For organizations that want additional security upon login, Nexpose and the Rapid7 Nexpose-Client Ruby Gem will support Two Factor Authentication as of the January 6, 2016 release. Two Factor Authentication requires the use of a time-based one-time password application such as Google Authenticator.

Two Factor Authentication can only be enabled by a Global Administrator on the Security Console.

To enable Two Factor Authentication:

1. As a Global Administrator, go to the Administration tab.

2. Click the Administer link in the Global and Console Settings section.

3. Select Enable two factor authentication.

The next step is to generate a token for each user. The users can generate their own tokens, or you can generate tokens for them that they then change. In either case, you should communicate with them about the upcoming changes.

Method 1: Tokens created by users

Once Two Factor Authentication is enabled, when a user logs on to Nexpose, they will see a field where they can enter an access code. The first time, they should log in without specifying an access code.

Once the user logs in, they can generate a token in the User Preferences page.

The user should then open their time-based one-time password application such as Google Authenticator. They should enter the token as the key in the password application. The password application will then generate a new code that should be used as the user's access code when logging in.
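The token-to-code step described above is standard TOTP (RFC 6238). The Ruby below is an added illustration, not code from Nexpose or the nexpose-client gem: it derives a six-digit access code from a base32 key the way an authenticator app does, and checks a submitted code with one 30-second step of clock skew. The base32 key format is an assumption, and the key and timestamps are the RFC 6238 reference vectors, not Nexpose values.

```ruby
require 'openssl'

# Decode an RFC 4648 base32 string, the key format authenticator apps accept
# (assumption: the Nexpose token is handed to the app in this form).
def base32_decode(str)
  alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
  bits = str.upcase.delete('=').each_char.map do |c|
    v = alphabet.index(c) or raise ArgumentError, "bad base32 char #{c.inspect}"
    v.to_s(2).rjust(5, '0')
  end.join
  bits.scan(/.{8}/).map { |b| b.to_i(2) }.pack('C*')
end

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
# dynamic truncation to a 31-bit integer reduced to `digits` decimal digits.
def hotp(secret, counter, digits: 6)
  msg = [counter >> 32, counter & 0xFFFFFFFF].pack('NN')
  hmac = OpenSSL::HMAC.digest('SHA1', secret, msg)
  offset = hmac.getbyte(19) & 0x0F
  code = (hmac[offset, 4].unpack1('N') & 0x7FFFFFFF) % (10**digits)
  code.to_s.rjust(digits, '0')
end

# TOTP (RFC 6238): HOTP with the counter set to the current 30-second window.
def totp(secret, time = Time.now.to_i, step: 30, digits: 6)
  hotp(secret, time / step, digits: digits)
end

# Compare two codes without leaking where they first differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Accept a submitted code if it matches the current window or one window on
# either side (tolerates ordinary clock drift without widening the window much).
def totp_valid?(secret, code, time = Time.now.to_i, step: 30, skew: 1)
  (-skew..skew).any? { |d| secure_compare(totp(secret, time + d * step, step: step), code) }
end

# Constructed demo using the RFC 6238 reference key (ASCII "12345678901234567890").
DEMO_KEY = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'.freeze
if __FILE__ == $PROGRAM_NAME
  secret = base32_decode(DEMO_KEY)
  puts "code at T=59: #{totp(secret, 59)}"      # 287082 per RFC 6238
  puts "valid now:    #{totp_valid?(secret, totp(secret))}"
end
```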

A Global Administrator can check whether users have completed the Two Factor Authentication on the Manage Users page. The Manage Users page can be reached by going to the Administration tab and clicking the Manage link in the Users section. A new field – Two Factor Authentication Enabled – will appear in the table and let the administrator know which users have enabled this feature.

If the user doesn't create a token, they will still be able to log in without an access code. In this case, you may need to take steps to enforce enablement.

Method 2: Generating tokens for users

You can enforce that all users log in with a token by disabling the accounts of any users who have not completed the process, or by creating tokens for them and emailing them their tokens.

To disable users:

1. Go to the Manage Users page by going to the Administration tab and clicking the Manage link in the Users section.

2. Select the checkbox next to each user for whom the Two Factor Authentication Enabled column shows No.

3. Select Disable users.

To generate a token for a user:

1. Go to the Manage Users page by going to the Administration tab and clicking the Manage link in the Users section.

2. Select Edit for that user.

3. Generate a token for that user.

4. Provide the user with the token.

5. Once the user logs in with their access code, they can change their token on the User Preferences page if they wish.