__TOC__
=Overview=
'''Multi-Factor Authentication (MFA)''' is a method of authentication in which a user is granted access to your SmartSimple Cloud system only after successfully presenting two or more pieces of evidence to an authentication mechanism.

The security impact of MFA is that while a user might lose their authentication device or get tricked into sharing a password, the odds of both happening to a single user are dramatically reduced. Using MFA therefore enhances an organization's security by requiring users to identify themselves with more than their login credentials. SmartSimple Cloud supports two ways of implementing MFA:
* '''Time-based One-Time Password (TOTP)''' via an authenticator app, which is more secure and suitable for users with increased access such as global administrators or internal staff
* '''Single Use Verification Code''' sent via email or SMS, which is better suited for external users or users who log in infrequently

'''Note:''' MFA and password reset emails are sent from non-production environments as of the March 2023 upgrade. If you wish to add role restrictions for access to your backup environment, the setting is located at '''Menu''' icon > '''Global Settings''' > '''Security''' tab > '''System Feature Permissions''' > '''Feature''' tab > '''Restrict Login to Backup Environment to these Roles'''. When testing MFA and password reset emails on non-production environments, always use a test user and test email.

=Configuration=
To toggle on multi-factor authentication, follow these steps:
:# Navigate to '''Global Settings''' > '''Security''' > '''Password and Activation Policies'''.
:# Scroll to '''Authentication Options''' and toggle on '''Enable Multi-Factor Authentication'''.
:# Specify the roles that require authentication via TOTP and/or Verification Code. If the same role is added to both methods, only TOTP will be used.
'''<u>NOTE:</u>''' If you select the '''Everyone''' option, you do not need to update this setting when new roles are created.

[[File:Authentication Options.png|thumb|none|800px|Authentication options for time-based one-time passwords (TOTP) and verification codes via email or SMS]]

