Implement multi-factor authentication (MFA) into your platform

Steps to implement MFA:


MFA is due to be made available within your accessplanit platform end-April 2024.

Follow this page to understand what planning is required, and learn how you will set up your accessplanit platform to have MFA enabled for logins.

What is MFA?

Multi-Factor Authentication (MFA) is quickly becoming a standard in software!

MFA adds an extra layer of protection on top of the standard username and password: the user logging in needs not only a valid username and password, they also need to authenticate their login with an additional check that they are who they say they are!
There are a few different ways that this can be done. Some common approaches include: sending a one-time code to the user’s phone or their email address, integrating with mobile app authenticators such as 'Google Authenticator', or using biometric data such as fingerprint scans.

MFA benefits

  • Enhanced Security
    MFA provides an additional layer of security by requiring users to authenticate through multiple factors, typically something they know (password) and something they have (e.g., a mobile device or security token).
    Even if a user's password is compromised, an attacker is still not able to access their account, as they would still need the second factor to gain access.

  • Mitigating Password Vulnerabilities
    Passwords alone are susceptible to various attacks, such as brute force attacks and phishing.
    MFA lowers these risks by requiring a second form of verification.

  • Meeting Compliance Requirements
    Many regulatory standards and industry best practices (such as GDPR, HIPAA, and PCI DSS) recommend or even require the use of MFA to ensure that sensitive data is protected.

Example MFA code email (image)

Follow this page to learn the steps to enable MFA within your accessplanit platform


About MFA in the accessplanit platform

MFA can be enabled in your platform by Super Administrators.

Your accessplanit platform authenticates logins using a one-time passcode, sent to the User’s email address, after they have entered a valid set of login credentials (username/email and password).

This means that the Users need to know both their username & password to log in (authentication factor 1), and also prove that they have access to their inbox (authentication factor 2).

Please see this short video, which shows the MFA Login process from the standard login page:


Learner Portal MFA Authentication.mp4

If you enable MFA in your accessplanit platform, you can choose which types of Users require MFA on their logins (such as ‘Training Administrators’ only, or ‘Training Administrators and Trainers’); this is based on the roles your Users have.
For these Users, MFA will be present on every available login route, including the baskets, and it will appear for them:

  • Every time they log in to your platform from a new browser/device

  • Every 120 days on familiar browsers/devices

The very first time that someone (who requires MFA) logs in after your MFA has been set up, they will first be prompted to set up MFA on their User account; this involves them confirming their email address. All subsequent logins that require MFA will take them through the standard MFA authentication process, where they will not be able to confirm or change their email address.

Please note

MFA does not work with Single Sign On logins, although most SSO Services have their own MFA options that you can enable.


This flowchart outlines the MFA Process:

MFA within the standard login pages

Please see the videos below for a view of what MFA Authentication looks like on each login route.

The MFA process will appear differently depending on which page you log in to; here are some short videos to show you the MFA Authentication process across the major login routes.


Plan

To plan your implementation of MFA you will follow these steps:

  1. Decide which users you would like to implement MFA for

  2. Decide what you would like your platform to be called within your MFA emails

  3. Decide how you would like logins to work if the MFA Service is ever unavailable

  4. Communicate with your team and customers

Decide which users you would like to implement MFA for

You can decide to push all users that log in to authenticate with MFA, or you can decide to set this up for groups of users only.


  1. Determine which users you would like to log in with MFA. You can choose any combination from the following:

    1. Super Administrators

    2. Training Administrators

    3. Trainers with 'My Teaching' access

    4. Customer Managers

    5. Individuals

  2. Speak to a member of the accessplanit team to have this put in place before you switch MFA on.


Decide what you would like your platform to be called within your MFA emails

You can change what your platform is referred to as within the emails that are sent.

Decide how you would like logins to work if the MFA Service is ever unavailable

You can decide how your login process will work, should the MFA Service ever be unavailable.

Communicate with your team

Ahead of MFA being enabled, notify the users that will be affected.


Enable MFA


FAQs

Why is accessplanit’s MFA not available for my Users that login with SSO?

When a User logs in with Single Sign On (SSO) they bypass the accessplanit login process, and log in using their SSO Service instead of entering their accessplanit username and password. As accessplanit’s MFA functionality requires users to first enter a correct username and password, it is not possible to kick off MFA for users that log in via SSO. However, most SSO services also offer an MFA option, so please get in touch with your infrastructure/IT team to investigate this.


Why are users able to change their email address the first time they login with MFA?

As the MFA requires email, it is important that your users can supply an email address if they do not yet have one, or correct any mistakes/typos in their email address if they already have one stored.


What will happen if I enter too many incorrect codes when I try to login?

After 5 incorrect codes your User account will be locked; this behaves the same as a locked account from entering too many incorrect passwords.


How long are the codes valid for?

Each code that is emailed is valid for 15 minutes from the time of the request.


Can I request a new code if my email has not come through, or I took over 15 minutes?

Yes - each User can have up to 3 codes within a 24 hour period.


We have turned off all emails from our platform, will the MFA emails still send when people are trying to log in?

Yes - the MFA emails are managed separately from your standard platform emails, so they will still send even when emails are turned off; this includes test/sandbox environments.


Can I change the styling of the one-time-passcode email?

There are no styling options available for the email; however, it has been designed to be as lightweight and user-friendly as possible, to quickly support your Users with logging into the platform.


Can I decide which Users need to log in with MFA and which do not?

Yes - MFA can be set up to only apply to users based on their role within the platform, for example you can set up MFA to only kick-in for Training Administrators and Super Administrators. Please see the “Decide which users you would like to implement MFA for” section above for more information on this.


Why did accessplanit choose to use email as the additional authentication method?

We chose email as the additional authentication method primarily to make the MFA functionality as accessible as possible!

Email has the most widespread availability: most people have an email account, which makes email MFA accessible to a large audience without requiring any additional downloads or installations, as authenticator apps do. Email is also a very familiar format, which makes it an intuitive (and not very daunting!) option for users who are not confident downloading and using new applications.

Compared to SMS, email does not depend on cellular networks, which means it is more reliable in areas with poor network coverage. MFA through email also does not have the vulnerability to SIM swapping attacks, where attackers fraudulently take control of a victim's phone number.

Finally, with MFA through email we can take advantage of the additional security features that many email providers offer, such as email encryption, spam filters, and suspicious activity alerts, which enhance the overall security of the authentication process.

Can I change the length of time for Users to reauthenticate?

Not at this time; Users will be asked to re-authenticate every 120 days or every time they use a new device.


Are there plans to implement any alternatives to email, such as an authenticator app?

Not at this time; please let your Customer Success Manager know if this would be a useful addition for you.