Multi-factor authentication
What is multi-factor authentication (MFA)?
Multi-factor authentication (MFA) is an authentication method that requires the user to provide two or more verification factors to gain access to an online account, such as a Moodle site. The factors can be something the user knows, such as a password, something they have, such as a phone or a security token, or something they are, such as a fingerprint.
MFA helps improve the security of your Moodle site because it is harder for attackers to compromise multiple factors.
Managing multi-factor authentication
From Site administration > Plugins > Admin tools > Manage multi-factor authentication, you can activate MFA by ticking the MFA plugin enabled box.
If you are configuring MFA for your site for the first time, we recommend that you check out the Recommendations and example setups section to streamline the experience for your users.
Weights and factors
In Site administration > Plugins > Admin tools > Manage multi-factor authentication, you can see a list of the available factors and select the ones that make up MFA for your site.
These factors have weight points, and users have to reach 100 points in order to be able to log in. By configuring multiple factors and adjusting their weights, you can create complex and flexible rules for multi-factor authentication.
For example, you could have two factors with 100 points each, if you want to give users different methods of authentication. Or you could have two factors with 50 points each, meaning that users will have to go through both factors to be able to log in.
During the login process, factors that don't require user input, like IP address or user role, are assessed first. Then, the remaining factors are evaluated in order of weight, starting from the highest, until either the cumulative points reach the login threshold (100) or all factors have been checked and login is denied.
Available authentication factors
Standard authentication factors
These are well-known, commonly used authentication factors found in many products and software:
Email: This factor requires users to enter a code received via email during the login process. When a user attempts to log in, the system generates a unique, temporary code and sends it to the user’s registered email address. The user must then enter this code along with their password to successfully complete the login process. This code has a limited validity period, which you can customise, ensuring that it cannot be used for unauthorised access.
Authenticator app: This factor uses a mobile application to generate a temporary code for user authentication. During the login process, Moodle prompts the user to enter a code generated by their authenticator app, in addition to their password. This code changes periodically, ensuring that it can’t be reused for unauthorised access. Users must have an app installed on their mobile device and configure this factor themselves.
Security key: This factor utilises physical hardware tokens, such as USB or NFC security keys, or physical biometrics such as fingerprints. During the login process, users must physically use their security key on their device to verify their identity. Users must configure this factor themselves.
IP range: This factor uses the user’s IP address to verify their identity, providing enhanced security when accessing from a trusted network. It requires no upfront setup from your users, allowing you to configure full login access on a trusted network.
SMS mobile phone: This factor requires a mobile phone capable of receiving SMS (text) messages. During the login process, Moodle generates a unique, one-time code and sends it to the user’s registered mobile phone number via SMS. The user enters this code along with their password to successfully complete the login process. Users must configure this factor themselves. Find out more from SMS gateways.
User filtering factors
User filtering factors are an easy way to create groups of users who WILL or WILL NOT be required to use multi-factor authentication (MFA).
Non-admin: This factor requires only administrators to have two or more authentication factors, while not affecting other users. It does so by giving factor points to all users who are not an administrator.
Authentication type: This factor allows certain users to skip additional authentication steps based on their authentication type. This can be useful for situations where certain authentication types, such as SAML via ADFS, already provide a high level of security, making additional authentication checks unnecessary.
Role: This factor has to be used in combination with other factors, as it allows you to specify which roles must use other factors to authenticate. For example, it enables you to require that individuals with elevated access privileges, such as managers and administrators, undergo a more stringent authentication process, while other non-specified roles such as students can bypass MFA.
Cohort: This factor has to be used in combination with other factors, as it allows you to specify which cohorts must use other factors to authenticate.
User capability: This factor is similar to the Role factor, and must also be combined with other factors, as it allows you to specify which users must use other factors to authenticate. It does so by checking whether users have the capability ‘factor/capability:cannotpassfactor’ at system level. Users who do not have the capability ‘factor/capability:cannotpassfactor’ will be given points for this factor and can bypass MFA, while users with this capability will need to use another type of authentication.
For example: You assign the capability ‘factor/capability:cannotpassfactor’ to all Managers, and also enable the Email factor. When a Manager logs in, they will have to use the Email factor. But when a student tries to log in, they will not.
