If you have obtained a new mobile phone and you are using two-factor authentication with Cerberus, there are two steps involved in moving it to your new phone. The first is setting up your authentication app of choice. Instructions for this can be found online, and it is done outside of Cerberus.
In Cerberus, the procedure depends on whether the user is a native, AD or LDAP user, and also on whether the user is a member of a group that has a 'Blanket' multifactor requirement.
Native Cerberus users (set up in 'Users' > 'Users') not in a group with a blanket MFA policy:
- Go to 'User Manager' > 'Users' and select the affected user
- Select 'Authentication'. Click 'Disable 2FA', then click 'Update User'
- Have the user log in and set up MFA again (scanning the QR code with the new device)
Native Cerberus users assigned to a group that has the MFA requirement set up:
You will need to temporarily override the group MFA requirement for just the user, then restore the requirement for the user, which will force them to establish MFA again.
- Go to 'User Manager' > 'Users' and select the affected user
- Select 'Authentication'. Click on the grey 'heads' icon to the right of the 'SSH Authentication Method' options to override the group assignment for this user.
- Click 'Update User' at the bottom-right to ensure you have saved the override.
- Go back to Authentication for the affected user and click on 'Disable 2FA' to disable 2FA on the user, then click 'Update User'.
- Go back to Authentication a third time, select the affected user, and click on the blue single 'head' icon to the right of the 'SSH Authentication Method' options to restore the group assignment for this user, then click 'Update'.
- DUO USERS: If you use the Cerberus integration with DUO, you MUST log into DUO and delete the user's device by following these instructions: 'What should I do if my authentication device is lost or stolen?'
- Have the user log in and set up MFA again (scanning the QR code with the new device)
Active Directory or LDAP users:
If you're using Active Directory or LDAP users, and the MFA requirement is set up on the default group the users are assigned to, you can do a one-time disablement of that user's 2FA requirement. The next time the user logs in, they will be required to set up 2FA again. Note: these instructions are for version 11 or above:
- In the Cerberus UI or Web Admin client, click on 'AD Users' or 'LDAP Users' (depending on your setup)
- Select 'User MFA Settings'
- Select the affected user from the drop-down
- The user setting should say 'Enabled'. Click 'Disable 2FA' to disable their 2FA requirement
- The user can now log in and be required to set up 2FA again. They should do it on their new device. Also advise the user to clear their browser cache before logging in, just in case there is any old session data lingering.
Basically this removes and re-adds 2FA for this user.