Docs Menu
Docs Home
/
MongoDB Ops Manager
/

Manage Two-Factor Authentication for Ops Manager

On this page

  • Overview
  • Procedures

Administrators can enable two-factor authentication. When enabled, two-factor authentication requires a user to enter a verification code to log in and to perform certain protected operations. Operations that require two-factor authentication include:

  • restoring and deleting snapshots,

  • stopping and terminating Backup for a sharded cluster or replica set,

  • inviting and adding users,

  • generating new two-factor authentication backup codes, and

  • saving phone numbers for two-factor authentication.

Optionally, administrators can set up two-factor authentication with Twilio. This allows users to receive their authentication codes via SMS.

Users configure two-factor authentication on their accounts through their Ops Manager user profiles, where they select whether to receive their verification codes through voice calls, text messages (SMS), or the Google Authenticator application. If your organization does not use Twilio, then users can receive codes only through Google Authenticator.

Administrators can reset accounts for individual users as needed. Reseting a user's account clears out the user's existing settings for two-factor authentication. When the user next performs an action that requires verification, Ops Manager forces the user to re-enter settings for two-factor authentication.

1
  1. Click on Admin on the upper-right hand corner.

  2. From the Ops Manager Admin screen, click on General > Ops Manager Config > User Authentication.

2
  1. Select Multi-Factor Auth Level.

    Level
    Description
    OPTIONAL
    Users can choose to set up two-factor authentication for their Ops Manager account.
    REQUIRED
    All users must set up two-factor authentication.
    REQUIRED_FOR_GLOBAL_ROLES
    Users who possess a global role must set up two-factor authentication, while two-factor authentication is optional for all other users.
  2. Optional. Select whether users can reset their two-factor authentication setting via email.

  3. Optional. Specify the Authenticator app issuer. If blank, the issuer is the domain name of the Ops Manager installation.

To allow users to receive their authentication codes via SMS, administrators can optionally enable integration with Twilio.

1
  1. Click on Admin on the upper-right hand corner.

  2. From the Ops Manager Admin screen, click on General > Ops Manager Config > Miscellaneous.

2

Enter the following to allow delivery of alerts and SMS multi-factor authentication codes through Twilio:

Note

If you Twilio integration, ensure that Ops Manager servers can access the twilio.com domain.

Field
Description
Account SID
Twilio account ID.
Twilio Auth Token
Twilio API access token
Twilio From Number
Twilio phone number from which to send the alerts and authentication codes to users.

Resetting the user's account clears out any existing two-factor authentication information. The user will be forced to set it up again at the next login.

You must have the global user admin or global owner role to perform this procedure.

1

To open Administration, click the Admin link in the Ops Manager banner.

2
3
4

Back

Rotate Password

On this page