
Configuring two-step verification

Important:

This topic is intended for customers that have Autodesk Accounts (that is, whose Flow Production Tracking sites have been migrated). For more information about using two-factor authentication with sites prior to migrating to Autodesk Accounts, or when using Legacy Logins and Passphrases for authentication, see this section instead.

Enforcing 2-factor authentication for users

As a site administrator, you can force users to enable 2-Factor Authentication (2FA) on their Autodesk Account in order to sign in to your Flow Production Tracking site. By activating the Enforce Two-Factor Authentication for Autodesk ID preference, you prevent users from connecting to the site unless they have also configured 2FA on their Autodesk Account.

Note:

Enforce Two-Factor Authentication for Autodesk ID enforces 2FA only for Autodesk ID sign-ins from non-SSO sessions. For Autodesk ID sign-ins from SSO sessions, 2FA must be configured by your SSO administrator in your Identity Provider.

Enforce Two-Factor Authentication for Autodesk ID is found in the Site Preferences > Security settings.

[Screenshot: location of the Enforce Two-Factor Authentication for Autodesk ID security setting]

Configuring 2FA for your account

Configuring 2FA for your account is a good security practice. You can configure your 2FA settings from https://profile.autodesk.com/.

[Screenshot: 2FA deactivated for the user account]

[Screenshot: 2FA activated for the user account]

To learn more, see Set up two-step verification.

Site expiry

Learn about configuring your site expiry here. A session is considered expired if its last update was more than 1 hour/day/week in the past, depending on how this security setting is configured. Every time you interact with Flow Production Tracking, the session is updated. Thus, the session's expiration gets pushed back as the user interacts with the software.

When accessing Flow Production Tracking with a session generated from the API, sessions are subject to this session expiration setting.

Sessions in a web browser, initiated by logging in with Autodesk Identity, are controlled differently. In that case, it is the Autodesk Identity session duration that controls the session expiry (based on your browser cookies). These Autodesk Identity sessions are valid for 13 days. That said, if Flow Production Tracking redirects the user back to Identity to validate their session, they will need to re-authenticate.

For 2FA tokens requested with API connections, this setting is specific to Flow Production Tracking's authentication, and independent of Autodesk Identity's. You can enable/disable this with this Security setting in Site Preferences. If you are able to securely identify the user requesting a new session, then the 2FA may be unnecessary.
