1. Home
  2. IP-PBX & UCM6300 Ecosystem
  3. UCM6300 Series
  4. Security
  5. UCM6300/A Series Multi-factor Authentication Guide
  1. Home
  2. IP-PBX & UCM6300 Ecosystem
  3. UCM6300 Audio Series
  4. Security
  5. UCM6300/A Series Multi-factor Authentication Guide

UCM6300/A Series Multi-factor Authentication Guide

INTRODUCTION

The UCM Multi-Factor Authentication (MFA) feature adds a simple and secure method to protect the system on top of requiring username and password for login. If enabled, the UCM will require login credentials (the 1st factor) and a verification code from an MFA device (the 2nd factor), increasing security for the UCM system.

To use MFA, users will need to install a virtual MFA application or purchase a physical MFA device. MFA is configured and applied per account, not all accounts.

Virtual MFA Device

Virtual MFA devices refer to software applications that are run on mobile devices or others to substitute physical MFA devices. An MFA application will generate a six-digit code via a time-based one-time password (TOTP) algorithm. This code will be required when logging into the UCM. The virtual MFA device assigned to each user must be unique. A user cannot use a code from another user’s MFA device or application to log into his own account.

Since MFA applications may run on insecure hardware, they may not provide the same level of security as physical MFA devices.

Physical MFA Device

A physical MFA device will generate a six-digit code via a time-based one-time password (TOTP) algorithm. This code will be required when logging into the UCM. The physical MFA device assigned to each user must be unique. A user cannot use a code from another user’s MFA device or application to log into his own account.

MFA device Specifications

Table 2: MFA Device Specifications

Virtual MFA Device

Physical MFA Device

Device

See Table 3 below

Purchase required

Cost

Free

Price determined by 3rd party vendor

Device

Specifications

Any mobile device or tablet that

can install and run applications

supporting the TOTP standard

3rd party vendor device that supports TOTP

standard such as Microcosm MFA devices

Application Scenario

Multiple tokens can be

supported on one device

Many financial institute and enterprise IT organizations use the same device type

VIRTUAL MFA APPLICATIONS

Please go to your mobile device or tablet’s app store to download and install MFA applications. The below table lists some example applications.

Table 3: Virtual MFA Applications

Android

Mobilde Devices

Google Authenticator

Twilio Authy 2-factor Authentication

iOS

Mobile Devices

Google Authenticator

Twilio Authy 2-factor Authentication

Windows

Mobile Devices

Authenticator (by Microsoft)

Using MFA Device

It is highly recommended to configure Multi-Factor Authentication (MFA) to provide higher level security of the UCM system. Super admins and admins can toggle on MFA for their own accounts but not for others’ accounts.

Using Virtual MFA Device

First, download an MFA application from your app store (e.g., Apple App Store or Google Play Store). See Table 3 for examples of available MFA applications.

Note

To configure MFA properly, email addresses must be set for the UCM and the desired admin account. This is the only method to disable MFA without login into the account. If no email address is configured, the account will not be able to login.

Follow these steps to configure MFA on UCM:

  1. Log into the UCM management portal with the super admin account. Navigate to System Settings🡪Email Settings and configure valid email settings that will allow UCM to send out emails. Make sure that the Type field is set to Client.
Graphical user interface, application, email

Description automatically generated
Figure 1: Email Settings

2. On UCM web UI, navigate to Maintenance->User Management page, click to edit the user information. Configure email address for the admin.

Graphical user interface, application

Description automatically generated
Figure 2: User Information

3. Enable Multi-Factor Authentication and select Virtual MFA device certification in the prompt. Then click on next.

4. The Virtual MFA device certification window will provide step-by-step instructions on setting everything up. Users can either scan a QR code or manually enter a key via their MFA app.

Qr code

Description automatically generated
Figure 3: Scan MFA QR Code

5. Open your virtual MFA app and follow the steps below.

  1. If your MFA application supports QR code, scan the provided QR code. Some mobile devices can scan and detect QR code using camera app.
  2. If your MFA application does not support QR code, click on “Show key” and then manually enter the key on the MFA application. If the MFA requires selecting how the code is generated, please select “Time-based”.
Note

If virtual MFA application supports multiple MFA devices or accounts, please select adding new MFA device/account to create a new device or new account.

6. The MFA will periodically generate one-time passwords. Enter the displayed one-time password displayed on the MFA app into the Code 1 field. Wait approximately 30 seconds for the app to generate another one-time password. Enter this new password into the Code 2 field.

