TimeZest now supports two-factor authentication (2FA) using common applications such as Authy, Google Authenticator and Microsoft Authenticator. Two-factor authentication works by ensuring that you have two factors to identify yourself when signing into TimeZest - your password (as is used currently), and your phone (when 2FA is enabled). This significantly increases the security of your account, as it prevents someone from logging in if your password is compromised or stolen.
As part of our commitment to security, 2FA is available to all users of TimeZest, including subscribers on free plans.
Important: Under no circumstances will TimeZest support turn off 2FA for an account where it has been configured, as this is a vector for social engineering attacks which can be used to bypass 2FA, and thus render it useless. Administrators can disable 2FA for other users if required (e.g. after losing a device).
Setting up 2FA for individual users
Each TimeZest administrator can set up 2FA for themselves in their My Profile page.
To turn on 2FA for your own account, click the Enable Two-Factor Authentication button. You'll then be asked to add TimeZest to your authenticator app using a QR code:
After entering the code, click Enable Two-Factor Authentication. You will then be shown backup codes which you can use to bypass 2FA if you lose your authentication device. It is critical that you store these in a secure place.
Click Finish Two-Factor Authentication Setup, and you will be prompted to use your authenticator app next time you log in.
Enforcing 2FA for all users
TimeZest can also be configured to require all users to set up 2FA. This can be configured in the Security & Permissions page:
Click Require 2FA for all Administrators to require all administrators to configure 2FA. They will be prompted at their next login to configure 2FA, but there is a grace period of 7 days during which it can be skipped. After the grace period expires, administrators will be required to configure 2FA before being allowed to log in to TimeZest.
Disabling 2FA for Individual Administrators
In the case where an administrator loses their 2FA device, it's possible for another administrator to disable 2FA for that administrator for their next login attempt only. This can be done by going to that administrator's details page (in Administrators) and clicking Disable Two-Factor Authentication for Next Login.
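To make the rules above concrete, here is an added illustration (not TimeZest's code) of how a login server could model them: TOTP verification as authenticator apps implement it, backup codes that bypass 2FA, the 7-day grace period under enforcement, and an override that is used up on the next login. The function names, the data layout, and the hashed single-use handling of backup codes are assumptions for the example, not TimeZest's implementation.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set

GRACE_PERIOD = 7 * 24 * 3600  # the 7-day grace window described above, in seconds


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme common authenticator apps implement."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    digest = hmac.new(key, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Administrator:
    totp_secret: Optional[str] = None                      # set once setup is finished
    backup_hashes: Set[str] = field(default_factory=set)   # assumption: stored hashed, single-use
    bypass_next_login: bool = False                        # "... for Next Login" override flag


def enroll(admin: Administrator, secret_b32: str) -> List[str]:
    """Finish setup: store the secret, hand out backup codes once, keep only their hashes."""
    admin.totp_secret = secret_b32
    codes = [secrets.token_hex(4) for _ in range(8)]
    admin.backup_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes


def login(admin: Administrator, code: Optional[str],
          required_since: Optional[int], now: int) -> str:
    """Return 'ok', 'enroll' (must configure 2FA before logging in) or 'denied'."""
    if admin.totp_secret is None:
        # Not enrolled: allowed unless enforcement is on and the grace period has expired.
        return "ok" if required_since is None or now - required_since < GRACE_PERIOD else "enroll"
    if admin.bypass_next_login:
        admin.bypass_next_login = False          # another admin's override is consumed here
        return "ok"
    if code and hmac.compare_digest(totp(admin.totp_secret, now).encode(), code.encode()):
        return "ok"
    digest = hashlib.sha256((code or "").encode()).hexdigest()
    if digest in admin.backup_hashes:
        admin.backup_hashes.discard(digest)      # each backup code works exactly once
        return "ok"
    return "denied"
```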