Difference between revisions of "Multi-Factor Authentication"

From SmartWiki
Jump to: navigation, search
(Configuration - Advanced)
m (Bring Your Own SMS Provider License)
 
(96 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
=Overview=
 
=Overview=
'''Multi-Factor Authentication''' is a method of authentication in which a user is granted access to your SmartSimple Cloud system only after successfully presenting two or more pieces of evidence to an authentication mechanism.
+
'''Multi-Factor Authentication (MFA)''' is a method of authentication in which a user is granted access to your SmartSimple Cloud system only after successfully presenting two or more pieces of evidence to an authentication mechanism.
  
The security impact of '''Multi-Factor Authentication (MFA)''' is that while a user may lose an access card or get tricked into sharing a password, the odds of both happening to a single user are dramatically reduced. Using MFA therefore enhances an organization's ability to ensure that no one is using illegitimate means to gain access
+
The security impact of MFA is that while a user might lose their authentication device or get tricked into sharing a password, the odds of both happening to a single user are dramatically reduced. Using MFA therefore enhances an organization's security by requiring users to identify themselves with more than their login credentials
  
  
SmartSimple Cloud supports two different approaches to '''Multi-Factor Authentication''':
+
SmartSimple Cloud supports two ways of implementing MFA:
  
* '''Time-based One-Time Password (TOTP)''' via an authenticator app.
+
* '''Time-based One-Time Password (TOTP) '''via an authenticator app, which is more secure and suitable for users with increased access such as global administrators or internal staff
 +
* '''Single Use Verification Code '''sent via email or SMS, which is better suited for external users or users who login infrequently
  
: '''IMPORTANT''': <span style="color: #ff0000;">'''YOU MUST'''</span> setup your authenticator app and link to your user account '''BEFORE''' enabling this type of MFA if you are an existing user. Additional steps are required. Please see below for details.
 
* '''Single Use Verification Code '''sent by either Email or SMS.
 
  
:: No additional configuration steps required for this type of MFA.
+
'''Note:''' MFA and password reset emails are sent from non-production environments as of the March 2023 upgrade. If you wish to add role restrictions for access to your backup environment, the setting is located at '''Menu''' icon > '''Global Settings''' > '''Security '''tab > '''System Feature Permissions''' > '''Feature''' tab > '''Restrict Login to Backup Environment to these Roles'''. When testing MFA and password reset emails on non-production environments, always use a test user and test email.
=Configuration - Essentials=
+
 
All settings related to multi-factor authentication are in a single location
+
=Configuration=
 +
To toggle on multi-factor authentication, follow these steps:
  
 
:# Navigate to '''Global Settings''' > '''Security''' > '''Password and Activation Policies'''
 
:# Navigate to '''Global Settings''' > '''Security''' > '''Password and Activation Policies'''
 
:# Scroll to''' Authentication Options''' and toggle on '''Enable Multi-Factor Authentication'''
 
:# Scroll to''' Authentication Options''' and toggle on '''Enable Multi-Factor Authentication'''
:# Specify the roles that require authentication via TOTP and/or Verification Code
+
:# Specify the roles that require authentication via TOTP and/or Verification Code. If the same role is added to both methods, only TOTP will be used.
 +
 
 +
        '''<u>NOTE:</u>''' If you select the '''Everyone''' option, you do not need to update this setting when new roles are created.
 +
 
  
        '''<u>NOTE:</u>''' If new roles are added to the system, the MFA configuration must also be updated 
 