Since Admin users have all capabilities allowed by default, including “factor/capability:cannotpassfactor”, there’s an additional setting that will allow Admins to gain points for this factor despite having the capability.
Other factors
These factors provide additional flexibility and control over the authentication process.
Trust this device: This factor allows users to mark a device as trusted during MFA logins. Once a device is designated as trusted, users can bypass MFA for a specified period of time when logging in from that device.
To implement this feature effectively, assign a score of 100 points to this factor.
Grace period: This factor is essential when you turn on factors that require upfront setup from users, such as the authenticator app or security key. It allows users to log in without engaging with multi-factor authentication (MFA) for a specified time frame, providing a buffer period to complete the setup of additional authentication factors. If a user is still within their grace period upon reaching the first post-login page, regardless of whether they used grace mode as a login factor, a notification will inform them of the remaining grace period length and the potential need to set up additional factors to prevent account lockout when the grace period expires.
To implement this feature effectively, assign a score of 100 points to this factor. To receive points for this factor, there must be no other user-input factors requiring user interaction during the login process. Place this factor at the end of the list to ensure all other factors are addressed first.
If the grace period ends and users have not set up their authentication methods, they will not be able to log in to your site. You can extend the grace period to allow them to log in, or enable other factors temporarily, such as IP range or role.
No other factors: This factor lets people log in if they have not yet configured any other MFA factors. For example, if you want to offer MFA to your users without making it mandatory, give ‘No other factors’ 100 points so that those who do not want to use MFA can still log in to the site. Once any other factor is configured for a user, that user can no longer earn points from this factor.
User configuration
If you enable the factors Authenticator app and Security key, your users will need to configure multi-factor authentication themselves. The authentication settings can be accessed through User menu > Preferences > Multi-factor authentication preferences. There, they will be able to set up and manage their authenticator apps or security keys, as well as revoke access to any factors they have configured.
It is important to note that a user will not be able to revoke a factor without having at least one other factor set up. This will reduce the chances of locking a user out without another way to authenticate.
Recommendations and example setups
When setting up MFA for your site, it’s important to ensure that you’re making your site more secure, but also creating a good experience for your users, including making sure that they are able to log in if they follow the right steps. Here are some recommendations to ensure that MFA is streamlined for your users:
- Make sure you turn on the Grace period factor when you turn on an authentication factor that requires users to configure something themselves (Authenticator app or Security key). This will give your users time to set up MFA before they are required to use it.
- If you don’t want to make MFA mandatory, enable No other factors. This will allow users with no other factors to log in using only their password.
- IP range factor is a very straightforward authentication method if all your users are using the same network. Once users are logged in using this factor, you can allow them to set up additional factors, such as an authenticator app, and then use those other factors to log in when not on your secure network.
- The SMS mobile phone factor relies on Amazon Simple Notification Service (SNS) for the delivery of secure and efficient SMS messages.
Example setups
These are some examples of common MFA setups to increase the security of your Moodle site.
a) Email verification
- Enable MFA.
- Turn on factor Email and give it 100 points.
- You can turn on Trust your device to allow your users to bypass MFA for a specified period of time after they have verified it with MFA for the first time.
- Let your users know that email verification is now enabled. Next time your users try to log in, they will see a message that asks them to check their email and enter a code that has been sent there.
b) Authenticator app
- Enable MFA.
- Turn on the factor Grace period and give it 100 points. This will allow your users a period of time to set up their authenticator apps and prevent them from being locked out of your site. Use the Grace period warning banner to let your users know that MFA will be enabled soon and encourage them to set up their authenticator app.
- Turn on the factor Authenticator app and give it 100 points.
- You can turn on Trust your device to allow your users to bypass MFA for a specified period of time after they have verified it with MFA for the first time.
c) Email OR Authenticator app
- Enable MFA.
- Turn on the factor Email and give it 100 points.
- Turn on the factor Grace period and give it 100 points. This will allow your users a period of time to set up their authenticator apps and prevent them from being locked out of your site. Use the Grace period warning banner to let your users know that MFA will be enabled soon and encourage them to set up their authenticator app.
- Turn on the factor Authenticator app and give it 100 points.
