-digit code that appears under the account configured for your SugarCRM. After entering the code and clicking ‘Login’ (or pressing the ‘Enter’ key), the user should be logged in.

Sending 2FA Login Code to User

If a user doesn’t have the mobile phone (where the authenticator app is configured) available and is unable to log in to SugarCRM, the admin can send a 2FA code to that user via email.

This is done by following the ‘Sugar 2FA User Configuration’ link, which should be at the bottom of the admin page (under the ‘Sugar 2FA Configuration’ section). The link opens the same view used for enabling and disabling 2FA for users:


Clicking the ‘Send’ button in a particular user’s row automatically sends an email to that user from the Sugar system outbound email account. The email contains a 6-digit code that lasts for 5 minutes:

Hi Sarah,

your temporary 2FA code is: 831184

Code expires in 5 minutes.

Please note that you cannot send the code to users who haven’t configured 2FA or who don’t have 2FA enabled.

Resetting 2FA Configuration

Any user (including admin) can have their 2FA configuration reset.


As you can see from the image above, the admin can do that by following the ‘Sugar 2FA User Configuration’ link, which should be at the bottom of the admin page (under the ‘Sugar 2FA Configuration’ section).

The ‘Reset 2FA Secret Code’ column holds the ‘Reset’ buttons. Clicking a ‘Reset’ button resets the 2FA configuration for that particular user. This action resets the user’s secret code and forces the user to configure 2FA again on the next login to SugarCRM.

This action can be used if a user loses or forgets the mobile phone with the authenticator app installed and configured.