  
 +
[[File:Authentication Options.png|thumb|none|800px|Authentication options for time-based one-time passwords (TOTP) and verification codes via email or SMS]]
 +
 +
==Time-Based One-Time Password (TOTP) Implementation==
 +
A time-based one-time password can be generated using an authentication device (such as a mobile phone) in order to allow for an additional security step to authenticate logins.
 +
 +
===Setting up TOTP Multi-Factor Authentication for Specific Roles===
 +
:# In your SmartSimple instance (logged in as Global Admin), go to''' Menu Icon''' > '''Global Settings'''.<br /> [[File:GlobalSettings5.png|thumb|none|800px|The <strong>Global Settings</strong> link under the main menu]]
 +
:# Go to the Security tab > '''Password and Activation Policies > '''Under “Authentication Options”, toggle on '''Enable Multi-Factor Authentication (MFA)'''.
 +
:# In the setting '''Roles with Time-Based One-Time Password (TOTP),''' include the roles that you want to enable multi-factor authentication for.
 +
:# Toggle on '''Enable Trusted Device''' if you would like users to be able to bypass entering a code for a time period after the code has been successfully entered. If enabled, also enter the time period until the authentication bypass expires.
 +
:# Scroll to the bottom of the page and click '''Save'''.
 +
 +
===Logging in the First Time with TOTP===
 +
In order to use TOTP effectively, users must first download an authenticator application onto their mobile devices. Popular authentication apps include [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_CA&gl=US&pli=1 Google Authenticator], [https://www.microsoft.com/en-us/security/mobile-authenticator-app Microsoft Authenticator], or [https://play.google.com/store/apps/details?id=com.twofasapp 2FAS].
 +
When logging into the system for the first time after TOTP has been activated on the user's role, the user must first follow these steps:
 +
 +
:# If user has TOTP enabled on their account, they will be presented with the following screen the next time they log in: <br /> [[File:MFASetupTOTP.png|thumb|none|800px|TOTP setup page with instructions]]
 +
:# Follow the instructions listed on the screen. Start by installing an authenticator app on your mobile device. 
 +
:# On your mobile device, open the authenticator app and select the option to add a new device or scan a QR code. Each app will have different actions. <br /> [[File:ScanQR.jpg|thumb|none|800px| Interface for Google Authenticator]]
 +
:# The app may prompt you for a QR code or a secret key. Back on your SmartSimple MFA setup page, click the button labeled '''Show TOTP Key and QR Code'''. This will reveal the QR and secret key used with an authentication app. <br /> [[File:QRandSecretCodeScreen.png|thumb|none|800px|<strong>TOTP QR Code</strong> and <strong>TOTP Secret Key</strong> revealed]]
 +
:# Use the mobile app to scan the QR code or manually enter the secret key into the app. Once complete, a new device will be added to your list in the app. 
 +
:# The mobile app will generate a time-based verification code. Enter this code into the field labelled '''Enter Verification Code''' on the setup page. 
 +
:# Click '''Submit. '''
 +
 +
===If the Mobile Device Associated with TOTP is Misplaced===
 +
<pre>NOTE: If a mobile device associated with TOTP is misplaced, the TOTP must be reset by a Global Administrator or by a user in a role with the permission to reset the TOTP for other user roles.</pre>
 +
In the case of a user's device being misplaced, the following steps will allow an internal user in the roles listed above to reset a user's TOTP:
 +
 +
:# Navigate to the user's profile who wishes to have TOTP credentials reset.
 +
:# From the '''Actions''' dropdown, select '''Edit Roles and Access'''.
 +
:# In the following modal window, select the button labeled '''Reset TOTP'''. <br /> [[File:ResetButton.png|thumb|none|800px]]
 +
:# The user may now login as normal, following the prompts on the subsequent '''Set Up Multi-Factor Authentication''' screen.
  
 +
===Determining Which Roles Can Reset TOTP===
 +
:# In your SmartSimple instance (logged in as a '''Global Administrator''') in the '''Main Menu''', select '''Global Settings'''.<br /> [[File:GlobalSettings5.png|thumb|none|800px| The <strong>Global Settings</strong> link under the main menu]]
 +
:# Navigate to the '''Users''' tab and click '''Roles'''.
 +
:# '''Edit''' the role that you would like to grant the ability to reset TOTP on behalf of other users. For security best practice, this role should be an internal role only.
 +
:# Select the '''Permissions''' tab.
 +
:# In the field '''Roles this role can reset TOTP for''', select the other roles that this role can reset TOTP on behalf of.<br />
 +
'''Note:''' In addition to the selected roles, you must also have permissions to activate users ('''Roles this role can activate''' setting) as this is a part of the activation process.<br /> [[File:RolesTOTPReset.png|thumb|none|800px]]
 +
:# Click '''Save'''.
  