==Time-Based One-Time Password (TOTP) Implementation==
A time-based one-time password can be generated using an authentication app that is installed on a device (such as a mobile phone) in order to allow for an additional security step to authenticate logins.
===Setting up TOTP Multi-Factor Authentication for Specific Roles===
:# In your SmartSimple instance (logged in as Global Admin), go to '''Menu Icon''' > '''Global Settings'''.<br />[[File:GlobalSettings5.png|thumb|none|800px|The <strong>Global Settings</strong> link under the main menu]]
:# Go to the '''Security''' tab > '''Password and Activation Policies'''. Under '''Authentication Options''', toggle on '''Enable Multi-Factor Authentication (MFA)'''.
:# In the setting '''Roles with Time-Based One-Time Password (TOTP)''', include the roles that you want to enable multi-factor authentication for.
:# Toggle on '''Enable Trusted Device''' if you would like users to be able to bypass entering a code for a time period after the code has been successfully entered. If enabled, also enter the time period until the authentication bypass expires.
:# Scroll to the bottom of the page and click '''Save'''.
===Logging in the First Time with TOTP===
In order to use TOTP effectively, users must first download an authenticator application onto their mobile devices. Popular authentication apps include [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_CA&gl=US&pli=1 Google Authenticator], [https://www.microsoft.com/en-us/security/mobile-authenticator-app Microsoft Authenticator], or [https://play.google.com/store/apps/details?id=com.twofasapp 2FAS]. When logging into the system for the first time after TOTP has been activated on the user's role, the user must first follow these steps:
:# If a user has TOTP enabled on their account, they will be presented with the following screen the next time they log in: <br /> [[File:MFASetupTOTP.png|thumb|none|800px|TOTP setup page with instructions]]
:# Follow the instructions listed on the screen. Start by installing an authenticator app on your mobile device.
:# On your mobile device, open the authenticator app and select the option to add a new device or scan a QR code. Each app will have different actions. <br />[[File:ScanQR.jpg|thumb|none|800px|Interface for Google Authenticator]]
:# The app may prompt you for a QR code or a secret key. Back on your SmartSimple MFA setup page, click the button labeled '''Show TOTP Key and QR Code'''. This will reveal the QR code and secret key used with an authentication app. <br /> [[File:QRandSecretCodeScreen.png|thumb|none|800px|<strong>TOTP QR Code</strong> and <strong>TOTP Secret Key</strong> revealed]]
:# Use the mobile app to scan the QR code or manually enter the secret key into the app. Once complete, a new device will be added to your list in the app.
:# The mobile app will generate a time-based verification code. Enter this code into the field labelled '''Enter Verification Code''' on the setup page.
:# Click '''Submit'''.
===If the Mobile Device Associated with TOTP is Misplaced===
<pre>NOTE: If a mobile device associated with TOTP is misplaced, the TOTP must be reset by a Global Administrator or by a user in a role with the permission to reset the TOTP for other user roles.</pre>
In the case of a user's device being misplaced, the following steps will allow an internal user in the roles listed above to reset a user's TOTP:
:# Navigate to the profile of the user who wishes to have their TOTP credentials reset.
:# From the '''Actions''' dropdown, select '''Edit Roles and Access'''.
:# In the following modal window, select the button labeled '''Reset TOTP'''. <br /> [[File:ResetButton.png|thumb|none|800px]]
:# The user may now log in as normal, following the prompts on the subsequent '''Set Up Multi-Factor Authentication''' screen.
===Determining Which Roles Can Reset TOTP===
:# In your SmartSimple instance (logged in as a '''Global Administrator'''), in the '''Main Menu''' select '''Global Settings'''.<br /> [[File:GlobalSettings5.png|thumb|none|800px|The <strong>Global Settings</strong> link under the main menu]]
:# Navigate to the '''Users''' tab and click '''Roles'''.
:# '''Edit''' the role that you would like to grant the ability to reset TOTP on behalf of other users. For security best practice, this role should be an internal role only.
:# Select the '''Permissions''' tab.
:# In the field '''Roles this role can reset TOTP for''', select the other roles that this role can reset TOTP on behalf of.<br />'''Note:''' In addition to the selected roles, you must also have permissions to activate users ('''Roles this role can activate''' setting) as this is a part of the activation process.<br /> [[File:RolesTOTPReset.png|thumb|none|800px]]
:# Click '''Save'''.
==Single-Use Verification Code Implementation==
A single-use verification code is a uniquely generated number that is sent to the user via an email or SMS text. Since verification codes typically expire within a few minutes, each time the user logs into the system, they will be prompted for their single-use code.
===Setting up Verification Codes for Email===
<pre>Note: If you are using the SMTP Relay with an IP restriction for sending emails, ensure the IPs of your environments (backup, testing, production) are in your IP list. If you need help with identifying the IPs of your environments or have questions, reach out to our support team.</pre>
The easiest way to set up MFA is through the email that was used for user registration and login.
# Go to '''Menu Icon''' > '''Global Settings''' > '''Security''' tab > '''Password and Activation Policies''' and then scroll down to the section marked '''Authentication Options'''.
# Toggle on '''Enable Multi-Factor Authentication'''. You will see additional settings displayed for different authentication methods.
# Under the '''Roles with Verification Code via SMS or Email''' setting, decide which roles need to be authenticated via a verification code sent through the email address used for login. Click the '''Save''' button at the bottom of the page to activate changes.<br /> [[File:2022-11-ticket-139210-3.png|thumb|none|800px|Adding a specific role for SMS or email verification]]
===Logging in with a Verification Code from Email===
When a user has been assigned a role that requires a verification code, they can log in using the following steps:
# When the user logs in using their email and password, they will be taken to a page where they can click a button labelled '''Send Code by Email'''. <br /> [[File:2022-11-ticket-139210-4.png|thumb|none|800px|The multi-factor authentication page lets the user choose between receiving the verification code via email or SMS (if applicable)]]
# They will be prompted to enter a verification code that was sent to their email. <br /> [[File:2022-11-ticket-139210-4a.png|thumb|none|800px|The user will be prompted to enter a verification code sent to their email address]]
# The user must open their email to copy the verification code. <br /> [[File:2022-11-ticket-139210-5.png|thumb|none|800px|A sample email containing a temporary verification code]]
# Enter the verification code into the field and then click '''Submit''' to finish authentication and log in to the system. <br /> [[File:2022-11-ticket-139210-9.png|thumb|none|800px|Entering the temporary verification code into the verification field]]
===Setting up Verification Codes for SMS===
SMS (text messaging) is a paid service that must be enabled for you by SmartSimple. Contact Support or your account representative for more details. SmartSimple will enable SMS services by going to '''Menu Icon''' > '''Global Settings''' > '''Communications''' tab > Toggle on '''Enable SMS Notification'''. Ensure that the target users have an active mobile number filled into the standard phone number field. If the phone number field is empty, users will not be able to receive any SMS messages for login.
[[File:2022-11-ticket-139210-8.png|thumb|none|800px]]
===Bring Your Own SMS Provider License===
Clients have the option to set up their own Vonage account to send SMS messages from their system. For more information, visit the Vonage website to [https://www.vonage.com/communications-apis/sms/ read about their SMS API]. Once your account is set up, navigate to '''Global Settings''' > '''Integrations''' tab > '''Integration Key Management''' and create an integration key with the '''Type''' set to "Vonage." You'll need to enter your Vonage API Key, API Secret, and a North American or International virtual number.

