How to Set Up MFA
Multi-Factor Authentication on your Comet-Hosted Server
For Self-Hosted Server, please refer to this guide.
Multi-factor authentication (MFA) is an additional layer of protection for your Comet-Hosted Server administrative login account. When this feature is enabled, an additional factor (such as a code from a separate device, or a hardware token) is required to log in to the web interface, so your password alone is not sufficient to log in.
If you have any external API integrations that access the server using your user account, enabling MFA may break them. To keep using the API while protecting your account with MFA, create a separate administrator user account used exclusively for API access, with a long, randomly generated password.
Comet supports two types of MFA:
- Time-based One-Time Password (TOTP)
- Fast IDentity Online 2 (FIDO2) WebAuthn
Time-based One-Time Password (TOTP)
Comet Server supports MFA for administrator accounts in compliance with the TOTP standard. This standard describes a six-digit code that changes every 30 seconds.
Steps to enable TOTP:
- In your Comet Account Portal, head to ‘My Account’ then ‘Setup Two Factor Authentication’.
- Scan the displayed QR code with any TOTP application or enter the code manually.
Recommended TOTP applications:
- Microsoft Authenticator (Android, iOS)
- Google Authenticator (Android, iOS)
- Aegis Authenticator (Android)
- 2FAS (Android, iOS, browser extension)
- Keeper (Android, iOS, browser extension, desktop application, web application)
- Bitwarden (Android, iOS, browser extension, desktop application, web application)
- Enter the six-digit code displayed on your TOTP application then click on ‘Enable’.
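The six-digit, 30-second code described above is RFC 6238 TOTP, which is RFC 4226 HOTP with the counter set to the current 30-second time step. The following is an added example, not Comet's code, showing how an authenticator app derives the code from the secret you enter manually (the Base32 string behind the QR code) and how a server should check a submitted code: a small drift window, a constant-time comparison, and rejection of any step that has already been used so a captured code cannot be replayed. The secret is the RFC 6238 reference test key, so the outputs can be checked against the RFC's own vectors; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference secret (ASCII "12345678901234567890"), in the Base32 form
# an authenticator app accepts when you "enter the code manually".
RFC_SECRET_BASE32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

STEP_SECONDS = 30   # the code changes every 30 seconds
DIGITS = 6          # six-digit code


def decode_base32_secret(text: str) -> bytes:
    """Decode a manually entered Base32 secret, tolerating spaces, lowercase
    and missing '=' padding (apps usually show the secret without padding)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_accepted_step: int = -1, window: int = 1):
    """Server-side check. Returns the time step the code matched, or None.

    - Accepts the current step plus `window` steps on either side so a
      slightly drifted phone clock still works (RFC 6238 suggests at most one).
    - Compares with hmac.compare_digest so timing does not leak digits.
    - Refuses any step <= last_accepted_step, so a code captured from the
      user cannot be replayed while it is still inside the window. Callers
      must persist the returned step as the new last_accepted_step.
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return None
    current = unix_time // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if step <= last_accepted_step:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None


if __name__ == "__main__":
    secret = decode_base32_secret(RFC_SECRET_BASE32)
    print("code right now:", totp(secret, int(time.time())))
    print("RFC 6238 vector at t=59:", totp(secret, 59))  # 287082
```

The replay check matters more than it looks: without it, a code phished from a user seconds ago is still valid for the rest of the window, and with a window of one step that can be up to 90 seconds.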
Fast IDentity Online 2 (FIDO2) WebAuthn
Comet Server supports the use of a WebAuthn authenticator as a multi-factor authenticator for administrator accounts. This includes the following:
- CTAP1/CTAP2-compatible hardware security keys (e.g., a YubiKey).
- Any U2F-compatible hardware security key, which can be used seamlessly with WebAuthn.
- Android devices using screen lock authentication (e.g., fingerprint or PIN).
- Windows Hello (e.g., fingerprint, facial recognition, or PIN) on Windows devices with a valid Trusted Platform Module (TPM).
WebAuthn registration and login are only available when the Comet-Hosted Server or Self-Hosted Server is accessed over HTTPS; they are supported in all major modern browsers.
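The HTTPS requirement is not only a browser policy: the origin the user logged in from is part of the data the authenticator signs, and the server checks it. The following is an added example, not Comet's code, of the checks a relying party performs on a WebAuthn login assertion before trusting it: the challenge it issued, an allowed HTTPS origin, the RP ID hash, the user-presence and user-verification flags, and a signature counter that must move forward (a counter that does not advance is the standard signal of a cloned authenticator). The RP ID, origin and challenge are constructed for the example, and verification of the ECDSA signature itself (over authenticatorData followed by SHA-256 of clientDataJSON, with the credential's stored public key) needs a cryptography library and is left out.

```python
import base64
import hashlib
import hmac
import json
import struct

# authenticatorData flag bits (WebAuthn, section "Authenticator Data")
FLAG_UP = 0x01  # user present (touched the key / confirmed the prompt)
FLAG_UV = 0x04  # user verified (PIN, fingerprint, Windows Hello, ...)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_authenticator_data(auth_data: bytes) -> dict:
    """First 37 bytes: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def assertion_problems(client_data_json: bytes, auth_data: bytes, *,
                       expected_challenge: bytes, rp_id: str,
                       allowed_origins: set, stored_sign_count: int,
                       require_user_verification: bool) -> list:
    """Return the reasons to reject an assertion; an empty list means accept."""
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("type is not webauthn.get")
    if not hmac.compare_digest(b64url_decode(client.get("challenge", "")),
                               expected_challenge):
        problems.append("challenge does not match the one issued for this login")
    origin = client.get("origin", "")
    if not origin.startswith("https://") or origin not in allowed_origins:
        problems.append("origin %r is not an allowed HTTPS origin" % origin)
    auth = parse_authenticator_data(auth_data)
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(auth["rp_id_hash"], expected_hash):
        problems.append("rpIdHash does not match RP ID %r" % rp_id)
    if not auth["flags"] & FLAG_UP:
        problems.append("user presence flag not set")
    if require_user_verification and not auth["flags"] & FLAG_UV:
        problems.append("user verification required but UV flag not set")
    # Counters of 0 on both sides mean the authenticator does not keep one;
    # otherwise the new value must be strictly greater than the stored one.
    if (auth["sign_count"] or stored_sign_count) and auth["sign_count"] <= stored_sign_count:
        problems.append("signature counter did not increase (possible cloned authenticator)")
    return problems


def make_sample_assertion(challenge: bytes, origin: str, rp_id: str,
                          flags: int, sign_count: int):
    """Constructed input shaped like a real browser/authenticator response."""
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return client_data_json, auth_data


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; use os.urandom(32) per login
    cd, ad = make_sample_assertion(challenge, "https://backup.example.com",
                                   "backup.example.com", FLAG_UP | FLAG_UV, 12)
    print(assertion_problems(cd, ad, expected_challenge=challenge,
                             rp_id="backup.example.com",
                             allowed_origins={"https://backup.example.com"},
                             stored_sign_count=11,
                             require_user_verification=True))  # []
```

On success the server stores the new signature counter against the credential; on any non-empty result the login is refused and the reasons are worth logging, since a counter that went backwards or an unexpected origin are both things an operator wants to see.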
Limitations:
Comet does not support WebAuthn with:
- Apple Face ID and Touch ID
- Internet Explorer 11
Steps to enable WebAuthn:
- In your Comet Account Portal, head to ‘My Account’ and then ‘Setup Two Factor Authentication’.
- Click on ‘Register’ under WebAuthn.
- Select the authenticator you would like to use, if prompted. If only one authenticator is available on the device you are using, you won't be prompted.
- Follow the on-screen prompts on your device to allow the server web interface to access and use your authenticator.
- If registration succeeds, the interface shows ‘Two-Factor Authentication is currently enabled (WebAuthn)’.
Disabling MFA on your Server
A Comet Server admin may disable or update MFA methods. Please reach out to hello@cometbackup.com if you lose access to your authentication device and are unable to log in.
Steps to disable MFA:
- Log in to your Comet Account Portal and head to ‘My Account’ and select ‘Set Up Two Factor Authentication’.
- Select ‘Disable’ to remove your existing MFA.
Multi-Factor Authentication for Comet Backup Users
Time-based One-Time Password (TOTP) is supported as a multi-factor authentication method for Comet Backup end-users of the desktop software.
Role | Enabling TOTP for Comet Backup users | Disabling TOTP for Comet Backup users
---|---|---
Comet Server admin | No | Yes
Comet Backup users | Yes | Yes
TOTP can only be enabled in the Customer Portal by the end-users. Comet Server admin cannot enable TOTP for a user.
Steps to enable TOTP from the Customer Web Portal:
- Log in to your Customer Web Portal with the user's credentials.
- On the top right corner, click on the username and click on ‘My account’.
- Enable ‘Two-factor authentication (TOTP)’ by toggling it on.
- Scan the displayed QR code with any TOTP application or enter the code manually.
Recommended TOTP applications:
- Microsoft Authenticator (Android, iOS)
- Google Authenticator (Android, iOS)
- Aegis Authenticator (Android)
- 2FAS (Android, iOS, browser extension)
- Keeper (Android, iOS, browser extension, desktop application, web application)
- Bitwarden (Android, iOS, browser extension, desktop application, web application)
- Enter the six-digit code displayed on your TOTP application then click ‘Save’.
- Click on ‘Save changes’.
TOTP can be disabled either by the Comet Server admin or by Comet Backup users. If the user loses access to their authentication device, the admin can disable TOTP on their behalf.
Steps to disable TOTP from Comet Server
- Log in to your Comet Server then head to the 'Users' tab.
- Identify and select the user whose TOTP needs to be disabled.
- Select ‘Actions’ then ‘Disabled 2FA (TOTP)’ and then ‘Disable’.
Steps to disable TOTP from the Customer Web Portal
- Log in to your Customer Web Portal with the user's credentials.
- On the top right corner, click on the username and click on ‘My account’.
- Disable ‘Two-factor authentication (TOTP)’ by toggling it off then click ‘Save changes’.