Using Two-Factor Authentication
The use of, and often non-negotiable requirement for, two-factor authentication methods has become a staple of modern IT environments, and your printing system should by no means be an exception. Large amounts of often sensitive data pass through these networks on a daily basis, and robust security is vital.
MyQ has a variety of two-factor authentication options, whether authenticating at a physical terminal, in a mobile app, or via our Desktop Client. Authentication methods include physical ID cards, passwords, PINs, QR codes and authenticator apps, allowing you to keep your data safe in a manner that suits your organization.
Two-Factor on Embedded Terminals
Standard Login Methods
Authentication on the Embedded Terminals is configured in Settings → Printers & Terminals → Configuration Profiles, in the respective configuration profile, on the Terminal tab.
In the Login methods settings, the following Two-factor authentication options are available:
ID Card and PIN: in this method, the user first presents their ID Card to the reader, and when successfully authenticated, they are asked to confirm login by typing their PIN code.
ID Card and password: Similarly to the previous option, after an ID Card is read on the device, the user must type in their password to successfully authenticate.
Using these methods, the user provides two factors, thus allowing for secure identification. PIN codes can be issued as temporary to protect further against their misuse.
Authentication with Mobile Client
In Settings → Printers & Terminals, the use of a QR Code can be enabled as well as set to be the default login method on the Embedded Terminal (in such a case, it is displayed first on the screen instead of the methods configured in the configuration profile).
Users need the MyQ X Mobile Client installed on their smartphone to use a QR Code for authentication. In the application, the user signs in with their MyQ account.
The credentials used depend on how they authenticate towards MyQ. The options are:
MyQ-managed credentials (PIN created/synchronized or password created internally).
An authentication Server such as Active Directory, OpenLDAP, Novell, etc. If users were assigned an authentication server when they were created or synchronized, MyQ authenticates them against the remote identity provider over LDAP.
If the user is authenticated against an authentication server, these credentials are not synchronized or ever stored in MyQ.
With the user account signed in, users can select Log In in the mobile application which prompts them to read a QR Code displayed on the Embedded Terminal which unlocks the printer panel.
Biometric Lock
Biometric methods such as Face ID on iPhones or fingerprint readers on Android phones can be used to secure access to the mobile application. Authentication will be required when opening the app, preventing unauthorized access if the device is accessed by someone other than the MyQ user.
In this scenario, the user uses biometric recognition together with a physical device with their MyQ account logged in, effectively increasing the level of security during authentication.
Example: Secure Authentication with Mobile Client
John enabled Two-factor authentication in his organization’s printer configuration profiles, set to ID Card and PIN. On top of that, he set QR Code login to be the default login method on the Embedded Terminal.
The majority of users in John’s organization by default do not require any PIN codes or passwords. MyQ X Mobile Client is their primary way of authenticating on devices.
As John’s organization uses Microsoft 365 services and is managed by Entra ID, each user has logged in to the mobile app with their Microsoft account, and during this process, they were also verified through Microsoft Authentication by typing a security code.
The mobile application now acts as their “key” to authenticate on Embedded Terminals by reading the presented QR Code, and in order to do so, they are further verified each time they open the Mobile Client with facial recognition or their fingerprint.
Two-Factor in MyQ Desktop Client
Organizations using Microsoft 365 services can largely benefit from enabling the Sign in with Microsoft login method in the Desktop Client. Users using an Entra ID authentication server in MyQ and with two-factor authentication enabled for their Entra ID account will be prompted to verify their identity in the client with their authenticator application.
In Settings > MyQ Desktop Client, open the configuration profile for which you want to configure authentication methods; you can do this for all profiles or only those that apply to computers where you require this type of authentication.
In Login methods, select Sign in with MyQ, and save the profile.
The next time users in your organization are prompted to sign in with the Desktop Client, for example when printing, they will be presented with a MyQ login screen from which they can continue with the Microsoft sign-in.