1) Overview
Clicking on the button containing the user's name, on the top right of the MEETS admin portal, displays the admin options for setting their account settings on the admin portal (elaborated on below), view their recent logins, change their password and log out.
2) Account settings
The account settings include setting one's preferred theme for the admin portal, configuring their preferred language, and their authentication configuration elaborated upon below.
The authentication configurations offers extra levels of security as follows:
a) Prevent capture-replay attacks with an extra HTTP authentication step:
MEETS Administration is accessed via HTTPS and is normally safe from capture-replay attacks. However if one is in a situation with passive HTTPS interception, which will allow for such attacks, this option will be able to mitigate them. Enabling this option will add an additional step to the login process requiring one to copy and paste a temporary password into an HTTP digest authentication prompt.
Note: If you are concerned about active HTTPS attacks, this option will not suffice. You will need to configure your internet connection and/or your web browser to use a virtual private network (VPN) with Internet Protocol Security (IPsec) or WireGuard, or a secure socket proxy (SOCKS).
Note: Changing this setting will only take effect upon the next log in
b) Require password:
This option forces one to use a password even if other authentication methods are enabled.
c) Require Web Authentication / hardware key (WebAuthn / FIDO2 / U2F):
One can setup a single as well as multiple hardware keys, which can be used interchangeably. It supports Windows Hello and Apple Touch ID. It is recommended to keep at least one backup key in a safe place.
d) Require Time-based One-Time Password (TOTP)
This option enables requiring a one time password from platform authenticators. One can configure the TOTP code via a scannable code, URI or parameters.
e) Amount of authentication factors required:
Multi-factor authentication with two or three factors can be set.
One can configure a number of authentication methods, and set the amount requirement to only one factor, and as such, when logging in one will get a choice of methods to choose from.
f) Recovery Code:
You can create a single-use recovery code, that when used, it will remove all authentication requirements from your account.
Note: If you choose to create a recovery code, keep it in a safe place.
Another method to remove all authentication requirements, is by having an admin on the MEETS platform with permissions to manage other admins, go to the "administrators" tab, and click on the button to remove the authentication requirements from this admin. For more information on this, please the article about managing administrators.
3) Viewing recent logins:
One can view the history of the login times, the authentication factors used to log in (please see above), the IP address, the User Agents, TLS version, TLS Cipher Suite, and see whether the session is active.
One can disable active sessions that another browser or device is using, by clicking on the "Yes, Deactivate button" in the "Session Active" column.