Passwords integration with Gapp (2FA authentication)
Passwords
Passwords is a secrets manager for GLPI. It shares credentials between users and focuses heavily on fine-grained permissions based on entities, groups, types, and access levels.
Passwords can be linked to several GLPI items, keeps a history of accesses and uses, and gives technicians a convenient way to reach credentials, streamlining their work without sacrificing security.
Additional security layer for Passwords using Gapp as 2FA
The two-factor authentication feature of the Passwords plugin in the mobile app adds an additional layer of security: access to any password in GLPI requires confirmation through Gapp.
Configuration
To pair Gapp with your GLPI user and validate access to Passwords, follow these steps:
Step 1
The first step is to have a profile with access to Passwords. In this case, we’ll use the Super-Admin profile.
Step 2
If we go to the Gapp settings (the gear icon next to the user information), we can see the option to pair Gapp with our GLPI account to validate access to Passwords.
Step 3
If we select the Passwords 2FA option, we’ll be prompted to create a security PIN, which we’ll need to remember for future access validation. Additionally, if the device supports it, we can use biometric authentication (such as a fingerprint reader) to validate access.
Step 4
After entering a PIN, we’ll move on to linking Gapp with our GLPI account. Gapp will display a dialog with instructions on how to generate the code, which we must scan with Gapp to complete the link successfully.
Step 5
To complete the pairing, follow the steps outlined in the dialog box: in GLPI, go to My Settings > Passwords > Generate QR to pair with Gapp. A QR code will appear on the screen, which you’ll need to scan using the screen in Gapp that appears after pressing the Continue button in the dialog box.
How to use
Once Gapp is paired with our GLPI account, we can start validating password access in GLPI using 2FA through Gapp.
When accessing a password in Passwords, you’ll see a series of buttons. If you click the copy or view button, Gapp will receive a notification requesting validation to access that password.
When you click on this notification, the app will ask for the PIN you set up in step 3 of the previous section.
If your device is already set up to use fingerprint recognition for unlocking, you can also authorize access at this step using that authentication method. The process is similar to the previous one, but without the need to remember the previously set PIN.
2FA Password States
In Gapp settings, the Passwords 2FA button can have three different states:
Not configured
A gray shield appears. In this state Gapp has not yet been paired with its user in GLPI.
Paired
A green shield appears. In this state Gapp is paired with its user in GLPI and will receive push notifications to validate access from GLPI.
Unpaired
A red shield appears. This state indicates that another device has already been paired with your user in GLPI and it is not the device you are using.
It is also possible that no other device is paired, but the current device has logged out of or reinstalled Gapp and the internal encryption keys no longer match.
To pair the device again, simply repeat the pairing procedure.
In this state, password access cannot be validated.