Advanced Authentication

Configure two-factor authentication and IP restrictions for enhanced security

Beyond basic password authentication and SSO, Appivo provides additional security controls to protect your tenant. This guide covers two-factor authentication and IP address restrictions.

Two-Factor Authentication

Two-factor authentication (2FA), also known as multi-factor authentication (MFA), adds an extra layer of security by requiring users to provide a one-time password (OTP) in addition to their regular credentials.

How It Works

  1. User enters their username and password
  2. User is prompted for a one-time code
  3. User opens their authenticator app and enters the code
  4. Access is granted if the code is valid

Supported Authenticator Apps

Users can generate OTPs using any TOTP-compatible authenticator app:

App                      Platforms
Google Authenticator     iOS, Android
Microsoft Authenticator  iOS, Android
Authy                    iOS, Android, Desktop
1Password                iOS, Android, Desktop, Browser

Enabling Two-Factor Authentication

As an administrator, you can configure 2FA at the tenant level:

  1. Navigate to Tenant Settings > Security
  2. Find the Two-Factor Authentication section
  3. Choose an enforcement option:
     Option            Description
     Disabled          2FA is not available
     Optional          Users can choose to enable 2FA for their account
     Required          All users must configure 2FA to access the tenant
     Required by Date  2FA becomes mandatory after a specified date

Setting an Enforcement Date

If you want to give users time to set up their authenticator apps:

  1. Select Required by Date
  2. Choose a date in the future
  3. Save the configuration

Users will see reminders to set up 2FA until the enforcement date. After that date, they won't be able to log in without completing 2FA setup.

Note: Consider giving users at least 1-2 weeks' notice before requiring 2FA.

User Setup Experience

When a user enables 2FA (or when it's required):

  1. User is shown a QR code
  2. User scans the QR code with their authenticator app
  3. User enters the verification code displayed in the app
  4. 2FA is activated for their account
  5. Backup codes are generated for account recovery

Backup Codes

When users enable 2FA, they receive a set of backup codes. These codes:

  • Can be used if the user loses access to their authenticator app
  • Each code can only be used once
  • Users should store them securely (not on the same device as the authenticator)

Resetting 2FA for a User

If a user loses access to their authenticator:

  1. Navigate to Users in the admin panel
  2. Find and select the user
  3. Click Reset 2FA
  4. The user will need to set up 2FA again on next login

IP Address Restrictions

IP restrictions allow you to limit access to Appivo applications from specific network ranges. This is useful for ensuring applications can only be accessed from your corporate network or approved locations.

Use Cases

Scenario               Configuration
Office-only access     Allow only your office IP range
VPN required           Allow only your VPN exit IP addresses
Regional restrictions  Allow IP ranges for specific geographic regions
Partner access         Include partner organization IP ranges

Configuring IP Restrictions

  1. Navigate to Tenant Settings > Security
  2. Find the IP Restrictions section
  3. Click Add IP Range
  4. Enter the IP range in CIDR notation

Supported Formats

Both IPv4 and IPv6 address ranges are supported:

Format       Example         Description
Single IPv4  192.168.1.100   Single IP address
IPv4 CIDR    192.168.1.0/24  Range of 256 addresses
IPv4 CIDR    10.0.0.0/8      Large corporate network
Single IPv6  2001:db8::1     Single IPv6 address
IPv6 CIDR    2001:db8::/32   IPv6 address range

Multiple Ranges

You can configure multiple IP ranges to accommodate different networks:

  • Main office network
  • Branch office networks
  • VPN exit points
  • Remote worker approved locations

Each range is evaluated independently: access is granted if the user's IP matches any configured range.

Testing IP Restrictions

Before enforcing IP restrictions:

  1. Add your current IP address range first
  2. Test access from within the allowed range
  3. Verify that access is blocked from outside the range (using a different network or mobile data)
  4. Have another administrator available in case you get locked out

Warning: Be careful when configuring IP restrictions. If misconfigured, you could lock yourself out of the admin panel.
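
The pre-enforcement check described above can be rehearsed offline before any range is saved. The following is an added example, not Appivo's code: the function names, the sample addresses, the rejection of ranges with host bits set, and the handling of IPv4-mapped IPv6 addresses are assumptions of this sketch.

```python
import ipaddress

def parse_ranges(entries):
    """Return (networks, errors) for a list of allowlist entries."""
    networks, errors = [], []
    for entry in entries:
        try:
            # strict=True rejects ranges with host bits set (172.16.5.9/16),
            # which usually means the wrong prefix length was typed.
            networks.append(ipaddress.ip_network(entry.strip(), strict=True))
        except ValueError as exc:
            errors.append((entry, str(exc)))
    return networks, errors

def is_allowed(client_ip, networks):
    """Any-match semantics: one matching range grants access."""
    addr = ipaddress.ip_address(client_ip)
    # This example's choice: treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in networks)

def preflight(entries, must_allow, must_block):
    """List the problems to resolve before the allowlist is enforced."""
    networks, errors = parse_ranges(entries)
    problems = [f"invalid entry {e!r}: {msg}" for e, msg in errors]
    problems += [f"{ip} would be locked out" for ip in must_allow
                 if not is_allowed(ip, networks)]
    problems += [f"{ip} would still be allowed" for ip in must_block
                 if is_allowed(ip, networks)]
    return problems

# Constructed sample: the ranges from the Supported Formats table plus one typo.
ENTRIES = ["192.168.1.100", "192.168.1.0/24", "10.0.0.0/8",
           "2001:db8::1", "2001:db8::/32", "172.16.5.9/16"]
ADMIN_IPS = ["10.20.30.40", "2001:db8:abcd::5", "172.16.5.9"]  # must keep access
OUTSIDE_IPS = ["203.0.113.9"]                                   # must be blocked

if __name__ == "__main__":
    for line in preflight(ENTRIES, ADMIN_IPS, OUTSIDE_IPS):
        print(line)
```

The mistyped entry is reported twice: once as invalid, and once through the administrator address it was meant to cover.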

Bypass for Administrators

Consider whether administrators should be able to bypass IP restrictions for emergency access. Options include:

  • Maintaining a separate admin access range
  • Creating a break-glass procedure with a super-admin account
  • Using a VPN that terminates at an allowed IP

Combining Security Controls

For maximum security, combine multiple authentication controls:

Configuration                Security Level  User Experience
Password only                Basic           Simple
Password + 2FA               Strong          Moderate friction
SSO only                     Strong          Seamless (if already logged into IdP)
SSO + IP Restrictions        Very Strong     Seamless within network
SSO + 2FA + IP Restrictions  Maximum         Higher friction

For most organizations:

  • Enable SSO with your corporate identity provider
  • Require 2FA for administrator accounts
  • Consider IP restrictions for sensitive applications

For high-security environments:

  • Enable SSO with your corporate identity provider
  • Require 2FA for all users
  • Enforce IP restrictions to corporate network
  • Implement session timeout policies

Troubleshooting

User Can't Complete 2FA Setup

  • Verify the user's device time is synchronized (TOTP codes are time-sensitive)
  • Have the user try a different authenticator app
  • Check that the QR code is being scanned correctly

User Blocked by IP Restriction

  • Verify the user's current IP address
  • Check if the IP falls within an allowed range
  • Consider if the user is behind a proxy or NAT that changes their apparent IP

2FA Codes Not Working

  • Ensure the device clock is accurate (within 30 seconds)
  • Verify the user is using the correct account in their authenticator app
  • Check if backup codes are available
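
Why device time matters for both troubleshooting cases above, as an added example that is not Appivo's code: a TOTP code is derived from the shared secret and the current 30-second time step, so a skewed device clock produces a code for a step the server does not accept. The 30-second step, 6 digits, HMAC-SHA1 and the one-step tolerance window are assumptions (common authenticator defaults), and the secret is the RFC 6238 test value.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code; assumed (common authenticator default)
DIGITS = 6   # assumed code length

def totp(secret_b32, unix_time):
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, code, server_time, window=1):
    """Return the step offset (-window..+window) at which `code` matches, else None.

    A wider window tolerates more clock drift but keeps each code valid longer.
    """
    for offset in range(-window, window + 1):
        expected = totp(secret_b32, server_time + offset * STEP)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return offset
    return None

def login_with_skew(secret_b32, server_time, device_skew_seconds):
    """Simulate a device whose clock is off by `device_skew_seconds`."""
    code = totp(secret_b32, server_time + device_skew_seconds)
    return verify(secret_b32, code, server_time)

# Constructed sample: the RFC 6238 test secret, base32-encoded as a QR code carries it.
SECRET = base64.b32encode(b"12345678901234567890").decode()
SERVER_TIME = 1111111109  # RFC 6238 test time; last second of its 30-second step

if __name__ == "__main__":
    for skew in (0, 2, -30, 90):
        result = login_with_skew(SECRET, SERVER_TIME, skew)
        outcome = "rejected" if result is None else f"accepted at step offset {result}"
        print(f"device clock {skew:+d}s -> {outcome}")
```

A device only 2 seconds fast already lands in the next step here, which is why verifiers usually accept adjacent steps; at 90 seconds of drift the code falls outside the window and is rejected.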