[[File:Authentication Options.png|thumb|none|800px|Authentication Options]]
+
==Single-Use Verification Code Implementation==
 +
A single-use verification code is a uniquely generated number that is sent to the user via an email or SMS text. Since verification codes typically expire within a few minutes, each time the user logs into the system, they will be prompted for their single-use code.
  
 
===Setting up Verification Codes for Email===
 
===Setting up Verification Codes for Email===
The easiest way to set up MFA is through the email that was used for user registration and login. Be sure to follow the instructions carefully to avoid accidentally locking yourself or others out of their accounts.
+
<pre>Note: If you are using the SMTP Relay with an IP restriction for sending emails, ensure the IP of your environments (backup, testing, production) is in your IP list. If you need to help with identifying the IPs of your environments or have questions, reach out to our support team.</pre>
 +
 
 +
The easiest way to set up MFA is through the email that was used for user registration and login.
  
 
# Go to '''Menu Icon''' > '''Global Settings''' > '''Security''' tab > '''Password and Activation Policies''' and then scroll down to the section marked '''Authentication Options'''.
 
# Go to '''Menu Icon''' > '''Global Settings''' > '''Security''' tab > '''Password and Activation Policies''' and then scroll down to the section marked '''Authentication Options'''.
 
# Toggle on '''Enable Multi-Factor Authentication'''. You will see additional settings displayed for different authentication methods. 
 
# Toggle on '''Enable Multi-Factor Authentication'''. You will see additional settings displayed for different authentication methods. 
# Under the '''Roles with Verification Code via SMS or Email''' setting, you will need to decide which roles need to be authenticated via a verification code sent through the email address used for login. Ensure that users assigned to this role have not opted out of receiving system emails. Click the '''Save''' button at the bottom of the page to activate changes.<br /> [[File:2022-11-ticket-139210-3.png|thumb|none|500px]]
+
# Under the '''Roles with Verification Code via SMS or Email''' setting, you will need to decide which roles need to be authenticated via a verification code sent through the email address used for login. Click the '''Save''' button at the bottom of the page to activate changes.<br /> [[File:2022-11-ticket-139210-3.png|thumb|none|800px| Adding a specific role for SMS or email verification]]
 
 
  
 
===Logging in with a Verification Code from Email===
 
===Logging in with a Verification Code from Email===
 
When a user has been assigned a role that requires a verification code, they can login using the following steps:
 
When a user has been assigned a role that requires a verification code, they can login using the following steps:
  
# When the user logs in using their email and password, they will be prompted to enter a verification code that was sent to their email. <br /> [[File:2022-11-ticket-139210-4.png|thumb|none|500px]]
+
# When the user logs in using their email and password, they will be taken to a page where they can click a button labelled '''Send Code by Email.''' <br /> [[File:2022-11-ticket-139210-4.png|thumb|none|800px| The multi-factor authentication page lets the user choose between receiving the verification code via email or SMS (if applicable)]]
# The user can check their email to copy the verification number. <br /> [[File:2022-11-ticket-139210-5.png|thumb|none|500px]]
+
# They will be prompted to enter a verification code that was sent to their email. <br /> [[File:2022-11-ticket-139210-4a.png|thumb|none|800px| The user will be prompted to enter a verifcation code sent to their email address]]
# Enter the verification code into the field and then click '''Submit''' to finish authenticated login.
+
# The user must open their email to copy the verification code. <br /> [[File:2022-11-ticket-139210-5.png|thumb|none|800px| A sample email containing a temporary verification code]]
 +
# Enter the verification code into the field and then click '''Submit''' to finish authentication and log in to the system. <br /> [[File:2022-11-ticket-139210-9.png|thumb|none|800px| Entering the temporary verification code into the verification field]]
  
 
===Setting up Verification Codes for SMS===
 
===Setting up Verification Codes for SMS===
In order for users to receive SMS messages, a SmartSimple administrator must first enable SMS services by going to '''Menu Icon''' > '''Global Settings''' > '''Communications''' tab > Toggle on '''Enable SMS Notification'''. Ensure that the target users have an active mobile number filled into this standard field. If the phone number field is empty, users will not be able to receive any SMS messages for login and may be locked out of their accounts once activated.  
+
SMS (text messaging) is paid service that must be enabled for you by SmartSimple. Contact Support or your account representative for more details. SmartSimple will enable SMS services by going to '''Menu Icon''' > '''Global Settings''' > '''Communications''' tab > Toggle on '''Enable SMS Notification'''. Ensure that the target users have an active mobile number filled into this standard field. If the phone number field is empty, users will not be able to receive any SMS messages for login.
[[File:2022-11-ticket-139210-8.png|thumb|none|500px]]
+
[[File:2022-11-ticket-139210-8.png|thumb|none|800px]]
 +
 