- You can turn on Trust your device to allow your users to bypass MFA for a specified period of time after they have verified it with MFA for the first time.
d) Email AND Authenticator app
- Enable MFA.
- Turn on the factor Email and give it 50 points.
- Turn on the factor Grace period and give it 100 points. This will allow your users a period of time to set up their authenticator apps and prevent them from being locked out of your site. Use the Grace period warning banner to let your users know that MFA will be enabled soon and encourage them to set up their authenticator app.
- Turn on the factor Authenticator app and give it 50 points. Users will have to pass both factors to get to 100 points and be able to log in.
- You can turn on Trust your device to allow your users to bypass MFA for a specified period of time after they have verified it with MFA for the first time.
e) SMS mobile phone
- Enable MFA.
- Turn on the factor SMS mobile phone and give it 100 points.
- Configure your SMS gateway (Site administration > SMS > Manage SMS gateways). Step-by-step information can be found in the SMS gateway management documentation.
- Inform your users that SMS mobile phone verification is now activated. During their next login, they can proceed to set up SMS mobile phone authentication in the user profile preferences page.
- You can turn on Trust your device to allow your users to bypass MFA for a specified period of time after they have verified it with MFA for the first time.
Summary of good conditions for logging in
The selected factors and their total weight, which must add up to 100, are listed here.
General MFA settings
- The MFA plugin enabled box should be checked for MFA to work.
- From this section you can add any relative URL from the site root for which the MFA check will not redirect.
- Links to any guidance pages or files may be uploaded here.
Administrator locked out of the site: how to fix it
Be careful as an administrator when configuring and testing the factors that you do not lock yourself out of the site. If you do, MFA can be disabled from the command line by entering:
php admin/cli/cfg.php --component=tool_mfa --name=enabled --set=0
See also
select the ‘factors’ that must be satisfied in order to log in. These factors must add up to a total of 100. By configuring multiple factors and weighting them, you can easily have fairly complex and flexible rules.
Non-admin: This factor lets you give free points to a user who is NOT an administrator. This makes it easy to require administrators to have 2 or more factors without affecting ordinary users.
Authentication type: Here you can specify that certain authentication types, such as SAML via ADFS, already have 100 points, exempting them from additional checks.
User capability: This factor checks whether the user has a capability in the system context. If the user has this capability, they will NOT earn the points for this factor and must instead use other factors to authenticate with the system. This is similar to the non-admin factor, but operates on the basis of a role. In practice, the capability ‘factor/capability:cannotpassfactor’ should be given to roles that must use other factors to authenticate with the system. There is an additional setting for this factor that allows administrators to earn points for it, since by default they always earn zero points for this factor.
Cohort: This factor requires the user to be in a particular cohort in order to log in.
Email: A simple factor which sends a short-lived code to your email, which you then need to enter to log in. Generally speaking this is a low-security factor, because typically the same username and password that logs you into Moodle is the same one that logs you into your email, so it doesn't add much value.
Grace period: This allows users to log in without interacting with MFA for a set period of time. Users can only achieve the points for this factor if there are no other input factors for them to interact with during the login process. This factor should be placed last in the list, so that all other factors are interacted with during the login process first. On the first page after login, if a user is currently within their grace period, regardless of whether they used grace mode as a login factor, they are presented with a notification informing them of the grace period length, and that they may need to set up other factors or risk being locked out once the grace period expires.
IP range: Use this factor if you are on a secure network. This is very useful because it requires no configuration from the end user, so you can log in fully via a secure network and, once logged in, set up other factors such as TOTP (Time-based One Time Password), then use those other factors to log in when not on a secure network.
No other factors: This is designed to let people pass only if they have not yet configured any other MFA factors.
Role: This factor checks whether a user has any chosen roles assigned in any context, and does not provide points if that is the case. This can be used to ensure the selected roles must use a higher level of authentication such as TOTP (Time-based One Time Password), while letting non-specified roles authenticate seamlessly. This factor should generally have high-privilege roles such as manager and administrator selected, to enforce higher account security for these groups.
Authenticator app: This factor sends a code to an authenticator app that a user has already installed on their smartphone. Another term for this is TOTP (Time-based One Time Password).