Graphical user interface, text, application, chat or text message

Description automatically generated
Figure 4: Enter MFA Code

7. Click on start authentication. After passing the authentication, click on Save and Apply Changes buttons for the settings to take effect. The account has now been successfully bound to the virtual MFA device. An MFA code will now the required to log into the account.

Notes

  1. Please submit your request immediately after generating the code. Otherwise, the TOTP (time-based one-time password) will expire soon. If it’s expired, please start over again.
  2. One user can only be bind to one MFA device.

Using Physical MFA Device

Users will need to purchase a physical MFA device and confirm that the UCM has valid email settings configured with the Type field set to Client. The account being set up for MFA must also have a valid email address configured.

Note

To configure MFA properly, email addresses must be set for the UCM and the desired admin account. This is the only method to disable MFA without logging into the account. If no email address is configured, the account will not be able to log in.

Here are the steps to configure MFA on UCM.

  1. Log into the UCM management portal with the super admin account. Navigate to System Settings🡪Email Settings and configure valid email settings that will allow UCM to send out emails. Make sure that the Type field is set to Client.
  2. On UCM web UI, navigate to Maintenance->User Management page, click to edit the user information. Configure email address for the admin.
  3. Enable Multi-Factor Authentication and select Virtual MFA device certification in the following prompt. Then click on Next.
  4. The following hardware MFA device certification window will appear:
Graphical user interface, text, application

Description automatically generated
Figure 5: Hardware MFA Device Certification

5. Enter the device secret key. Please contact your vendor to obtain the secret key.

Note

The secret key must be the default hex seeds (seeds.txt) or base32 seeds. For example:
HEX SEED: B12345CCE6DA79B23456FE025E425D286A116826A63C84ACCFE21C8FE53FDB22 BASE32 SEED: WNKYUTRG3KE3FFTZ7UIO4QS5FBVBC2HJKY6IJLCP4QOH7ZJ12YUI====

6. In Code 1 field, enter the six-digit code displayed on the MFA device. You will need press the button on the front of the MFA device to display the code. Wait approximately 30 seconds for the device to generate a new code. Enter this second six-digit code into the Code 2 field.

A close up of a digital clock

Description automatically generated with low confidence
Figure 6: Physical MFA Device

7. Click on start authentication. After passing the authentication, click on save and apply for the settings to take effect. Now your account is successfully bind to the MFA device. MFA device code must be entered for the user to log in successfully.

Notes

  1. Please submit your request immediately after generating the code. Otherwise, the one-time password may expire. If it’s expired, please start over again.
  2. Each user can only be bound to one MFA device.

Removing MFA Device

If MFA is no longer needed, MFA can be disabled for the account at any time.

Removing MFA via User Management

  1. Log into the admin account to disable MFA for. Navigate to Maintenance🡪User Management and edit the appropriate account.
  2. Uncheck Multi-Factor Authentication.

Removing MFA via Login Page

  1. On the login page, enter the account credentials. Once the Multi-Factor Authentication window appears, click on the Reset certification link below the Login button.
  2. An MFA removal email will be sent to the user’s associated email address. In the email, click on the Reset Now button to confirm and disable MFA.
  3. This reset email will be valid for 10 minutes and will expire immediately after a user clicks on it.

FAQ

MFA Device Lost or Invalidated

If your MFA device has been lost or no longer works, please follow the instructions below to unbind the MFA device and use a new MFA device.

  1. On the login page, enter the account credentials. Once the Multi-Factor Authentication window appears, click on the Reset certification link below the Login button.
  2. An MFA removal email will be sent to the user’s associated email address. In the email, click on the Reset Now button to confirm and disable MFA.
  3. This reset email will be valid for 10 minutes and will expire immediately after it is clicked on.

SUPPORTED DEVICES

The following table shows all the UCM models which support multi-factor authentication feature:

UCM Models Supporting Multi-Factor Authentication

UCM6300 Series

UCM6300

Firmware 1.0.10.5 or higher

UCM6300

Firmware 1.0.10.5 or higher

UCM6300

Firmware 1.0.10.5 or higher

UCM6300

Firmware 1.0.10.5 or higher

UCM6300 Audio Series

UCM6300A

Firmware 1.0.10.5 or higher

UCM6302A

Firmware 1.0.10.5 or higher

UCM6304A

Firmware 1.0.10.5 or higher

UCM6308A

Firmware 1.0.10.5 or higher

Was this article helpful?

Related Articles

Need Support?
Can’t find the answer you’re looking for? Don’t worry we’re here to help!
Contact Support

Leave a Comment

We use cookies in order to give you the best possible experience on our website. By continuing to use this site, you agree to our use of cookies.
Accept