Multi-Factor Authentication

Multi-Factor Authentication (MFA), also known as Two-Factor Authentication (2FA), is an authentication method that grants users access to the platform only after successfully verifying two independent authentication factors. This enhances security by adding an extra layer of protection against unauthorized access.

MFA typically involves:

  • Knowledge Factor (Something the user knows): Password (Login Credentials)

  • Possession Factor (Something the user has): Security Token (Generated via a third-party authenticator app such as Authy or Google Authenticator)

Implementing MFA significantly reduces the risk of unauthorized access, ensuring better security for user accounts and platform data.

Third-Party Authenticator Apps

Users can enable MFA using third-party authenticator applications like Authy or Google Authenticator. These apps generate a short-lived security code, refreshed at regular intervals, that is required for authentication.

Note: MFA is available for configuration on every tenant by default.

Prerequisites

MFA is applicable only if user authentication is based on a password. It is not applicable to users authenticated through other methods such as SAML, Kerberos, or LDAP.

If a user has both security questions and MFA enabled, MFA takes precedence over security question verification.

First-Time Configuration

Once MFA is enabled for a user, the next login will prompt the user to configure it by scanning a QR code or manually entering a Client Secret Key in an authenticator app.

To set up MFA for the first time:

  1. Scan the QR Code displayed on the login screen using an authenticator app (e.g., Authy or Google Authenticator).

  2. Alternatively, manually enter the Client Secret Key into the authenticator app.

  3. The authenticator app will generate a security token (one-time password).

  4. Enter this security token in the Verification Code field on the login screen.

  5. After successful verification, MFA setup is complete.

Login Verification

Once MFA is configured, users must verify their identity every time they log in by entering the security token generated from their registered authenticator app.

To log in to the platform with MFA:

  1. Enter your Username and Password.

  2. On the MFA verification screen, enter the security token generated by your authenticator app.

  3. Click Submit to complete the login process.

Configuring Multi-Factor Authentication

The Master Administrator can globally manage MFA settings by modifying the userMFA properties under security levels.

To configure MFA, do the following:

  1. Navigate to Control Panel > Configuration > Security Level.

    (Screenshot: Security Levels)

  2. Locate the userMFA property.

  3. Set userMFA to:

    • true to enable MFA

    • false to disable MFA

  4. Click Save to apply the changes.

Note: The High and Very High security levels have userMFA enabled by default. However, this setting can be manually switched off from the Authentication Profile or Security Level, if required.

Enabling Multi-Factor Authentication

Administrators can enable MFA for specific authentication profiles.

To enable MFA for any user:

  1. Navigate to Setup Home > Administration Setup > Authentication.

  2. Select the Authentication Profiles section.

    Note: MFA applies only to Password Authentication Profiles.

    (Screenshot: Authentication profiles enabled with MFA)

  3. From the Security Level dropdown, choose:

    • Low

    • Medium

    • High

    • Very High

    These levels are predefined in the Control Panel and determine whether MFA is enabled by default.

  4. Users can override this setting by manually enabling or disabling MFA using the MFA checkbox.

    (Screenshot: MFA checkbox)

  5. Click Save to enable MFA.

  6. If you disable MFA, a warning message may appear, highlighting potential security risks.

    (Screenshot: Disable MFA Warning)

Resetting Multi-Factor Authentication

Users can reset their MFA settings if they lose access to their authenticator app.

MFA reset can be done by any of the following methods:

  1. Self-Service Reset: Users can reset their MFA via the Change My Password page. See Reset MFA from Change My Password for more information.

  2. Administrator Reset: MASTER or TENANT administrators can reset MFA for users from the User Record List View.

To reset MFA for any user, the administrator can do the following:

  1. Navigate to the User Record List View.

  2. Select the desired user(s).

  3. From the Group Actions menu, select Reset MFA.

  4. Confirm the Reset action.

  5. The user(s) will receive an email notification with instructions to reset MFA.

Note: Every password user within a tenant receives an email notification upon an MFA reset. This email template, named resetMFANotification, is available under the User Object and can be customized if needed.