Configuring multi-factor authentication (MFA)
Updated by Bhavik
Multi-factor authentication (MFA) is a security feature that requires users to provide two or more forms of identification before they can access their account. This additional layer of security helps protect user accounts from unauthorised access by requiring something the user knows (such as a password) and something the user has (such as a mobile device or security key).
The adoption of MFA is common in software applications and is encouraged as best practice by cyber security experts. The UK Government treats it as a standard software tool in its Cyber Essentials Scheme.
To learn more about MFA, see this explainer.
Turning on multi-factor authentication
You can turn on MFA for all users in your organisation in one step. Only Customer administrators can do this.
- Head to Apps in the menu, click on System Settings, then Organisations.
- Click Edit on the right-hand side of your organisation.
- Navigate to the Authentication tab. Turn on Requires MFA. Then click Update organisation.
Multi-factor authentication will now be turned on for all users in your organisation.
Choosing authentication methods
Authenticator app
Advanced Single Sign-on supports MFA through authenticator apps such as Google Authenticator or Microsoft Authenticator. This is the default authentication method.
Authenticator apps are more secure because the person accessing the account has to be in physical possession of the mobile device, as well as knowing the password to the account. We strongly recommend using authenticator apps in the first instance.
There is also an option to allow users to choose email as an alternative to an authenticator app for MFA. If a user chooses email as their MFA method, a verification code is sent to the email address on the user's account. This option may be preferable for users who don't have access to mobile devices.
If you decide to allow your users to use email for MFA, you should ensure that they are using a different password for their email and Advanced account, and that they use MFA when accessing their email account.
Customer administrators can enable the Email MFA method for all users in their organisation in one step by selecting the 'Email MFA default' option. Once enabled, the Email MFA method will automatically be selected as the MFA method for any newly created user accounts.
Even if the 'Email MFA default' option is not selected at the organisation level, User Admins and Customer Admins can still enable the Email MFA method for specific individual profiles by selecting the 'Allow email MFA' option under the MFA method.
Security questions
If users opt to use email MFA, they will be required to answer a security question. They will need to provide the same answer in order to reset their password. This is to ensure their account stays secure, as it protects their account in the event their email account is compromised.
You can see the different login journeys for users based on the organisation settings in these articles:
Bulk Edit
Email MFA can be enabled or disabled for multiple users at once using the bulk edit feature. Simply select the users and set the 'Allow email MFA' option.
Remember MFA
The Remember MFA setting improves the user experience for your users by reducing the frequency of MFA requests.
When this setting is enabled, users in your organisation will see a checkbox during the login process labelled Remember this device. If a user selects this option, for the next 30 days they can log in from the same device and browser and not be prompted for MFA again.
Inactivity period - It's important to note that if a user has a period of inactivity lasting 7 days or more within the 30-day window, the Remember this device status will be reset and they will be asked for MFA when they next log in.
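The two rules above (a 30-day trust window, cut short by 7 or more days of inactivity) are easy to get wrong at the boundaries, so here is an added illustration of how a server can apply them. This is example code written for this page, not Advanced's implementation; the RememberStore class, the cookie-token handling and the constructed timeline in the demo functions are assumptions, and only the 30-day and 7-day values come from the text.

```python
"""Remember-this-device policy: added illustration of the 30-day window and
7-day inactivity rule (not Advanced's code; names and token handling are
assumptions)."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REMEMBER_WINDOW = timedelta(days=30)   # device stays remembered for 30 days...
INACTIVITY_LIMIT = timedelta(days=7)   # ...unless it goes unused for 7 days or more


@dataclass
class RememberedDevice:
    remembered_at: datetime  # when the user ticked "Remember this device"
    last_seen: datetime      # last successful login from this device/browser


class RememberStore:
    """Server-side record of remembered devices, keyed by a SHA-256 hash of the
    cookie token so that a copy of the store does not yield usable cookies."""

    def __init__(self) -> None:
        self._devices: dict[str, RememberedDevice] = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def remember(self, now: datetime) -> str:
        """Called after a successful MFA login with the box ticked. Returns the
        raw token to set in a browser cookie (HttpOnly, Secure)."""
        token = secrets.token_urlsafe(32)
        self._devices[self._key(token)] = RememberedDevice(now, now)
        return token

    def mfa_required(self, token: str | None, now: datetime) -> bool:
        """Decide whether this login needs an MFA prompt. Refreshes last_seen
        while the device is still trusted and forgets it once it has expired."""
        if token is None:
            return True                      # no cookie: always prompt
        device = self._devices.get(self._key(token))
        if device is None:
            return True                      # unknown or already-expired token
        expired = (
            now - device.remembered_at >= REMEMBER_WINDOW   # 30-day window over
            or now - device.last_seen >= INACTIVITY_LIMIT   # 7+ days of inactivity
        )
        if expired:
            del self._devices[self._key(token)]  # user must re-tick the box
            return True
        device.last_seen = now
        return False


def demo_inactivity() -> list[bool]:
    """Constructed timeline: active on days 3 and 6, then idle until day 13.
    Returns the MFA-required decision at each login."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    store = RememberStore()
    token = store.remember(t0)
    return [
        store.mfa_required(token, t0 + timedelta(days=3)),   # False: trusted
        store.mfa_required(token, t0 + timedelta(days=6)),   # False: trusted
        store.mfa_required(token, t0 + timedelta(days=13)),  # True: 7 days idle
    ]


def demo_rolling() -> list[bool]:
    """Constructed timeline: regular use every few days keeps the device trusted
    right up to day 29, but the 30-day window still ends on day 31."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    store = RememberStore()
    token = store.remember(t0)
    decisions = [store.mfa_required(token, t0 + timedelta(days=d))
                 for d in (5, 10, 15, 20, 25, 29)]
    decisions.append(store.mfa_required(token, t0 + timedelta(days=31)))
    return decisions
```

Note that activity only extends the inactivity clock, never the 30-day window: the user is prompted again on day 31 no matter how often they logged in, which is what keeps a stolen cookie from being useful indefinitely.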
No more unnecessarily interrupting your workflow by entering MFA codes every time you log in. You can focus on what truly matters without interruptions. Plus, this feature ensures that your accounts are still adequately protected against unauthorised access, even after the initial MFA login.
We understand how important it is to strike a balance between security and ease of use. With Remember MFA, we're giving you the best of both.
Reset MFA
You may occasionally need to reset MFA settings for a user, for example if they were using an authenticator app and have lost their phone.
Both Customer and User administrators can reset MFA settings for users.
You can do this by going to the user details, then clicking Reset MFA settings. This will remove the current authentication configuration that the user has set up.
The next time the user attempts to log in, they will need to go through the setup process for MFA again. Once a user's MFA settings have been reset, any verification code entered from their old configuration will be rejected. They will need to scan the QR code or manually set up MFA on the authenticator, which will then provide them with a valid verification code.
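To show why a code from the old authenticator entry stops working after a reset, here is an added example of the time-based one-time password scheme (RFC 6238 TOTP) that Google Authenticator and Microsoft Authenticator implement, together with the otpauth:// URI that an enrolment QR code encodes. This is illustrative code written for this page, not Advanced's implementation; the MfaEnrolment class, the "Advanced SSO" issuer label, the account name and the fixed secrets and timestamp in the demo are assumptions (the first secret is the RFC 6238 test key).

```python
"""TOTP (RFC 6238) as used by authenticator apps, and what resetting an
enrolment does to previously issued codes. Added illustration, not Advanced's
code; MfaEnrolment, the issuer label and the demo values are assumptions."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic
    truncation to a 31-bit integer, reduced to the requested number of digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(key, unix_time // step, digits)


def verify_totp(key: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate
    clock drift between phone and server; compare in constant time."""
    counter = unix_time // 30
    return any(
        hmac.compare_digest(hotp(key, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI the enrolment QR code encodes. The base32 secret is
    also what a user types when setting up the authenticator manually."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&digits=6&period=30")


class MfaEnrolment:
    """One user's authenticator enrolment (hypothetical class mirroring the
    reset behaviour described on the page)."""

    def __init__(self, account: str, secret: bytes | None = None) -> None:
        self.account = account
        self.secret = secret or secrets.token_bytes(20)   # 160-bit shared secret

    def verify(self, code: str, unix_time: int) -> bool:
        return verify_totp(self.secret, code, unix_time)

    def reset(self, new_secret: bytes | None = None) -> str:
        """Administrator's 'Reset MFA settings': the old secret is discarded, so
        codes from the old authenticator entry no longer verify. Returns the new
        provisioning URI for the QR code the user scans on next login."""
        self.secret = new_secret or secrets.token_bytes(20)
        return provisioning_uri(self.secret, self.account, "Advanced SSO")


def demo_reset() -> tuple[bool, bool, bool]:
    """Constructed secrets and a fixed timestamp. Returns (old code accepted
    before reset, old code accepted after reset, new-entry code accepted)."""
    old_secret = b"12345678901234567890"   # constructed: RFC 6238 test key
    new_secret = b"09876543210987654321"   # constructed
    now = 1111111109
    enrolment = MfaEnrolment("alice@example.com", old_secret)
    old_code = totp(old_secret, now)       # what the lost phone would display
    before = enrolment.verify(old_code, now)
    enrolment.reset(new_secret)
    after_old = enrolment.verify(old_code, now)
    after_new = enrolment.verify(totp(new_secret, now), now)
    return before, after_old, after_new
```

The code a phone displays is a function of the shared secret and the current time only, so once the server has replaced the secret there is nothing the old entry can produce that will match; the user has to scan the new QR code (or type the new base32 secret) so both sides share the same key again.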
In some cases you may need to reset MFA settings for a number of users. You can do this in one process by using the bulk import functionality.