This article describes how to manage local authentication and two-factor authentication.
Administrators can configure Local Authentication Security at the org level for any role as detailed in Local Authentication Security permissions. This approach allows for easier control and access to local and two-factor authentication.
Local authentication or local login is the method of logging into Brightspace locally where your username and encrypted password are stored in Brightspace.
Two-factor authentication is a second layer of authentication when a user logs into Brightspace locally. The first layer is a password, and the second layer includes a code sent to your mobile device.
Enable or enforce two-factor authentication for specific roles
To configure two-factor authentication for specific roles that can log in locally, you must determine whether two-factor authentication is optional or enforced.
If optional, users can log into Brightspace, change their personal settings, and decide whether they wish to configure two-factor authentication from Account Settings or remove a previously set up two-factor authentication.
If enforced, users must change their personal settings in Brightspace and configure two-factor authentication from Account Settings to continue logging into Brightspace successfully. Users can skip having to set up two-factor authentication when logging in to Brightspace; the number of skips allowed is controlled by the configuration variable d2l.Auth.TwoFactor.SkipEnforcedTwoFactorPrompt (default of 5 times).
To set up two-factor authentication:
- From the Admin Tools menu, select Roles and Permissions.
- Select the role you want to configure two-factor authentication security permissions for.
- In the Filter by Tool drop-down menu, select Local Authentication Security and click Apply Filter.
Figure: Select Local Authentication Security from the Filter by Tool drop-down and click Apply Filter.
- From the permissions list, select one or both of the following options:
  - Make Two Factor Authentication Available – to enable users to optionally configure two-factor authentication for their Brightspace login. This option is only available if the user role has the Change My Password permission enabled. For more information, refer to Account Settings permissions.
  - Enforce Two Factor Authentication – to enforce two-factor authentication when users log into Brightspace.
Figure: Select the check boxes to enable either optional or enforced two-factor authentication for the role.
- Click Save and Close.
Enable or disable local login and two-factor authentication for specific users
You can customize individual user settings to allow for local login and two-factor authentication via the Users tool, overriding default org-level permissions. Only users with the Can Override Users Local Authentication Security Setting permission can make these changes.
The Local Authentication section of the Users tool indicates if a user has set up two-factor authentication, how often they've skipped setting up two-factor authentication on Brightspace logins, and any Local Authentication overrides or role configurations.
To customize individual user settings to allow for local login and two-factor authentication:
- From the Admin Tools menu, select Users.
- In the Users tab, enter a user's name in Search For..., then click the Search icon.
- Click the name of the user you want to edit.
- In the User Info tab, navigate to Local Authentication and select the Override default role settings for this user check box.
Figure: Enable Override default role settings for this user in the Local Authentication section.
- To enable a user to log in locally, for Local Brightspace Login Availability, select the Available check box.
  Note: If you do not select the Available check box and click Save, the user is restricted from logging in locally.
- For Two Factor Authentication Availability, select one of the following options:
  - Not Available – Users will not be able to configure two-factor authentication.
  - Optional – Users can configure two-factor authentication via Account Settings.
  - Enforced – Users must configure two-factor authentication to log in locally to Brightspace.
Figure: Select the desired level of Two Factor Authentication Availability for this user.
- Click Save.
Set up two-factor authentication for your account
If two-factor authentication has been enabled for your user account, you can optionally enable or disable two-factor authentication for your local account.
To set up two-factor authentication:
- Click your username and select Account Settings.
- Under General Settings, click Enable Two Factor Authentication.
Figure: Click Enable Two Factor Authentication to proceed.
- Following the instructions on the Enable Two Factor Authentication dialog, install an authenticator app on your mobile device.
- Add a new profile to your chosen authenticator by scanning the QR code on the Enable Two Factor Authentication pop-up window or by entering your personal code.
- Follow the instructions in your authenticator app to save your Brightspace code for future reference.
- When you have completed the setup process, log out of Brightspace and attempt to log back in. A prompt appears for your code.
- Enter your code and click Submit. You are logged into Brightspace.
Disable local login
By default, users created in Brightspace can log in locally. If you do not want certain roles to log in locally, you can select the Disable Allowing Local Login permission for these roles. Disabling local login is intended for users with roles that should only log in using Single Sign On (SSO).
Warning: Prior to disabling local login for a role, ensure that those users have an alternate means of authenticating into Brightspace, such as SSO; otherwise, users with that role will be prevented from logging into Brightspace.
To disable local login for a role:
- From the Admin Tools menu, select Roles and Permissions.
- Select the role you want to disable local login permissions for.
- In the Filter by Tool drop-down menu, select Local Authentication Security and click Apply Filter.
Figure: Select Local Authentication Security from the Filter by Tool drop-down and click Apply Filter.
- From the permissions list, enable the Disable Allowing Local Login permission.
Figure: Click the check box to enable Disable Allowing Local Login for the role.
- Click Save and Close.
Video: Configure Local Two-Factor Authentication