For attackers, entering websites and web applications through the front door, the login page, is standard operating procedure. The reason: a recent study showed that 90 percent of user-generated passwords can be guessed or cracked.
That’s why, when it comes to your most sensitive login pages, traditional password protection is simply not enough. Now, Incapsula Login Protect adds a crucial layer of security to login pages, enabling organizations to implement two-factor authentication, seamlessly and simply.
Two-factor authentication means that, in addition to their standard username and password, users entering sensitive login pages must provide a one-time, time-limited code, received in real time via SMS or email, or generated by Google Authenticator. This added layer combines something you know (your password) with something you have (a phone, or access to an email account). Of the three methods, a code sent by email is only as strong as the protection on the mailbox itself, and an authenticator app is the only one that needs no delivery channel at all.
Uniquely, Login Protect enables Incapsula clients to set up an additional layer of authentication for any URL with no overhead, no special equipment, and no learning curve.
Incapsula Login Protect adds this layer to sensitive login pages with minimal setup overhead. Implementing it takes three steps:
- Choose the URL you want to protect
- Choose your preferred method of authentication for this URL
- Choose the users that can access this URL
Incapsula Login Protect authenticates with a one-time passcode that can be received via:
- Email (for all Incapsula plans)
- Google Authenticator (for Incapsula Pro Plan clients, and above)
- SMS (for Incapsula Business Plan clients, and above)
In this document, you’ll learn how to:
- Set up Incapsula Login Protect
- Log in with Incapsula Login Protect
Setting up Login Protect
Once you’ve added your site to Incapsula, enter the Incapsula admin interface and click on the Login Protect icon on the left navigation pane. This will take you to the Login Protect Settings Screen:
On the Login Protect Settings screen, define the following parameters:
1. Protected Pages
“Protected Pages” refer to sensitive pages on your web site, such as an admin login page, for which you want to use Incapsula Login Protect to achieve an extra layer of security.
Click the "Add Page" button and enter either a specific URL to protect or a URL pattern (any page whose URL ends with /admin, for example). Any number of URLs or URL patterns may be entered, as long as all belong to the site being configured (for example, all start with www.mydomain.com).
2. Excluded Pages
"Excluded Pages" are pages or resources that must remain publicly accessible even though they fall under a URL that was added to the Protected Pages section.
A good example is the WordPress administration path, /wp-admin.
When adding /wp-admin to the Protected Pages section, take into account the resources beneath it that must stay reachable by all users, such as /wp-admin/admin-ajax.php, which WordPress themes and plugins call from public pages. Keep exclusions as narrow as possible: an excluded resource receives no Login Protect challenge at all, so exclude the specific file rather than the whole directory.
3. Authentication Methods
Authentication Methods refer to the method by which Incapsula Login Protect will authenticate the identity of your users, prior to enabling them access to Protected Pages.
Choose one or more authentication methods:
- Email: user will receive an email with the one-time login code
- SMS: for Incapsula Business Plan clients and above, user receives an SMS with the one-time login code
- Google Authenticator: for Incapsula Pro Plan clients and above, the user reads the one-time login code from the Google Authenticator app on his/her phone; the app generates the codes locally, so nothing has to be delivered by email or SMS.
4. Authorized Users
Users on the Authorized Users list can access Login Protect protected pages after authentication. Users may be selected from the Login Protect List of users. The Login Protect List of an Incapsula account encompasses all users of all sites covered by the specific Incapsula account.
- Choosing Authorize all Login Protect users in this account enables any users in your Login Protect List to access the protected page, following authentication.
- Choosing Select authorized users from List opens the Login Protect List in table format below, allowing you to choose the specific users that can access the protected page, following authentication.
5. Login Protect Users List Page
The Login Protect Users List of an Incapsula account encompasses all users of all sites covered by the specific Incapsula account. The Login Protect List page is accessed via the Login Protect tab, on the Account Settings page.
On the Login Protect Users List page, all user details may be edited and new users may be added. Users may also be deleted, revoked or re-added. User status is listed as Activation Request Sent or Active.
6. Adding Users
Clicking on the blue Add User button on the Login Protect Users List page (or clicking the “Add users” on the site settings page) opens the Request Users to Activate dialog. This dialog enables you to easily add new users to the Login Protect List, who can then be granted access to your protected page.
To add a new user, enter his/her email address, and click “Send.” You can add multiple users by entering their e-mails, separated by commas or semi-colons, with or without spaces. Each user receives an email with a link, leading him/her to the user activation page. The e-mails are received separately, so that no user can see what other users received. The subject and body fields are editable, so you can customize them as much as you like. Each user receives the following e-mails:
7. User Activation Process
On the activation page, the prospective user is required to identify him/herself by name, and then activate the various methods of authentication, depending on the Incapsula service plan. The site’s admin can enable any or all of the available methods, in line with the Incapsula service level, separately for each site.
- Email – this option is automatically activated, since the prospective user has received the enquiry via email. Email authentication allows the user to authenticate using a code sent to his/her email address on each login. The complete procedure for login is described below, in “Logging in with Login Protect.”
- SMS - to set up SMS authentication (business accounts and up) user should do the following:
1. Enter the phone number where Incapsula should send the text with the code for authentication.
Note: Users must have the phone with them when setting this up. The system will prompt the user to enter a confirmation code before allowing them to set a phone number.
2. User clicks Get Activation Code.
3. Incapsula sends a verification code to the phone number indicated.
4. In the Authentication Code field, the user types in the code received as a text message and clicks Activate.
Login Protect is now set up for text messaging. Text message authentication allows the user to authenticate using a code texted to the phone on each login. The complete procedure for login is described below, in "Logging in with Login Protect."
- Google Authenticator - to set up Google Authenticator authentication, the user needs to:
1. Download the Google Authenticator app (Android or iPhone) on his/her mobile device.
2. Scan the QR code that appears on the User Activation screen from within the Google Authenticator app.
3. Type in the code that appears on the phone and click Activate.
4. The system confirms that authentication using Google Authenticator is enabled.
When all authentication methods have been activated, clicking on I’m Done adds the users to the Login Protect List. The user is redirected to the following screen, showing the websites to which he/she now has access using Login Protect:
Logging in with Login Protect
Once Login Protect has been activated for a given URL, every visit to that page requires a fresh one-time code (unless the user has marked the device as trusted, described below), as follows:
When a user attempts to access the protected URL, he/she is automatically redirected to an Incapsula Login Protect screen. There, he/she is prompted to enter an email address for initial identification, and then to choose a preferred method of authentication:
- The user clicks either “Text Me” or “Email Me”, or, if he/she has Google Authenticator, simply opens the app on his/her phone and uses the code from the app. All or only some of these options will be shown, depending on the site admin’s preference and/or Incapsula account plan.
- The system sends the code using the method indicated.
- The user types the received code into the relevant field.
- If the computer is the user's own personal computer or mobile device and is used by no one else, he/she can also check "Trust this computer", which suppresses the second-factor prompt for logins from that specific device for 14 days. It should never be checked on a shared or public machine, since anyone using that device within the 14 days passes straight through to the standard login page.
- User clicks Submit to enter the standard login page.
Note: The codes received via Email or SMS are valid for 5 minutes. The codes received via Google Authenticator are valid for 30 seconds, which is the application's refresh interval.
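The two code lifetimes in the note above, as an added worked example. This is an illustration written for this page, not Incapsula's implementation, and the class and function names are its own. It pairs a random single-use code that expires 5 minutes after issue, for email or SMS delivery, with an RFC 6238 TOTP check of the kind Google Authenticator performs, where the code changes every 30 seconds. Two details go beyond the page: the TOTP verifier accepts one neighbouring 30-second step by default to absorb clock drift between phone and server, a common practice the page does not describe, and it refuses to accept a step it has already redeemed, so a code really is one-time even within its validity window. The HMAC key is the RFC 6238 test key, so the codes can be checked against the RFC's published vectors.

```python
"""Added illustration of the two one-time-code lifetimes (not Incapsula's code)."""
import hashlib
import hmac
import secrets
import struct
import time

EMAIL_SMS_TTL = 300      # seconds: the page states codes sent by email/SMS last 5 minutes
TOTP_STEP = 30           # seconds: Google Authenticator's refresh interval
DIGITS = 6

# RFC 6238 / RFC 4226 test key, used so the output can be checked against the RFCs.
RFC_TEST_SECRET = b"12345678901234567890"


class OneTimeCode:
    """Server-side record of a code sent by email or SMS: single use, time-limited.

    A real deployment would store a hash of the code rather than the code itself.
    """

    def __init__(self, ttl=EMAIL_SMS_TTL, now=None):
        now = time.time() if now is None else now
        self.code = f"{secrets.randbelow(10 ** DIGITS):0{DIGITS}d}"   # 000000..999999, CSPRNG
        self.expires_at = now + ttl
        self.used = False
        self.failed = 0

    def verify(self, submitted, now=None, max_failures=5):
        now = time.time() if now is None else now
        if self.used or now > self.expires_at or self.failed >= max_failures:
            return False
        if hmac.compare_digest(self.code, str(submitted)):   # constant-time compare
            self.used = True                                   # burn it: one-time
            return True
        self.failed += 1                                       # cap online guessing
        return False


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, now: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step); this is what the app shows."""
    return hotp(secret, int(now) // step)


class TotpVerifier:
    """Checks authenticator-app codes; tolerates slight clock drift, rejects replays."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window        # neighbouring steps accepted (1 => +/- 30 s)
        self.last_counter = -1      # highest step already redeemed

    def verify(self, submitted: str, now: float) -> bool:
        counter = int(now) // TOTP_STEP
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue            # that step's code has already been used
            if hmac.compare_digest(hotp(self.secret, candidate), str(submitted)):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    sent = OneTimeCode(now=0)
    print("email/SMS code", sent.code, "accepted at t=299:", sent.verify(sent.code, now=299))
    print("same code again:", sent.verify(sent.code, now=300))          # False: single use
    print("TOTP at t=59 (RFC 6238 vector 287082):", totp(RFC_TEST_SECRET, 59))
```

The 5-minute window for delivered codes is long compared with the 30-second authenticator step because delivery itself takes time; the failure cap on `OneTimeCode.verify` is what keeps a six-digit code safe across that longer window.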
Resending Activation Email
If a user, for whatever reason, did not activate his/her Login Protect account following receipt of the activation email from the Incapsula administrator, he/she will not be able to access the protected URL.
When attempting to access the protected URL, the user will arrive at the Login Protect login screen:
Clicking on “Didn’t Configure Login Protect Authentication” will take the user to the following screen:
From this screen, the user can receive another activation email, and begin the process of authentication described above.