WebAccess has added support for the 2FA service.
This feature has two sides: user-enrollment activation and website Cosign configuration. Any website with content requiring 2FA protection (per auditors, policies, etc.) must be configured to require 2FA (see below).
Note that this is a once-per-login-session request, similar to the account password.
If someone using an Access Account attempts to access a website requiring 2FA, and is not enrolled in 2FA, WebAccess will display a page explaining the situation. (An FPS Account receives a slightly different message.)
Cosign websites requiring the older second factor (Vasco/RSA mainframe tokens) will continue to function the same for those people who are not enrolled in 2FA. If the person is enrolled, entering their 2FA credential will also satisfy the token requirement: they will not have to use their mainframe token.
To enable your website’s Cosign filter to require 2FA, you must add a “factor” feature to your Cosign configuration. No other changes or additional software are needed. (The Cosign software calls authentication methods, including the initial password login, “factors”.)
If your website currently uses the Access Account factor, just change it from
2fa. The 2fa factor covers all Access Accounts, making dce.psu.edu redundant.
Please create backup copies of your Cosign configuration beforehand.
Don’t forget to inform your user community about the new requirement prior to your change.
Here’s how to enable the feature on the various platforms:
In the Apache httpd.conf configuration file (or included file) where you have your CosignService directive, add this line right after it
then restart httpd.
IIS 7+ (CosignModule)
Your current <service> element is most likely a single tag similar to
<service name="cosign-www.dept.psu.edu" />
To add the token factor, you’ll need to split it into a start and end tag surrounding a new <add> element, like
<service name="cosign-www.dept.psu.edu">
  <add factor="2fa" />
</service>
then restart IIS.
Your cosignConfig.xml file will have a section for your web site similar to
<service name = "cosign-www.dept.psu.edu">
  <protected>/cosign-secure/protected/</protected>
</service>
Modify it similar to this
<service name = "cosign-www.dept.psu.edu">
  <reqfactor>
    <factor>2fa</factor>
  </reqfactor>
  <protected>/cosign-secure/protected/</protected>
</service>
then restart your Java service.
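A post-change check for the two XML forms shown above, as an added example (not part of the Cosign software or the original page): it reports which <service> elements still do not require the 2fa factor. The <config> wrapper element, the example host names and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

REQUIRED_FACTOR = "2fa"

# Constructed sample: the <config> wrapper and host names are assumptions;
# the <service> shapes are the ones shown on this page.
SAMPLE = """
<config>
  <service name="cosign-a.example.edu" />
  <service name="cosign-b.example.edu">
    <add factor="2fa" />
  </service>
  <service name = "cosign-c.example.edu">
    <reqfactor>
      <factor>2fa</factor>
    </reqfactor>
    <protected>/cosign-secure/protected/</protected>
  </service>
  <service name = "cosign-d.example.edu">
    <protected>/cosign-secure/protected/</protected>
  </service>
</config>
"""

def service_factors(service):
    """Return the set of factors one <service> element requires."""
    factors = set()
    # IIS CosignModule form: <add factor="2fa" />
    for add in service.findall("add"):
        factors.add((add.get("factor") or "").strip())
    # Java filter form: <reqfactor><factor>2fa</factor></reqfactor>
    for factor in service.findall("reqfactor/factor"):
        factors.add((factor.text or "").strip())
    factors.discard("")  # ignore empty or whitespace-only entries
    return factors

def audit(xml_text):
    """Map each service name to True if it requires the 2fa factor."""
    root = ET.fromstring(xml_text)
    return {svc.get("name"): REQUIRED_FACTOR in service_factors(svc)
            for svc in root.iter("service")}

def missing_2fa(xml_text):
    """Sorted names of services that would still be served without 2FA."""
    return sorted(name for name, ok in audit(xml_text).items() if not ok)

if __name__ == "__main__":
    for name in missing_2fa(SAMPLE):
        print(f"{name}: 2fa factor NOT required")
```

Run it against the edited file and against the backup copy to confirm that only the intended services changed.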