 +
===Bring Your Own SMS Provider License===
 +
Clients have the option to set up their own Vonage account to send SMS messages from their system. For more information, visit the Vonage website to [https://www.vonage.com/communications-apis/sms/ read about their SMS API]. Once your account is set up, navigate to '''Global Settings''' > '''Integrations''' tab > '''Integration Key Management''' > Create an integration key with the '''Type''' set to "Vonage." You'll need to enter your Vonage API Key, API Secret, and a North American or International virtual number.
 +
 
 +
'''Note''': SmartSimple representatives will still need to enable the SMS feature in your system.
  
 
===Logging in with a Verification Codes for SMS===
 
===Logging in with a Verification Codes for SMS===
# When the user logs in, they will be presented with the option to receive a verification code via email (if available) or through SMS. The user can click '''Send Code by Text Message'''. <br /> [[File:2022-11-ticket-139210-6.png|thumb|none|500px]]
+
# When the user logs in, they will be presented with the option to receive a verification code via email or through SMS. The user can click '''Send Code by Text Message'''. <br /> [[File:2022-11-ticket-139210-6.png|thumb|none|800px| Users have the option of receiving the code via email or through SMS]]
# The user can check their mobile messages, enter the code into the field, and then click '''Submit''' to finish authenticated login. <br /> [[File:2022-11-ticket-139210-7.png|thumb|none|500px]]
+
# The user can check their mobile messages, enter the code into the field, and then click '''Submit''' to finish authentication and log in to the system. <br /> [[File:2022-11-ticket-139210-7.png|thumb|none|800px| Once the verification code has been sent, the user will be prompted to enter the code into the verification field]]
  
=Configuration - Advanced=
+
==Bypassing Multi-Factor Authentication for Single Sign-On==
===Enforce TOTP Multi-Factor Authentication for Particular Roles===
+
If multi-factor authentication has been enabled, it can be bypassed for users logging in via single sign-on (SSO). To bypass MFA, go to '''Global Settings''' > '''Integrations''' tab > '''Single Sign-On''' > Edit an SSO setting > Toggle on '''Bypass Multi-Factor Authentication (MFA) when logging in with Single Sign-On (SSO)'''.
:# In your SmartSimple instance (logged in as Global Admin) in the '''Configuration Menu''' (9-Square Grid Icon), select '''Global Settings'''.<br /> [[Image:GlobalSettings5.png|250px]]
+
[[File:SSO-Bypass-MFA.png|thumb|none|800px| Multi-factor authentication can be bypassed in the single sign-on settings]]
:# Select the '''Security''' Tab from the Global Settings.
 
:# Click '''Password and Activation Policies'''.
 
:# Under “Authentication Options”, toggle on '''Enable Multi-Factor Authentication (MFA)'''.
 
:# In the setting '''Roles with Time-Based One-Time Password (TOTP)''' include the roles that you will be adding 2-Factor Authentication for. Note that the existing users in these roles must first scan the QR Code on their mobile device before this setting should be toggled on.
 
:# Toggle on '''Enable Trusted Device''' if you would like users to be able to bypass entering a code for a time period after the code has been successfully entered. If enabled, also enter the time period that the 2-Factor Authentication will be bypassed for trusted users.
 
:# Scroll to the bottom of the page and click '''Save'''.
 
:# To test your MFA, log out of your account, and then log back in. You should now see a page following login called “Set Up Multi-Factor Authentication.” Follow the instructions in the following section to set up TOTP Multi-Factor Authentication. <br /> [[File:MFASetupTOTP.png|thumb|none|800px|TOTP Setup Page.]]
 
