How to set two-factor authentication in a Niagara Station (Gauth)

Two-factor authentication (2FA) adds an additional layer of security to Niagara Station access by requiring both a password and a time-based one-time password (TOTP) from an authenticator app. This guide covers configuring Google Authenticator (Gauth) for Niagara 4 Stations.

Overview

Two-factor authentication enhances security by requiring:

  1. Something you know: Your Station password
  2. Something you have: A time-based code from Google Authenticator

This prevents unauthorised access even if passwords are compromised.

Prerequisites

Before configuring 2FA, ensure you have:

  • Administrative access to the Niagara Station
  • A mobile device (smartphone or tablet)
  • Google Authenticator app installed on your mobile device
  • Access to Station user management

Understanding Two-Factor Authentication in Niagara

How It Works

  1. User Registration: Users register their authenticator app with the Station
  2. QR Code Generation: Station generates a QR code containing the secret key
  3. App Configuration: User scans QR code with Google Authenticator
  4. Login Process: User enters password and TOTP code when logging in
  5. Verification: Station verifies both password and TOTP code

Supported Authenticator Apps

  • Google Authenticator (recommended)
  • Microsoft Authenticator
  • Authy
  • Any TOTP-compatible authenticator app

Step-by-Step Configuration

Step 1: Enable Two-Factor Authentication Service

  1. Open Niagara Workbench
  2. Connect to your target Station
  3. Navigate to Services in the Station tree
  4. Locate or create the Two-Factor Authentication Service

If the service doesn't exist:

  1. Right-click on Services
  2. Select New > Service > Two-Factor Authentication Service
  3. Enter a name (e.g., "2FA Service")
  4. Click OK

Step 2: Configure 2FA Service Properties

  1. Right-click on the Two-Factor Authentication Service

  2. Select Properties

  3. Configure service settings:

    • Enabled: Enable the service
    • Issuer Name: Name displayed in authenticator app (e.g., "Niagara Station")
    • Secret Key Length: 32 characters (default, recommended)
    • Time Step: 30 seconds (default, standard TOTP)
    • Code Length: 6 digits (default)
    • Backup Codes: Enable backup code generation (recommended)
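The service settings above (Issuer Name, Secret Key Length, Time Step, Code Length) are exactly the fields that end up inside the enrolment QR code, which is nothing more than an `otpauth://totp/...` key URI. The following is an added example, not Niagara code, showing how such a URI is built and parsed; it assumes that "Secret Key Length: 32 characters" means 32 Base32 characters (20 bytes, the RFC 4226 recommended key size) and follows the key URI format that Google Authenticator and other TOTP apps understand.

```python
"""Build and parse the otpauth:// payload a TOTP enrolment QR code carries (added example)."""
import base64
import secrets
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def generate_base32_secret(length_chars: int = 32) -> str:
    """Random secret as Base32 text. 32 characters encode 20 bytes (160 bits), the key
    length RFC 4226 recommends; this is assumed to be what 'Secret Key Length' means."""
    if length_chars % 8:
        raise ValueError("use a multiple of 8 so the Base32 string needs no '=' padding")
    return base64.b32encode(secrets.token_bytes(length_chars * 5 // 8)).decode("ascii")


def secret_bits(secret: str) -> int:
    """Entropy carried by a Base32 secret; useful as a sanity check before enrolment."""
    padded = secret + "=" * (-len(secret) % 8)
    return len(base64.b32decode(padded)) * 8


def manual_entry_key(secret: str) -> str:
    """Secret grouped in blocks of four, the form shown for the app's manual-entry fallback."""
    return " ".join(secret[i:i + 4] for i in range(0, len(secret), 4))


def provisioning_uri(issuer: str, account: str, secret: str,
                     algorithm: str = "SHA1", digits: int = 6, period: int = 30) -> str:
    """Key URI (otpauth://totp/...) as understood by Google Authenticator and similar apps.
    The issuer appears both in the label and as a parameter; the secret is unpadded Base32."""
    label = quote(f"{issuer}:{account}", safe=":@")
    params = urlencode({"secret": secret.rstrip("="), "issuer": issuer,
                        "algorithm": algorithm, "digits": digits, "period": period})
    return f"otpauth://totp/{label}?{params}"


def parse_provisioning_uri(uri: str) -> dict:
    """Inverse of provisioning_uri, e.g. to audit what a generated QR code actually encodes."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP key URI")
    label = unquote(parts.path.lstrip("/"))
    issuer_in_label, _, account = label.partition(":")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if query.get("issuer", issuer_in_label) != issuer_in_label:
        raise ValueError("issuer parameter disagrees with the label")
    return {"issuer": issuer_in_label, "account": account, "secret": query["secret"],
            "algorithm": query.get("algorithm", "SHA1"),
            "digits": int(query.get("digits", 6)), "period": int(query.get("period", 30))}


if __name__ == "__main__":
    # Constructed enrolment for a hypothetical user; the issuer matches the Step 2 setting.
    secret = generate_base32_secret(32)
    print("manual entry key:", manual_entry_key(secret))
    print("QR payload      :", provisioning_uri("Niagara Station", "admin", secret))
```

Because the QR payload is the secret in clear text, anything that displays or logs it (screenshots, help-desk tickets, browser history of a rendered image) is as sensitive as the user's password; treat the manual-entry key the same way.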

Step 3: Enable 2FA for User Accounts

  1. Navigate to Users in the Station tree
  2. Select the user account requiring 2FA
  3. Right-click and select Properties
  4. Navigate to Security or Authentication tab
  5. Enable Two-Factor Authentication
  6. Click OK to save

Step 4: Register Authenticator App for User

For each user requiring 2FA:

  1. User Login: User logs into Workbench or Web Supervisor
  2. 2FA Prompt: System prompts user to configure 2FA
  3. QR Code Display: Station displays QR code
  4. Scan QR Code: User opens Google Authenticator app
  5. Add Account: Tap + or Add Account
  6. Scan QR Code: Select Scan QR Code and scan the displayed code
  7. Verify Setup: Enter the 6-digit code displayed in the app
  8. Save Backup Codes: User saves backup codes in a secure location

Step 5: Test Two-Factor Authentication

  1. Logout: User logs out of the Station
  2. Login Attempt: User attempts to log in
  3. Password Entry: User enters username and password
  4. TOTP Prompt: System prompts for TOTP code
  5. Code Entry: User enters 6-digit code from Google Authenticator
  6. Verification: System verifies code and grants access

Step 6: Configure Backup Codes

  1. During 2FA setup, generate backup codes
  2. Provide backup codes to user securely
  3. User stores backup codes in a safe location
  4. Backup codes can be used if authenticator app is unavailable
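The backup-code handling described above (generate at setup, hand over once, accept each code only once) is shown here as an added example; it is not Niagara's implementation, whose code format and storage are not documented on this page. The example assumes an 8-character code from an alphabet without look-alike characters, stores only salted PBKDF2 hashes so a copy of the user record does not yield usable codes, and marks each code used on first successful redemption.

```python
"""Single-use backup codes: generate, store only hashes, redeem once (added example)."""
import hashlib
import hmac
import secrets

# Alphabet without look-alike characters (0/O, 1/I/L) so codes written on paper are readable.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
PBKDF2_ITERATIONS = 100_000  # slows offline guessing of the ~40-bit codes if the store leaks


def _normalise(code: str) -> str:
    """Accept what users actually type: mixed case, spaces and dashes."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _normalise(code).encode("ascii"), salt, PBKDF2_ITERATIONS)


def generate_backup_codes(count: int = 10, length: int = 8):
    """Return (codes to show the user exactly once, store). The store keeps a salt,
    one hash per code and a used flag; the plain codes are never persisted."""
    salt = secrets.token_bytes(16)
    codes = []
    for _ in range(count):
        body = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(f"{body[:length // 2]}-{body[length // 2:]}")  # e.g. "k7mq-3xvp"
    store = {"salt": salt, "hashes": {_hash_code(c, salt): False for c in codes}}
    return codes, store


def redeem_backup_code(store: dict, submitted: str) -> bool:
    """Consume a code. Every stored hash is compared so timing does not reveal a near-match."""
    digest = _hash_code(submitted, store["salt"])
    matched = None
    for stored in store["hashes"]:
        if hmac.compare_digest(stored, digest):
            matched = stored
    if matched is None or store["hashes"][matched]:
        return False  # unknown code, or already used
    store["hashes"][matched] = True
    return True


def remaining_backup_codes(store: dict) -> int:
    """How many unused codes are left; warn the user when this gets low."""
    return sum(1 for used in store["hashes"].values() if not used)


if __name__ == "__main__":
    codes, store = generate_backup_codes()
    print("give these to the user once:", codes)
    print("first use  :", redeem_backup_code(store, codes[0]))
    print("second use :", redeem_backup_code(store, codes[0]))
    print("remaining  :", remaining_backup_codes(store))
```

Redeeming a backup code is itself a security event: log it alongside the administrator resets mentioned under Lost Authenticator Access, since a sudden run of backup-code logins for one account is a signal worth investigating.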

User Registration Process

For Station Administrators

When enabling 2FA for users:

  1. Notify Users: Inform users that 2FA is being enabled
  2. Provide Instructions: Share setup instructions with users
  3. Support: Be available to assist with setup if needed
  4. Backup Codes: Ensure users receive and store backup codes

For End Users

When setting up 2FA:

  1. Install App: Install Google Authenticator on mobile device
  2. Access Station: Log into the Station (a one-time, password-only login before 2FA is registered)
  3. Follow Prompts: Complete 2FA setup when prompted
  4. Test Login: Verify 2FA works by logging out and back in
  5. Store Backup Codes: Save backup codes securely

Configuration Options

Service-Level Settings

Configure global 2FA settings:

  • Enforcement: Require 2FA for all users or allow opt-in
  • Grace Period: Allow time for users to set up 2FA
  • Backup Code Policy: Configure backup code generation and usage
  • Session Duration: Set how long 2FA remains valid per session

User-Level Settings

Per-user 2FA configuration:

  • 2FA Status: Enabled/Disabled per user
  • Registration Status: Track which users have registered
  • Last Used: Monitor last 2FA usage
  • Backup Codes: Manage user backup codes

Troubleshooting

QR Code Not Scanning

If QR code cannot be scanned:

  1. Display Quality: Ensure QR code is clearly displayed
  2. Screen Brightness: Increase screen brightness
  3. App Version: Update Google Authenticator to latest version
  4. Manual Entry: Use manual entry option with secret key
  5. Alternative Method: Try different device or app

Invalid TOTP Codes

If codes are being rejected:

  1. Time Synchronisation: Ensure device time is synchronised
  2. Code Timing: Enter code within the 30-second window
  3. Code Entry: Verify all 6 digits are entered correctly
  4. Service Configuration: Check Time Step setting matches standard (30 seconds)
  5. Clock Drift: Check for significant time differences between devices

Lost Authenticator Access

If a user loses access to the authenticator app:

  1. Backup Codes: Use backup codes to regain access
  2. Administrator Reset: Administrator can reset 2FA for user
  3. Re-registration: User must re-register authenticator app
  4. Prevention: Encourage users to store backup codes securely

Service Not Starting

If 2FA service fails to start:

  1. Check Logs: Review service logs for error messages
  2. Service Status: Verify service is enabled
  3. Dependencies: Check for required service dependencies
  4. Configuration: Review service configuration for errors
  5. Restart Service: Try restarting the service

Security Best Practices

Implementation

  • Gradual Rollout: Enable 2FA gradually, starting with administrators
  • User Training: Provide training and documentation to users
  • Support: Establish support process for 2FA issues
  • Monitoring: Monitor 2FA usage and issues

User Management

  • Backup Codes: Always generate and securely provide backup codes
  • Account Recovery: Establish account recovery process
  • User Education: Educate users on 2FA importance and usage
  • Regular Review: Periodically review 2FA registrations

Security Considerations

  • Secret Key Storage: Ensure secret keys are stored securely
  • Backup Code Security: Protect backup codes appropriately
  • Session Management: Configure appropriate session durations
  • Audit Logging: Enable audit logging for 2FA events

Advanced Configuration

Custom TOTP Parameters

For advanced configurations:

  • Time Step: Adjust time step (typically 30 seconds)
  • Code Length: Change code length (typically 6 digits)
  • Hash Algorithm: Configure hash algorithm (typically SHA1)
  • Clock Tolerance: Set clock drift tolerance
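To make the four parameters above concrete, and to show why the Invalid TOTP Codes troubleshooting section points at clock drift, here is an added RFC 4226/6238 implementation with a verifier that accepts a configurable number of time steps either side of the Station's clock and refuses to accept the same code twice (the "Last Used" record from the user-level settings). It is example code, not Niagara's implementation; the mapping of the Hash Algorithm setting to digest names and the meaning of Clock Tolerance as a count of time steps are assumptions.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with drift tolerance and replay rejection (added example)."""
import base64
import hashlib
import hmac
import struct
import time

# Assumed mapping of the service's "Hash Algorithm" setting to digest constructors.
HASH_ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), HASH_ALGORITHMS[algorithm]).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, time_step: int = 30, digits: int = 6,
         algorithm: str = "SHA1") -> str:
    """RFC 6238 TOTP: HOTP whose counter is the Unix time divided by the time step."""
    return hotp(secret, timestamp // time_step, digits, algorithm)


def decode_manual_entry_key(key: str) -> bytes:
    """Turn the Base32 key shown for manual entry (with spaces/dashes, any case) into raw bytes."""
    cleaned = key.replace(" ", "").replace("-", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Verifies codes within +/- clock_tolerance time steps and rejects replay of an accepted code."""

    def __init__(self, secret: bytes, time_step: int = 30, digits: int = 6,
                 algorithm: str = "SHA1", clock_tolerance: int = 1):
        self.secret = secret
        self.time_step = time_step
        self.digits = digits
        self.algorithm = algorithm
        self.clock_tolerance = clock_tolerance  # time steps accepted either side of "now"
        self.last_accepted_step = -1            # the "Last Used" record; nothing accepted yet

    def verify(self, submitted: str, server_time: int) -> bool:
        if len(submitted) != self.digits or not submitted.isdigit():
            return False
        current_step = server_time // self.time_step
        for delta in range(-self.clock_tolerance, self.clock_tolerance + 1):
            step = current_step + delta
            expected = hotp(self.secret, step, self.digits, self.algorithm)
            # compare_digest keeps timing independent of where the first wrong digit is
            if hmac.compare_digest(expected, submitted):
                if step <= self.last_accepted_step:
                    return False  # that step was already consumed: replay
                self.last_accepted_step = step
                return True
        return False


def clock_drift_demo(secret: bytes, server_time: int, device_offset: int,
                     clock_tolerance: int) -> bool:
    """Simulate a phone whose clock is device_offset seconds away from the Station's clock."""
    device_code = totp(secret, server_time + device_offset)
    return TotpVerifier(secret, clock_tolerance=clock_tolerance).verify(device_code, server_time)


if __name__ == "__main__":
    # Constructed secret (the RFC 6238 test key), shown as a manual-entry key and used live.
    secret = b"12345678901234567890"
    now = int(time.time())
    print("current code      :", totp(secret, now))
    print("phone 20 s slow   :", clock_drift_demo(secret, now, -20, clock_tolerance=1))
    print("phone 45 s slow   :", clock_drift_demo(secret, now, -45, clock_tolerance=1))
    print("same, tolerance 2 :", clock_drift_demo(secret, now, -45, clock_tolerance=2))
```

With the default 30-second step and a tolerance of one step, a phone that is about 45 seconds off will fail intermittently, which is exactly the symptom in the troubleshooting section; widening Clock Tolerance trades that failure for a longer window in which a captured code stays valid, so fix the device clock rather than raising the tolerance beyond one or two steps.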

Integration Options

2FA can be integrated with:

  • LDAP: Combine with LDAP authentication
  • Single Sign-On: Integrate with SSO solutions
  • Custom Authentication: Extend with custom authentication modules

Additional Resources

  • Google Authenticator Documentation
  • Niagara 4 Security Guide
  • Two-Factor Authentication Best Practices
  • TOTP RFC 6238 Specification