What is 2FA?
Two-factor authentication provides an extra layer of security when users sign into Socrata-powered sites. When 2FA is enabled, the specified users are asked to enter a 6-digit verification code in addition to their password to log into a site. The feature cannot be used if you are using Single Sign-On.
Site administrators can choose to enforce 2FA for an entire e-mail domain (e.g. @socrata.com) and/or for specific e-mail addresses*. It is not possible to require 2FA for any and all users who may access your site; it can be required only for the users you specify.
*Note: If a user's e-mail address is changed, 2FA will need to be re-applied to the new e-mail address.
How does Socrata enforce 2FA?
Socrata uses authentication apps (e.g. Google Authenticator, Microsoft Authenticator) to enforce 2FA. Users first install an app such as Google Authenticator on their mobile phone, which allows them to scan the QR code shown on the screen during the initial setup. These applications are available for free from Google Play (for Android users) and the Apple Store (for iPhone users).
Is 2FA compatible with all Socrata products?
This feature is currently compatible with the following Socrata products: Open Data, SCGC, and Open Performance. It is not yet available for Public Finance or Public Safety products. Stay tuned to our Product News for updates.
Will 2FA affect DataSync jobs and other types of authentication?
No, 2FA will only be enforced when a user is signing in through the Socrata web interface.
How can I request 2FA for my Socrata-powered site?
This feature is available to Socrata customers at no additional cost. To request 2FA for your site, contact email@example.com. In your request, please specify how you would like to enforce 2FA. You can choose from the following options:
- Enable 2FA for an entire e-mail domain(s) that you own (for example, Socrata would use @socrata.com). This will require all users with the specified e-mail extension to use 2FA when logging in.
- Enable 2FA for a specific set of users. This will limit 2FA to particular users based on the e-mail addresses you provide. All other users will continue to sign into your site as usual, without 2FA.
- Enable 2FA for entire e-mail domains as well as for specified users with different e-mail extensions. This could be useful if you wish to require 2FA for all users with an official e-mail extension (e.g. @socrata.com), as well as contractors or partners with different e-mail extensions.
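The three enforcement options above can be modeled as follows. This is an added example, not Socrata's code: the class, its method names, the sample addresses, and the exact-domain matching rule are assumptions. It also illustrates the earlier note that a rule tied to a specific address no longer covers a user whose e-mail address changes.

```python
from dataclasses import dataclass, field


def _normalize(email: str) -> tuple[str, str]:
    """Return (local, domain), lowercased and trimmed; reject malformed input."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    return local, domain


@dataclass
class TwoFactorPolicy:
    """Hypothetical model of a 2FA scope: whole domains and/or named users."""
    domains: set[str] = field(default_factory=set)
    addresses: set[str] = field(default_factory=set)

    def __post_init__(self):
        # Accept "@socrata.com" or "socrata.com"; store without the "@".
        self.domains = {d.strip().lower().lstrip("@") for d in self.domains}
        self.addresses = {"@".join(_normalize(a)) for a in self.addresses}

    def requires_2fa(self, email: str) -> bool:
        local, domain = _normalize(email)
        # Compare the whole domain. A substring or endswith() test would
        # also match look-alike domains such as "notsocrata.com".
        # Assumption: subdomains are NOT covered unless listed themselves.
        return domain in self.domains or f"{local}@{domain}" in self.addresses

    def loses_coverage(self, old_email: str, new_email: str) -> bool:
        """True if a user covered under old_email is not covered under new_email."""
        return self.requires_2fa(old_email) and not self.requires_2fa(new_email)


# Constructed sample: third option (a domain plus an outside contractor).
POLICY = TwoFactorPolicy(
    domains={"@socrata.com"},
    addresses={"contractor@partner.example"},
)

if __name__ == "__main__":
    for addr in ("Alice@Socrata.com", "bob@notsocrata.com",
                 "contractor@partner.example", "other@partner.example"):
        print(f"{addr:32} 2FA required: {POLICY.requires_2fa(addr)}")
    print("needs re-applying after change:",
          POLICY.loses_coverage("contractor@partner.example",
                                "contractor@newfirm.example"))
```

Running `loses_coverage` over pending e-mail changes flags accounts that would need 2FA re-applied before the change takes effect.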
What will users experience after 2FA is enabled?
The users specified in your 2FA configuration request will first enter their username and password on the login page for your site, as usual. They will then see this screen:
Using Google Authenticator or another similar app, they will need to scan the barcode to create an account for the Socrata site. The app will then provide a 6-digit verification code that can be entered to complete the login process.
On all subsequent login attempts, users will see the following screen after entering their username and password. Simply open the authenticator app to retrieve the required code.
What happens if I no longer have access to the device I use for two-factor authentication (e.g. a lost, stolen, or broken phone)?
Please contact Socrata Support at firstname.lastname@example.org and we will begin the secure process of resetting two-factor authentication on your Socrata account.