  
===Logging in the First Time with TOTP for Existing Users===
+
==Setting up a Default Email Address==
In order to use TOTP effectively, users must first download an authenticator application onto their mobile devices. Popular authentication apps include [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_CA&gl=US&pli=1 Google Authenticator], [https://www.microsoft.com/en-us/security/mobile-authenticator-app Microsoft Authenticator], or [https://play.google.com/store/apps/details?id=com.twofasapp 2FAS].
+
If you are using SMTP relay and/or have a dedicated instance (your own domain), make sure you have set up the default email address and that the default email address matches your domain. Otherwise your default email address should be set to '''donotreply@smartsimplemailer.com''' (US) or '''donotreply@smartsimplemailer.eu''' (Europe) or '''donotreply@smartsimplemailer.ca''' (Canada). Follow these steps to set up a default email address:
When logging into the system for the first time after TOTP has been activated on the user's role, the user must first follow these steps:
 
 
 
:# From the login page, enter your email and password as usual to log in.
 
:# You will then be presented with the following screen: <br /> [[File:MFASetupTOTP.png|thumb|none|800px|TOTP Setup Page.]]
 
:# Follow the instructions listed on the screen, starting by installing an authenticator app on your mobile device.
 
:# On your mobile device, open the authenticator app and select “Add new device” or similar. Then select “Scan QR Code” or similar. <br /> [[Image:ScanQR.jpg|500px]]
 
:# Clicking the button "Show TOTP Key and QR Code" reveals the QR and secret code used with an authentication app. <br /> [[File:QRandSecretCodeScreen.png|thumb|none|300px|QR and Secret Code Screen.]]
 
:# After scanning the QR Code or entering the '''TOTP Secret Key''' in your Authenticator app, a new device should be added to your list. Alternatively, you could also use the '''TOTP Secret Key''' as opposed to the '''TOTP QR Code'''.
 
:# Next, enter the TOTP '''Verification Code''' in the modal window.
 
:# Press '''Submit''' when done.
 
  
===If the Mobile device Associated with TOTP is Misplaced===
+
# Go to '''Menu''' icon > '''Global Settings''' > '''Communications''' tab
<strong>NOTE:</strong> If a mobile device associated with TOTP is misplaced, TOTP must be reset by a Global Admin, or a user in a role with <strong>Role can reset TOTP for</strong> permissions in the role's setting page (More information detailed in the following section).
+
# Click '''Email Options and Security'''
In the case of a user's device being misplaced, the following steps will allow an internal user in the roles listed above to reset a user's TOTP:
+
# Toggle on '''Enable Default From Address'''
 +
# Enter your desired '''From Address'''
 +
# Click '''Save'''
  
:# First, navigate to the user's profile who wishes to have TOTP credentials reset.
 
:# Next, from the '''Actions''' dropdown, select '''Edit Roles and Access'''.
 
:# In the following modal window, select the button labeled '''Reset TOTP'''. Note that the button will disappear after the reset has been initiated.
 
:# The user may now login as normal, following the prompts on the subsequent '''Set Up Multi-Factor Authentication''' screen.
 
  
===Determining which roles can reset TOTP===
+
[[File:default-email.png|thumb|none|800px|Set up a default email address to help ensure that verification emails do not get blocked by the SMTP relay]]
:# In your SmartSimple instance (logged in as Global Admin) in the '''Configuration Menu''' (9-Square Grid Icon), select '''Global Settings'''.<br /> [[Image:GlobalSettings5.png|250px]]
 
:# Select the '''Users''' Tab from the Global Settings.
 
:# Click '''Roles'''.
 
:# Select '''Edit''' beside the role that you would like to grant permission to reset TOTP on behalf of other users. For security best practices, this role should be an internal role only.
 
:# Select the '''Permissions''' tab.
 
:# In the field '''Roles this role can reset TOTP for''', select the roles that this role can reset TOTP on behalf of.
 
:# Click '''Save''' when complete.
 