'''Note''': SmartSimple representatives will still need to enable the SMS feature in your system.
===Logging in with a Verification Code from SMS===
# When the user logs in, they will be presented with the option to receive a verification code via email or through SMS. The user can click '''Send Code by Text Message'''. <br /> [[File:2022-11-ticket-139210-6.png|thumb|none|800px|Users have the option of receiving the code via email or through SMS]]
# The user can check their mobile messages, enter the code into the field, and then click '''Submit''' to finish authentication and log in to the system. <br /> [[File:2022-11-ticket-139210-7.png|thumb|none|800px|Once the verification code has been sent, the user will be prompted to enter the code into the verification field]]
==Bypassing Multi-Factor Authentication for Single Sign-On==
If multi-factor authentication has been enabled, it can be bypassed for users logging in via single sign-on (SSO). To bypass MFA, go to '''Global Settings''' > '''Integrations''' tab > '''Single Sign-On''' > edit an SSO setting > toggle on '''Bypass Multi-Factor Authentication (MFA) when logging in with Single Sign-On (SSO)'''.
[[File:SSO-Bypass-MFA.png|thumb|none|800px|Multi-factor authentication can be bypassed in the single sign-on settings]]
==Setting up a Default Email Address==
If you are using SMTP relay and/or have a dedicated instance (your own domain), make sure you have set up the default email address and that the default email address matches your domain. Otherwise your default email address should be set to '''donotreply@smartsimplemailer.com''' (US), '''donotreply@smartsimplemailer.eu''' (Europe) or '''donotreply@smartsimplemailer.ca''' (Canada). Follow these steps to set up a default email address:
# Go to '''Menu''' icon > '''Global Settings''' > '''Communications''' tab.
# Click '''Email Options and Security'''.
# Toggle on '''Enable Default From Address'''.
# Enter your desired '''From Address'''.
# Click '''Save'''.
[[File:default-email.png|thumb|none|800px|Set up a default email address to help ensure that verification emails do not get blocked by the SMTP relay]]
=Settings Explained=
{| class="wikitable"
|-
|'''Setting'''
|'''Description'''
|-
|'''Enable Multi-Factor Authentication'''
|Enables MFA for the entire instance but does not have any impact unless user roles are specified.
|-
|'''Roles with Time-based One-time Password (TOTP)'''
|Associates one or more roles with authentication proven through an authenticator app such as Google or Microsoft Authenticator.
|-
|'''Roles with Verification Code via SMS or Email'''
|Associates one or more roles with authentication proven through either email or an SMS message. The user can choose at the first point of verification to receive an email containing the one-time code or an SMS message containing the one-time code. SMS must be enabled by SmartSimple and will incur an additional cost. Please speak to Support or your account manager for more information.
|-
|'''Enable Trusted Device'''
|This option is used to bypass MFA authentication for specific roles on specific devices.
|-
|'''Trusted Device Expiry'''
|Sets the frequency of the MFA prompt, based on the number of days specified. If the number is set to one, the user will be prompted every day for an MFA verification code. If it is set to five, then the user will be prompted every five days.
|}
=See Also=
:* [[User Role]]s
:* [[Email]]
[[Category:Security]]