Multi-Factor Authentication (also termed Two-Factor Authentication or 2FA) is an authentication method in which a user is granted access to the Platform instance only after successfully presenting two pieces of evidence (or factors):
Knowledge (Known to the user) - Password (Login Credentials)
Possession (Possessed by the user) - Security Token (generated from any third-party authenticator app)
This mechanism provides an extra layer of security by protecting the user from an unknown person breaking in to gain access to the Platform instance.
A third-party authenticator mobile application such as Authy or Google Authenticator enables two-factor authentication, usually by showing a randomly generated, constantly refreshing code to use for authentication.
This authentication mechanism applies only to user profiles that are authenticated via Password. It does not apply to users tied to any other authentication profile, such as SAML, Kerberos or LDAP.
If a user profile has both security questions and Multi-Factor Authentication enabled, the Multi-Factor Authentication verification takes precedence.
First Time Configuration
Once Multi-Factor Authentication is enabled for a user, on the user's subsequent login the user is shown a QR code, which has to be scanned for the first-time configuration.
The user can scan the QR code or type the Client Secret key in any third-party authenticator app (Authy/Google Authenticator) installed on the user's smartphone to initiate the configuration.
A security token (as seen in the image above) is generated, which needs to be entered in the Verification Code field of the login screen to complete the login to Platform.
This completes the user's first-time configuration for Multi-Factor Authentication.
Once Multi-Factor Authentication is successfully configured, anytime the user logs into Platform using the User Name and Password, the MFA verification screen is displayed as seen below.
Enter and submit the security token generated from the registered third-party authenticator application to complete the login.
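The enrollment and verification steps above, sketched as an added example (not the Platform's own code). It assumes the Client Secret is a Base32 key used for standard TOTP (RFC 6238), which is what Authy and Google Authenticator compute. The otpauth URI, the 30-second step, the one-step drift window and all function names are assumptions.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: what an enrollment QR code would typically encode.
# The secret is the RFC 6238 test key, not a real credential.
SAMPLE_URI = ("otpauth://totp/Platform:alice"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Platform")

def secret_from_uri(uri):
    """Extract the Base32 shared secret from an otpauth:// enrollment URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    b32 = parse_qs(u.query)["secret"][0].replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

def totp(key, counter, digits=6):
    """Code for one time-step counter (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(key, submitted, now, last_used, step=30, drift=1):
    """Server-side check. Returns the accepted time step, or None.

    Accepts the current step plus/minus `drift` steps for clock skew.
    Steps at or before `last_used` are refused, so a code that was
    observed once cannot be replayed inside its validity window.
    """
    current = int(now) // step
    for counter in range(current - drift, current + drift + 1):
        expected = totp(key, counter).encode()
        # Constant-time comparison avoids leaking how many digits matched.
        if counter > last_used and hmac.compare_digest(expected, submitted.encode()):
            return counter
    return None

if __name__ == "__main__":
    key = secret_from_uri(SAMPLE_URI)
    print(verify(key, "287082", now=59, last_used=0))
```

The caller stores the returned step as the user's new `last_used` value after a successful login.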
A user can reset their own account's MFA from the Change My Password page. See Reset MFA from Change My Password for more information. A MASTER or TENANT administrator can also reset any user's MFA from the User(s) Record List view page.
To reset MFA for user(s), the MASTER or TENANT administrator can select the desired user(s) from the User Record List view page.
From the Group Actions menu, select Reset MFA.
A confirmation is requested on attempting to reset the user MFA. Once confirmed, an email notification with instructions to reset the MFA is sent to the selected user(s).