- Created by Jenna Buttershaw, last modified on 24 Apr, 2024
MFA is due to be made available within your accessplanit platform end-April 2024.
Follow this page to understand what planning is required, and learn how you will set up your accessplanit platform to have MFA enabled for logins.
What is MFA?
Multi-Factor Authentication (MFA) is quickly becoming a standard in software!
MFA adds an extra layer of protection on top of the standard username and password: the user logging in not only needs a valid username and password, they also need to authenticate their login with an additional check that proves they are who they say they are!
There are a few different ways that this can be done. Some common approaches include: sending a one-time code to the user's phone or their email address, integrating with mobile app authenticators such as 'Google Authenticator', or using biometric data such as fingerprint scans.
MFA benefits
Enhanced Security
MFA provides an additional layer of security by requiring users to authenticate through multiple factors, typically something they know (password) and something they have (e.g., a mobile device or security token).
Even if a user's password is compromised, an attacker is still not able to access their account, as they would still need the second factor to gain access.
Mitigating Password Vulnerabilities
Passwords alone are susceptible to various attacks, such as brute force attacks and phishing.
MFA lowers these risks by requiring a second form of verification.
Meeting Compliance Requirements
Many regulatory standards and industry best practices (such as GDPR, HIPAA, and PCI DSS) recommend or even require the use of MFA to ensure that sensitive data is protected.
Follow this page to learn the steps to enable MFA within your accessplanit platform
About MFA in the accessplanit platform
MFA can be enabled in your platform by Super Administrators.
Your accessplanit platform authenticates logins using a one-time passcode, sent to the User’s email address, after they have entered a valid set of login credentials (username/email and password).
This means that Users need to know both their username and password to log in (authentication factor 1), and also prove that they have access to their inbox (authentication factor 2).
Please see this short video, which shows the MFA Login process from the standard login page:
Learner Portal MFA Authentication.mp4
If you enable MFA in your accessplanit platform, you can choose which types of Users require MFA on their logins (such as 'Training Administrators' only, or 'Training Administrators and Trainers'); this is based on the roles your Users have.
For these Users MFA will be present on every available login route, including the baskets, and it will appear for them:
Every time they log-in to your platform from a new browser/device
Every 120 days on familiar browsers/devices
The very first time that someone (who requires MFA) logs in after your MFA has been set up, they will first be prompted to set up MFA on their User account; this involves them confirming their email address. All subsequent logins that require MFA will take them through the standard MFA authentication process, where they will not be able to confirm/change their email address.
Please note
MFA does not work with Single Sign On logins, although most SSO Services have their own MFA options that you can enable.
This flowchart outlines the MFA Process:
MFA within the standard login pages
The MFA process will appear differently depending on which page you log in to. Please see the below short videos for a view of what MFA Authentication looks like on each of the major login routes.
🗒️ Plan
The first step of implementing MFA in your accessplanit platform is to plan when you would like to set it up, and who you would like to set it up for.
To plan your implementation of MFA you will follow these steps:
Decide which users you would like to implement MFA for
Decide what you would like your platform to be called within your MFA emails
Decide how you would like logins to work if the MFA Service is ever unavailable
Communicate with your team and customers
Decide which users you would like to implement MFA for
You can decide to require all users that log in to authenticate with MFA, or you can decide to set this up for groups of users only.
By default, MFA only applies to Training Administrators.
It is possible, however, for us here at accessplanit to change this: you may want MFA enabled for everyone, or for just Training Administrators and Super Administrators.
Determine which users you would like to login with MFA, you can choose any combination from the following:
Super Administrators
Training Administrators
Trainers with 'My Teaching' access
Customer Managers
Individuals
Speak to a member of the accessplanit team to have this put in place before you switch MFA on
Top tip
If a User has a role that requires MFA, they will be required to use MFA, even if it is not their ‘Main Role’.
For example, if a User is both a Super Administrator (main role) and a Training Administrator, and only Training Administrators are required to login with MFA, this User will be required to use MFA because they have the Training Administrator role assigned to them.
Decide what you would like your platform to be called within your MFA emails
You can change what your platform is referred to within the emails that are sent
To assure your MFA email recipients that the email they have received has come from your accessplanit platform, the name of your platform will be included in the subject and the body of the email. Please see where ‘Training Company’ is included within the below email example:
Determine what you would like your platform to be referred to
Speak to a member of the accessplanit team to have this put in place before you switch MFA on
Decide how you would like logins to work if the MFA Service is ever unavailable
You can decide how your login process will work, should the MFA Service ever be unavailable
There are two options for you to choose from, please review the below options and let a member of the accessplanit team know if you would like Option 2 to be applied to your platform.
Please note that you do not need to tell a member of the team if you would like to keep option 1.
Option 1 (this is the default behaviour)
When someone provides the correct login details and they do not need to authenticate their login, they will be logged into the platform
When someone provides the correct login details and they do need to authenticate their login (i.e. they are on a new device), they will be blocked from logging in while the MFA Service is unavailable; they will be shown a message which instructs them to try their login again in 5 minutes
Option 2
When someone provides the correct login details and they do not need to authenticate their login, they will be logged into the platform
When someone provides the correct login details and they do need to authenticate their login (i.e. they are on a new device), they will be able to bypass the MFA requirements while the MFA Service is unavailable and will be logged directly into the platform; they will be required to use MFA the next time they log in
Communicate with your team
Ahead of MFA being enabled, notify the users that will be affected.
We recommend letting your team know that MFA will be turned on, so that it is not a surprise to them when they have additional steps to complete for their login.
If you would like to use your accessplanit platform to let your team know, please follow these steps:
Open the ‘Users' DataGrid from your main navigation menu on the left
Find the Users that will have MFA turned on by applying filters and/or searching the Users DataGrid
Select the Users that you would like to contact
Click the mass actions drop-down button beside the select-all checkbox at the top left of your DataGrid, and click the 'Email' option
From the Email Details pop-up, change the Creation Type to ‘AdHoc’
Define your email’s Subject and Body
Click the ‘Send’ button to send your email to your selected Users
Enable MFA
This step will take you through enabling MFA in your accessplanit platform
Top tip!
You may want to enable MFA within your Sandbox environment first, to get familiar with the changes to the login process before you implement it onto your live platform.
If you do set up MFA on your Sandbox first, please let us know before you enable MFA on your live environment so that we can reset your authentications to work within your Live environment.
Enabling MFA is only accessible to Super Administrators
Once you have completed the above steps, you will be ready to enable MFA in your platform
Open the ‘Administration’ menu from the Profile options at the top-right of your platform
Open the ‘Security Options’ menu option to access the page where you can enable MFA
Scroll down to the ‘MFA’ section on the Security Options page
Check the 'MFA Enabled' checkbox
Click ‘Save’ at the top of your page to save your changes
While you remain logged in to the platform, ask a different member of your team (they should meet your MFA Requirements) to logout
Ask that team member to log back in, and ensure that they are able to successfully use the MFA pages to set up MFA on their account and log back into your platform
FAQs
Why is accessplanit’s MFA not available for my Users that login with SSO?
When a User logs in with Single Sign On (SSO) they bypass the accessplanit login process, and login using their SSO Service instead of entering their accessplanit username and password. As accessplanit’s MFA functionality requires users to first enter a correct username and password, it is not possible to kick-off MFA for users that login via SSO. However most SSO services also offer an MFA option, so please get in touch with your infrastructure/IT team to investigate this.
Why are users able to change their email address the first time they login with MFA?
As the MFA requires email, it is important that your users can supply an email address if they do not yet have one, or correct any mistakes/typos in their email address if they do already have an email address stored.
What will happen if I enter too many incorrect codes when I try to login?
After 5 incorrect codes your User account will be locked; this behaves the same as an account locked from entering too many incorrect passwords.
How long are the codes valid for?
Each code that is emailed is valid for 15 minutes from the time of the request.
Can I request a new code if my email has not come through, or I took over 15 minutes?
Yes - each User can have up to 3 codes within a 24 hour period.
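As an added illustration (not accessplanit's own code), the following Python models the one-time-passcode rules described in these FAQs: codes valid for 15 minutes, at most 3 codes per User in 24 hours, and a lockout after 5 incorrect codes. Treating the limits as per-user counters and accepting only the most recently issued code are assumptions of the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Limits as stated in this page's FAQs; per-user counting and "only the latest code is valid" are assumptions.
CODE_TTL_SECONDS = 15 * 60          # each emailed code is valid for 15 minutes
MAX_CODES_PER_WINDOW = 3            # at most 3 codes per User ...
CODE_WINDOW_SECONDS = 24 * 60 * 60  # ... within a 24-hour period
MAX_WRONG_ATTEMPTS = 5              # 5 incorrect codes lock the account

@dataclass
class MfaState:
    """Per-user MFA bookkeeping; 'now' values are seconds since an arbitrary epoch."""
    pending: object = None                          # (code, issued_at) awaiting a check, or None
    issue_times: list = field(default_factory=list)  # when codes were issued, for the 24h limit
    wrong_attempts: int = 0
    locked: bool = False

def request_code(state, now):
    """Issue a fresh 6-digit code for the caller to email, or None when the account is locked
    or the 24-hour issue limit has been reached."""
    if state.locked:
        return None
    state.issue_times = [t for t in state.issue_times if now - t < CODE_WINDOW_SECONDS]
    if len(state.issue_times) >= MAX_CODES_PER_WINDOW:
        return None
    code = f"{secrets.randbelow(10**6):06d}"   # cryptographically random, zero-padded
    state.pending = (code, now)
    state.issue_times.append(now)
    return code

def verify_code(state, submitted, now):
    """Check a submitted code; returns one of: ok, wrong, expired, no_code, locked."""
    if state.locked:
        return "locked"
    if state.pending is None:
        return "no_code"
    code, issued_at = state.pending
    if now - issued_at > CODE_TTL_SECONDS:
        state.pending = None                   # an expired code can never be redeemed
        return "expired"
    if hmac.compare_digest(code.encode(), submitted.encode()):  # constant-time compare
        state.pending = None                                    # a code is single-use
        state.wrong_attempts = 0
        return "ok"
    state.wrong_attempts += 1
    if state.wrong_attempts >= MAX_WRONG_ATTEMPTS:
        state.locked = True                    # same effect as too many wrong passwords
        return "locked"
    return "wrong"
```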
We have turned off all emails from our platform, will the MFA emails still send when people are trying to log in?
Yes - the MFA emails are managed separately from your standard platform emails, so they will still send even when emails are turned off; this includes on test/sandbox environments.
Can I change the styling of the one-time-passcode email?
There are no styling options available for the email; however, it has been designed to be as lightweight and user-friendly as possible to support your Users with logging into the platform quickly.
Can I decide which Users need to log-in with MFA and which do not?
Yes - MFA can be set up to only apply to users based on their role within the platform, for example you can set up MFA to only kick-in for Training Administrators and Super Administrators. Please see the “Decide which users you would like to implement MFA for” section above for more information on this.
Why did accessplanit choose to use email as the additional authentication method?
We chose email as the additional authentication method primarily to make the MFA functionality as accessible as possible!
Email has the most widespread availability as most people have an email account, this makes email MFA accessible to a large audience without requiring any additional downloads or installations, which authenticator apps require. Email is also a very familiar format, which makes it an intuitive (and not very daunting!) option for users who are not confident downloading and using new applications.
Compared to SMS, emails do not depend on cellular networks, which means email is more reliable in areas with poor network coverage. MFA through email also does not have the vulnerability of SIM swapping attacks, where attackers fraudulently take control of a victim's phone number.
Finally, with MFA through email, we can take advantage of the additional security features that many email providers offer; such as email encryption, spam filters, and suspicious activity alerts, which enhances the overall security of the authentication process.
Can I change the length of time for Users to reauthenticate?
Not at this time, Users will be asked to re-authenticate every 120 days or every time they use a new device.
Are there plans to implement any alternatives to email, such as an authenticator app?
Not at this time, please let your Customer Success Manager know if this would be a useful addition for you