Setup multi-factor authentication

2025/3/20

Lucent Sky AVM supports the use of TOTP MFA (time-based one-time password multi-factor authentication) for local accounts, providing a convenient way of enhancing account security.

In this article, you will learn how to:

  • Enable, reset, or disable MFA for the current user.
  • Enable or disable MFA for a specific user.
  • Enable or disable system-wide MFA settings.

At the end, you will be able to configure multi-factor authentication for your own account and other accounts, and manage multi-factor authentication on the system.

Enable, reset, or disable MFA for the current user

Follow these steps to enable multi-factor authentication for the current user:

  1. On the Web UI, navigate to Settings > Account, then select Enable MFA. You will be automatically signed out. If you don't see the Enable MFA command, multi-factor authentication is disabled on the system and cannot be enabled.
  2. Sign in normally, and the Web UI will display a QR code for setting up MFA. Use a compatible authenticator app, such as Apple Passwords (iOS) or Microsoft Authenticator (Android, iOS), to scan the QR code and set up MFA.
  3. If you are unable to scan the QR code, select Enter code manually and enter the Secret key in your authenticator app.
  4. Confirm you have set up MFA correctly by entering the token generated by your authenticator app.

Follow these steps to reset multi-factor authentication for the current user:

  1. On the Web UI, navigate to Settings > Account, then select Reset MFA. You will be automatically signed out.
  2. Sign in normally, and the Web UI will display a QR code for setting up MFA. Use a compatible authenticator app, such as Apple Passwords (iOS) or Microsoft Authenticator (Android, iOS), to scan the QR code and set up MFA.
  3. If you are unable to scan the QR code, select Enter code manually and enter the Secret key in your authenticator app.
  4. Confirm you have set up MFA correctly by entering the token generated by your authenticator app.

Follow these steps to disable multi-factor authentication for the current user:

  1. On the Web UI, navigate to Settings > Account, then select Disable MFA. MFA will be disabled on your account and you will be automatically signed out. If you don't see the Disable MFA command, multi-factor authentication is enforced on the system and cannot be disabled.

Enable, reset, or disable MFA for a specific user

Users with Full Access permission to the User API interface can enable, reset, or disable multi-factor authentication for other users.

Follow these steps to enable multi-factor authentication for a specific user:

  1. On the Web UI, navigate to Settings > Users, then select the Edit icon of the user to enable multi-factor authentication for.
  2. Select the Multi-factor Authentication checkbox, then select Save.
  3. Multi-factor authentication for the user has been enabled, and they will be required to set up multi-factor authentication the next time they sign in using the Web UI.

Follow these steps to reset multi-factor authentication for a specific user:

  1. On the Web UI, navigate to Settings > Users, then select the Edit icon of the user to reset multi-factor authentication for.
  2. Unselect the Multi-factor Authentication checkbox, then select Save.
  3. Select the Edit icon of the user again.
  4. Select the Multi-factor Authentication checkbox, then select Save.
  5. Multi-factor authentication for the user has been reset, and they will be required to set up multi-factor authentication again the next time they sign in using the Web UI.

Follow these steps to disable multi-factor authentication for a specific user:

  1. On the Web UI, navigate to Settings > Users, then select the Edit icon of the user to disable multi-factor authentication for.
  2. Unselect the Multi-factor Authentication checkbox, then select Save.
  3. Multi-factor authentication for the user has been disabled.

Enable or disable system-wide MFA settings

In its default configuration, multi-factor authentication is enabled but not enforced. In this configuration, users can enable MFA on their own but are not required to do so.

Follow these steps to change the default configuration:

  1. Open PowerShell as administrator and enter the following command to open the CLEAR Engine storage configuration file with the default text editor:

     (Select-Xml -Path "C:\Program Files\Lucent Sky\CLEAR Engine\SkyAnalyzer.config" -XPath "skyAnalyzer").Node.File | Invoke-Item
    
  2. Locate the MultiFactorAuthentication key. The default value is empty, which enables multi-factor authentication without enforcing it.
  3. To enforce MFA for all users, set its value to true. Every user will be required to set up multi-factor authentication the next time they sign in.
  4. To disable MFA for all users, set its value to false. Multi-factor authentication will be disabled for all users.
  5. Enter the following command in PowerShell to restart CLEAR Engine for the changes to take effect. Repeat this on every instance in the cluster:

     Stop-Service "CLEAR Engine"; Start-Service "CLEAR Engine"
    

Disabling system-wide MFA does not clear the per-user MFA secret key. If system-wide MFA is enabled again, users can use their existing authenticator apps to sign in.
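
To check which policy an instance is configured with, for example when repeating the change on every instance in a cluster, the following added example (not Lucent Sky code) reads the MultiFactorAuthentication value and maps it to the three states described above. It assumes the storage configuration file stores settings as `<add key="..." value="..." />` elements; the function name Get-MfaPolicy and the sample file are hypothetical.

```powershell
# Added example, not part of the product. Assumption: the storage configuration
# file keeps its settings as <add key="..." value="..." /> elements.
function Get-MfaPolicy {
    param([Parameter(Mandatory)][string]$StorageConfigPath)

    [xml]$doc = Get-Content -LiteralPath $StorageConfigPath -Raw
    $node = $doc.SelectSingleNode("//add[@key='MultiFactorAuthentication']")
    if ($null -eq $node) { return 'KeyNotFound' }

    # Mapping taken from the steps above: empty = enabled but not enforced,
    # true = enforced for all users, false = disabled for all users.
    switch ($node.GetAttribute('value').Trim().ToLowerInvariant()) {
        ''      { 'EnabledNotEnforced' }
        'true'  { 'Enforced' }
        'false' { 'Disabled' }
        default { 'Unrecognized' }
    }
}

# Constructed sample file so the example runs without an installation.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'storage-sample.config'
@'
<configuration>
  <add key="MultiFactorAuthentication" value="true" />
</configuration>
'@ | Set-Content -LiteralPath $sample

Get-MfaPolicy -StorageConfigPath $sample

# On an installed instance, resolve the file the same way as the command in step 1:
# $path = (Select-Xml -Path "C:\Program Files\Lucent Sky\CLEAR Engine\SkyAnalyzer.config" -XPath "skyAnalyzer").Node.File
# Get-MfaPolicy -StorageConfigPath $path
```

The value on disk only takes effect after CLEAR Engine is restarted, so run the check after the restart step on each instance.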