  
 
=Settings Explained=
 
=Settings Explained=
Line 119: Line 143:
  
 
| style="border-color: #;"|
 
| style="border-color: #;"|
Associates one or more roles with authentication proved through either email or an SMS message. The user can choose at the point of verification to receive an email containing the one-time-code or an SMS message containing the one-time code. SMS must be enabled by SmartSimple and will incur an additional cost. Please speak to your account manager for more information.
+
Associates one or more roles with authentication proved through either email or an SMS message. The user can choose at the point of verification to receive an email containing the one-time code or an SMS message containing the one-time code. SMS must be enabled by SmartSimple and will incur an additional cost. Please speak to Support or your account manager for more information.
  
 
|-
 
|-
Line 126: Line 150:
  
 
||
 
||
This option is used to enable the trusted device feature. If this option is selected then every user (via their role) associated with MFA will not be prompted every time they attempt to log into the system.
+
This option is used to bypass MFA authentication for specific roles on specific devices. 
  
 
|-
 
|-
Line 133: Line 157:
  
 
||
 
||
Sets the frequency of the MFA prompt, based on the number of days specified. If the number is set to one, the user will be prompted every day for an MFA verification code, if set to five then the user will be prompted every five days.
+
Sets the frequency of the MFA prompt, based on the number of days specified. If the number is set to one, the user will be prompted every day for an MFA verification code. If its set to five, then the user will be prompted every five days.
  
 
|}
 
|}
Line 139: Line 163:
 
=See Also=
 
=See Also=
 
:* [[User Role]]s
 
:* [[User Role]]s
 +
:* [[Email]]
 
[[Category:Security]]
 
[[Category:Security]]

Latest revision as of 14:48, 9 August 2024

Overview

Multi-Factor Authentication (MFA) is a method of authentication in which a user is granted access to your SmartSimple Cloud system only after successfully presenting two or more pieces of evidence to an authentication mechanism.

The security impact of MFA is that while a user might lose their authentication device or get tricked into sharing a password, the odds of both happening to a single user are dramatically reduced. Using MFA therefore enhances an organization's security by requiring users to identify themselves with more than their login credentials. 


SmartSimple Cloud supports two ways of implementing MFA:

  • Time-based One-Time Password (TOTP) via an authenticator app, which is more secure and suitable for users with increased access such as global administrators or internal staff
  • Single Use Verification Code sent via email or SMS, which is better suited for external users or users who login infrequently


Note: MFA and password reset emails are sent from non-production environments as of the March 2023 upgrade. If you wish to add role restrictions for access to your backup environment, the setting is located at Menu icon > Global Settings > Security tab > System Feature Permissions > Feature tab > Restrict Login to Backup Environment to these Roles. When testing MFA and password reset emails on non-production environments, always use a test user and test email.

Configuration

To toggle on multi-factor authentication, follow these steps:

  1. Navigate to Global Settings > Security > Password and Activation Policies
  2. Scroll to Authentication Options and toggle on Enable Multi-Factor Authentication
  3. Specify the roles that require authentication via TOTP and/or Verification Code. If the same role is added to both methods, only TOTP will be used.

        NOTE: If you select the Everyone option, you do not need to update this setting when new roles are created.


Authentication options for time-based one-time passwords (TOTP) and verification codes via email or SMS

Time-Based One-Time Password (TOTP) Implementation

A time-based one-time password can be generated using an authentication device (such as a mobile phone) in order to allow for an additional security step to authenticate logins.

Setting up TOTP Multi-Factor Authentication for Specific Roles

  1. In your SmartSimple instance (logged in as Global Admin), go to Menu IconGlobal Settings.
    The Global Settings link under the main menu
  2. Go to the Security tab > Password and Activation Policies > Under “Authentication Options”, toggle on Enable Multi-Factor Authentication (MFA).
  3. In the setting Roles with Time-Based One-Time Password (TOTP), include the roles that you want to enable multi-factor authentication for.
  4. Toggle on Enable Trusted Device if you would like users to be able to bypass entering a code for a time period after the code has been successfully entered. If enabled, also enter the time period until the authentication bypass expires.
  5. Scroll to the bottom of the page and click Save.

