Looker provides two-factor authentication as an additional layer of security to protect data accessible via Looker. With two-factor authentication enabled, every user must authenticate using a one-time code generated by their mobile device when logging in. The Two-Factor Authentication page in the Authentication section of the Admin menu lets you enable and configure two-factor authentication.
Two-factor authentication does not affect Looker API use.
Using Two-Factor Authentication
Below is the high-level workflow for setting up and using two-factor authentication. Note the Time Synchronization Requirements, which must be met for two-factor authentication to operate correctly.
1. Administrator enables two-factor authentication in Looker’s Admin settings.
2. Individual users install the Google Authenticator iPhone app or Android app on their mobile devices.
3. At first login, users will be presented with a picture of a QR code on their computer screen, which they will scan with their phone using the Google Authenticator app. After doing so they will be able to generate authentication keys for Looker.
4. On subsequent logins to Looker, users will need to enter an authentication key after submitting their username and password.
If a user enables the This is a trusted computer option, the key authenticates the login browser for a 30-day window. During this window the user can log in with username and password alone. Every 30 days Looker requires each user to re-authenticate the browser with Google Authenticator.
Time Synchronization Requirements
Google Authenticator produces time-based tokens, which require time synchronization between the Looker server and each mobile device in order to work. To synchronize time sources:
- Set mobile devices for automatic time synchronization with the network.
- For customer-hosted Looker deployments, ensure that NTP is running and configured on the server. If the server is provisioned on AWS, you might need to explicitly allow NTP in the AWS Network ACL.
- A Looker admin can set the maximum allowed time-drift in the Looker Admin panel, which defines how much of a difference is permitted between the server and mobile devices. If a mobile device’s time setting is off by more than the allowed drift, authentication keys will not work. The default is 90 seconds.
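The effect of the allowed time-drift can be seen in a small verifier. This is an added example, not Looker's code: it implements standard TOTP (RFC 6238, 30-second steps, 6 digits, HMAC-SHA1, the Google Authenticator defaults) and assumes the drift setting is applied as a window of whole time steps around the server clock. The secret and timestamps are constructed.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown by Google Authenticator


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) computed over the time-step counter."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, submitted: str, server_time: int,
           max_drift: int = 90) -> bool:
    """Accept a code from any time step within max_drift seconds of the server.

    Assumption: drift is rounded down to whole steps, so 90 s means the
    current step plus three steps on either side (seven candidate codes).
    """
    steps = max_drift // STEP
    server_counter = server_time // STEP
    ok = False
    for delta in range(-steps, steps + 1):
        candidate = totp(secret, (server_counter + delta) * STEP)
        # Constant-time compare; do not return early on a match.
        ok |= hmac.compare_digest(candidate, submitted)
    return ok


if __name__ == "__main__":
    secret = b"12345678901234567890"   # constructed (RFC 6238 test key)
    server_now = 1_700_000_000         # constructed server clock
    for skew in (0, -60, -120):        # phone clock relative to server
        code = totp(secret, server_now + skew)
        print(f"phone skew {skew:+4d}s -> accepted: "
              f"{verify(secret, code, server_now)}")
```

In this model a larger drift setting increases the number of codes that are valid at any instant, so raising it to work around unsynchronized clocks also widens the window in which an observed code can be reused; fixing NTP is the better remedy.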