General

ftrack Studio 4.3 introduces 2FA (two-factor authentication) to the ftrack Studio login process, should you wish to activate it for enhanced security.

When enabled, 2FA requires a second factor to authenticate the user beyond their account password.

Logging in with 2FA

When logging in with 2FA, users first encounter the standard ftrack login screen, where they must enter their username and password. ftrack verifies these credentials against the ftrack database or LDAP source. If the credentials are valid, a new screen displays, asking for an OTP (one-time password).

An authentication app – such as Authy, Duo Mobile, or Google Authenticator – generates this OTP. The user must enter the generated OTP into the ftrack Studio 2FA login screen.

Once ftrack accepts the valid OTP, the ftrack Studio login is complete, and ftrack grants user access to the service.

NOTE: 2FA is available only to users of ftrack and LDAP type. Users logging in via Google or SSO can already use 2FA via their identity provider.

How to enforce 2FA on all accounts

You can enable ftrack Studio's 2FA feature per account, or enable it for all users, which enforces all accounts to log in using 2FA.
To enforce 2FA for all accounts, go into “System settings”/”Security”/”Settings”. Toggle on "Enforce two-factor authentication":

When "Enforce two-factor authentication" is toggled on for a user, each user will be asked to enable 2FA immediately following their subsequent login with username/password, or when they reload their ftrack Studio webpage.

To enable 2FA, the user must download and install an app such as Authy, Duo Mobile, or Google Authenticator. They must then use the authentication app of choice to scan the QR code displayed using their device. The user will then receive a verification code to enter into the ftrack Studio dialogue box:

When 2FA is enabled, the user will receive a confirmation message:

How to enable 2FA on specific accounts

If the "Enforce two-factor authentication" setting is not set, 2FA will be optional for each ftrack Studio account. 

To enable 2FA per account, the user must go to "My account" and click "Enable 2FA":

Following this, ftrack Studio requests the user to follow the same procedure as detailed above: download and install a preferred app, scan the QR code, and verify using the received code:

When 2FA is enabled, the user will receive a confirmation message:

During the user's subsequent login, after they have entered their initial username and password, they will see this screen, which requests a verification code from the authentication app of choice:

2FA Backup codes

If your device containing the authentication app is lost or unavailable then you can utilize backup codes instead. Please note that this is a preemptive measure – backup codes must be accessed, downloaded, and stored at a time when the device is still available. We recommend that you store your codes somewhere safe for later use. As with your authentication codes, the backup codes are only of use to others if they also steal your password.

To generate a backup code, go to "My account" and press "Generate backup codes":

Enter a code from the authentication app, to proceed:

The backup codes are then generated and can be copied or printed for safe storage and use if your device/authentication app is unavailable. 

Backup codes come in sets of 10. You can generate a new set at any point, which will make the old set inactive.

How to disable 2FA

You can disable 2FA on your own account via "My account". If you wish to disable 2FA for other users, you must be an administrator. This is achieved via "System Settings/Users and groups".

FAQ

The only administrator at my facility has lost their 2FA device and their backup codes.
Please contact ftrack support. We can get you logged in safely and securely.

I have lost my phone and cannot login with 2FA.
You can access and use backup codes if you have them stored. Alternatively, ask an administrator to disable 2FA on your account from System Settings.

I have lost the backup codes I have stored.
Head to your account page. You can generate 10 new backup codes for safe storage. These codes will automatically replace the previously generated backup codes.

I have a new phone, how can I move my 2FA to the new phone?
Login to ftrack Studio and head to "My account". From there you can disable 2FA for your account using your old phone. You can then enable it again using your new phone.

Did this answer your question?