For hackers, entering websites and web applications through the front door - login pages – is the standard operating procedure. The reason? A recent study showed that 90 percent of user-generated passwords are vulnerable to hacking.
That’s why, when it comes to your most sensitive login pages, traditional password protection is simply not enough. Now, Incapsula Login Protect adds a crucial layer of security to login pages, enabling organizations to implement two-factor authentication, seamlessly and simply.
Two-factor authentication means that, in addition to their standard username and password, users entering sensitive login pages are required to provide a one-time, time-limited code –received in real time via SMS, email or Google Authenticator. This added layer of authentication uses something you know—your password—and something you have—a physical device such as a phone, access to an email account, etc.
Uniquely, Login Protect enables Incapsula clients to set up an additional layer of authentication for any URL with no overhead, no special equipment, and no learning curve.
Incapsula Login Protect adds a crucial layer of security to sensitive login pages with minimum setup overhead. Implementing Incapsula Login Protect is as easy as 1-2-3:
- Choose the URL you want to protect
- Choose your preferred method of authentication for this URL
- Choose the users that can access this URL
Incapsula Login Protect authenticates with a one-time passcode that can be received via:
- Email (for all Incapsula plans)
- Google Authenticator (for Incapsula Pro Plan clients, and above)
- SMS (for Incapsula Business Plan clients, and above)
In this document, you’ll learn how to:
- Set up Incapsula Login Protect
- Log in with Incapsula Login Protect
Setting up Login Protect
- Log in to your my.incapsula.com account.
- On the sidebar, click Websites (default).
- Click a site name to access the site's dashboard.
- On the sidebar, click Settings.
- Click Login Protect.
If Login Protect is not yet enabled, click Enable.
On the Login Protect Settings screen, define the following parameters:
Protected Pages refer to sensitive pages on your website, such as an admin login page, for which you want to add an extra layer of security.
Click on the Add Page button and select either a specific URL to protect or a URL pattern (for example, any page whose URL ends with /admin). Any number of URLs or URL patterns may be entered, as long as they are all within the same top-level domain (for example, all start with www.mydomain.com).
Excluded Pages
This option excludes resources that fall under the Protected Pages rules from two-factor authentication. For example:
Protected Pages rule: “URL is: /wp-admin”
Excluded Pages rule: “URL is: /wp-admin/admin-ajax.php”
In this case, all resources under /wp-admin require two-factor authentication except admin-ajax.php.
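The rule precedence in this example, as an added illustration that is not Incapsula's code or documentation: a small Python checker that applies Protected Pages and Excluded Pages rules to request paths and lists what stays reachable without a second factor. The prefix semantics for “URL is” and the “ends_with” pattern are assumptions modeled on the page's examples, not the product's exact matching rules.

```python
from urllib.parse import urlsplit

# Rule model assumed for this example: ("is", "/path") protects that path and
# everything under it (the page's /wp-admin example); ("ends_with", "/admin")
# models the "any page whose URL ends with /admin" pattern.
PROTECTED_PAGES = [("is", "/wp-admin"), ("ends_with", "/admin")]
EXCLUDED_PAGES = [("is", "/wp-admin/admin-ajax.php")]


def rule_matches(rule, path):
    """Return True when a single Protected/Excluded Pages rule covers `path`."""
    kind, value = rule
    if kind == "is":
        base = value.rstrip("/")
        return path == base or path.startswith(base + "/")
    if kind == "ends_with":
        return path.endswith(value)
    raise ValueError(f"unknown rule kind: {kind}")


def requires_two_factor(url, protected=PROTECTED_PAGES, excluded=EXCLUDED_PAGES):
    """Decide whether a request URL falls behind Login Protect.

    Only the path is matched; query string and fragment take no part in the
    decision (an assumption for this example). An exclusion wins over any
    protection rule, which is the behaviour the page describes.
    """
    path = urlsplit(url).path or "/"
    if any(rule_matches(r, path) for r in excluded):
        return False
    return any(rule_matches(r, path) for r in protected)


def unprotected_paths(urls, protected=PROTECTED_PAGES, excluded=EXCLUDED_PAGES):
    """Review helper: list sample URLs reachable without two-factor authentication."""
    return [u for u in urls if not requires_two_factor(u, protected, excluded)]


if __name__ == "__main__":
    # Constructed sample of request URLs for an audit of the rule set.
    sample = [
        "https://www.mydomain.com/wp-admin",
        "https://www.mydomain.com/wp-admin/users.php?page=2",
        "https://www.mydomain.com/wp-admin/admin-ajax.php",
        "https://www.mydomain.com/wp-admin-tools",
        "https://www.mydomain.com/portal/admin",
    ]
    for u in unprotected_paths(sample):
        print("no 2FA:", u)
```

Run it against the real list of admin endpoints on your site to confirm that every exclusion you add is one you intended to leave outside the second factor.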
Methods and Notifications
This section lets you define the authentication mechanisms by which users can receive a one-time passcode.
Select one or more of the following authentication methods:
- Email: User receives an email with a one-time passcode.
- Text Message (SMS): User receives a text message with a one-time passcode.
- Google Authenticator: User gets the one-time passcode from the Google Authenticator mobile application.
This section lets you define which users are allowed to access Protected Pages after authentication. Login Protect enables two methods for selecting the group of Login Protect users that will be authorized to access Protected Pages:
- Authorize all Login Protect users in this account: this option will automatically authorize all existing and future Login Protect users, even if they are added as users on other sites.
- Select authorized users from list: this option can be used to select a subset of Login Protect users from the Login Protect users list.
Login Protect Users List
The Login Protect users list is an account level setting of all the Login Protect users defined for all of your Incapsula-protected sites. Users can be invited via email or added as a group by uploading a CSV file.
To access the Login Protect Users List: On the sidebar, click Management > Login Protect.
Clicking the blue Add User button on the Login Protect Users List page (or clicking “Add users” on the site settings page) opens the Request Users to Activate dialog. This dialog lets you add new users to the Login Protect List, who can then be granted access to your protected pages.
To add a new user, enter his/her email address, and click “Send.” You can add multiple users by entering their e-mails, separated by commas or semi-colons, with or without spaces. Each user receives an email with a link, leading him/her to the user activation page. The e-mails are received separately so that no user can see what other users received. The subject and body fields are editable, so you can customize them as much as you like. Each user receives the following emails:
User Activation Process
On the activation page, the prospective user is required to identify him/herself by name, and then activate the various methods of authentication, depending on the Incapsula service plan. The site’s admin can enable any or all of the available methods, in line with the Incapsula service level, separately for each site.
- Email – this option is automatically activated, since the prospective user has received the activation request via email. Email authentication allows the user to authenticate using a code sent to his/her email address on each login. The complete procedure for login is described below, in “Logging in with Login Protect.”
- SMS - to set up SMS authentication (Business accounts and up), the user should do the following:
1. Enter the phone number where Incapsula should send the text with the code for authentication.
Note: Users must have the phone with them when setting this up. The system will prompt the user to enter a confirmation code before allowing them to set a phone number.
2. User clicks Get Activation Code.
3. Incapsula sends a verification code to the phone number indicated.
4. In the Authentication Code field, the user types in the code received as a text message and clicks Activate.
Login Protect is now set up for text messaging. Text Message authentication allows the user to authenticate using a code texted to the phone on each login. The complete procedure for login is described below, in “Logging in with Login Protect.”
- Google Authenticator - to set up Google Authenticator authentication, the user should do the following:
1. Download the Google Authenticator app (Android or iPhone) on his/her mobile device.
2. In the Google Authenticator app, scan the QR code that appears on the User Activation screen.
3. Type in the code that appears on the phone and click Activate.
4. The system confirms that authentication using Google Authenticator is enabled.
When all authentication methods have been activated, clicking on I’m Done adds the users to the Login Protect List. The user is redirected to the following screen, showing the websites to which he/she now has access using Login Protect:
Logging in with Login Protect
Once Login Protect has been activated for a given URL, logging into that page requires a one-time authentication on every subsequent entry, as follows:
When a user attempts to access the protected URL, he/she is automatically redirected to an Incapsula Login Protect screen. There, he/she is prompted to enter an email address for initial identification, and then to choose a preferred method of authentication:
- The user clicks either “Text Me” or “Email Me”, or, if he/she has Google Authenticator, simply opens the app on his/her phone and uses the code from the app. All or only some of these options will be shown, depending on the site admin’s preference and/or Incapsula account plan.
- The system sends the code using the method indicated.
- The user types the code received into the relevant field.
- If the computer is the user’s personal computer or mobile device, and is used by no one else, he/she can also check “Trust this computer”, which removes the need for two-factor authentication on each login from that specific device for 14 days.
- User clicks Submit to enter the standard login page.
Note: The codes received via Email or SMS are valid for 5 minutes. The codes received via Google Authenticator are valid for 30 seconds, which is the application's refresh interval.
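Why the two lifetimes differ, shown as an added Python example that is not Incapsula's code: a Google Authenticator code is an RFC 6238 TOTP value derived from a shared secret and the current 30-second time step, so it expires with the step, while an emailed or texted code is a random value the server must store and expire itself (5 minutes here). The secret is the RFC 6238 test vector; the single-use policy and the one-step clock-skew allowance are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30            # Google Authenticator refresh interval, in seconds
DELIVERED_CODE_TTL = 300  # Email / SMS codes stay valid for 5 minutes
# Shared secret from the RFC 6238 test vectors, base32-encoded as authenticator apps store it.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret_b32, unix_time, step=TOTP_STEP):
    """RFC 6238 TOTP: the counter is the number of whole 30-second steps since the epoch."""
    return hotp(secret_b32, unix_time // step)

def verify_totp(secret_b32, submitted, unix_time, skew_steps=1):
    """Accept the current step and +/- skew_steps neighbours (clock drift); constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + k * TOTP_STEP), submitted)
        for k in range(-skew_steps, skew_steps + 1)
    )

class DeliveredCodeStore:
    """Server-side state for codes sent by email or SMS: random, single-use, 5-minute lifetime."""

    def __init__(self):
        self._pending = {}  # user -> (code, issued_at)

    def issue(self, user, now):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = (code, now)  # a new code replaces any earlier one
        return code

    def redeem(self, user, submitted, now):
        entry = self._pending.pop(user, None)  # any attempt consumes the code: one guess per delivery
        if entry is None:
            return False
        code, issued_at = entry
        if now - issued_at > DELIVERED_CODE_TTL:
            return False  # expired after 5 minutes
        return hmac.compare_digest(code, submitted)
```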
Resending Activation Email
If a user, for whatever reason, did not activate his/her Login Protect account following receipt of the activation email from the Incapsula administrator, he/she will not be able to access the protected URL.
When attempting to access the protected URL, the user will arrive at the Login Protect login screen:
Clicking on “Didn’t Configure Login Protect Authentication” will take the user to the following screen:
From this screen, the user can receive another activation email, and begin the process of authentication described above.