Logging in the First Time with TOTP

In order to use TOTP effectively, users must first download an authenticator application onto their mobile devices. Popular authentication apps include Google Authenticator, Microsoft Authenticator, or 2FAS. When logging into the system for the first time after TOTP has been activated on the user's role, the user must first follow these steps:

  1. If user has TOTP enabled on their account, they will be presented with the following screen the next time they log in: 
    TOTP setup page with instructions
  2. Follow the instructions listed on the screen. Start by installing an authenticator app on your mobile device. 
  3. On your mobile device, open the authenticator app and select the option to add a new device or scan a QR code. Each app will have different actions. 
    Interface for Google Authenticator
  4. The app may prompt you for a QR code or a secret key. Back on your SmartSimple MFA setup page, click the button labeled Show TOTP Key and QR Code. This will reveal the QR and secret key used with an authentication app.
    TOTP QR Code and TOTP Secret Key revealed
  5. Use the mobile app to scan the QR code or manually enter the secret key into the app. Once complete, a new device will be added to your list in the app. 
  6. The mobile app will generate a time-based verification code. Enter this code into the field labelled Enter Verification Code on the setup page. 
  7. Click Submit. 

If the Mobile Device Associated with TOTP is Misplaced

NOTE: If a mobile device associated with TOTP is misplaced, the TOTP must be reset by a Global Administrator or by a user in a role with the permission to reset the TOTP for other user roles.

In the case of a user's device being misplaced, the following steps will allow an internal user in the roles listed above to reset a user's TOTP:

  1. Navigate to the user's profile who wishes to have TOTP credentials reset.
  2. From the Actions dropdown, select Edit Roles and Access.
  3. In the following modal window, select the button labeled Reset TOTP.
    ResetButton.png
  4. The user may now login as normal, following the prompts on the subsequent Set Up Multi-Factor Authentication screen.

Determining Which Roles Can Reset TOTP

  1. In your SmartSimple instance (logged in as a Global Administrator) in the Main Menu, select Global Settings.
    The Global Settings link under the main menu
  2. Navigate to the Users tab and click Roles.
  3. Edit the role that you would like to grant the ability to reset TOTP on behalf of other users. For security best practice, this role should be an internal role only.
  4. Select the Permissions tab.
  5. In the field Roles this role can reset TOTP for, select the other roles that this role can reset TOTP on behalf of.
Note: In addition to the selected roles, you must also have permissions to activate users (Roles this role can activate setting) as this is a part of the activation process.
RolesTOTPReset.png
  1. Click Save.

Single-Use Verification Code Implementation

A single-use verification code is a uniquely generated number that is sent to the user via an email or SMS text. Since verification codes typically expire within a few minutes, each time the user logs into the system, they will be prompted for their single-use code.

Setting up Verification Codes for Email

Note: If you are using the SMTP Relay with an IP restriction for sending emails, ensure the IP of your environments (backup, testing, production) is in your IP list. If you need to help with identifying the IPs of your environments or have questions, reach out to our support team.

The easiest way to set up MFA is through the email that was used for user registration and login.

  1. Go to Menu Icon > Global Settings > Security tab > Password and Activation Policies and then scroll down to the section marked Authentication Options.
  2. Toggle on Enable Multi-Factor Authentication. You will see additional settings displayed for different authentication methods. 
  3. Under the Roles with Verification Code via SMS or Email setting, you will need to decide which roles need to be authenticated via a verification code sent through the email address used for login. Click the Save button at the bottom of the page to activate changes.
    Adding a specific role for SMS or email verification

Logging in with a Verification Code from Email

When a user has been assigned a role that requires a verification code, they can login using the following steps:

  1. When the user logs in using their email and password, they will be taken to a page where they can click a button labelled Send Code by Email.
    The multi-factor authentication page lets the user choose between receiving the verification code via email or SMS (if applicable)
  2. They will be prompted to enter a verification code that was sent to their email.
    The user will be prompted to enter a verifcation code sent to their email address
  3. The user must open their email to copy the verification code.
    A sample email containing a temporary verification code
  4. Enter the verification code into the field and then click Submit to finish authentication and log in to the system.
    Entering the temporary verification code into the verification field

Setting up Verification Codes for SMS

SMS (text messaging) is paid service that must be enabled for you by SmartSimple. Contact Support or your account representative for more details. SmartSimple will enable SMS services by going to Menu Icon > Global Settings > Communications tab > Toggle on Enable SMS Notification. Ensure that the target users have an active mobile number filled into this standard field. If the phone number field is empty, users will not be able to receive any SMS messages for login.

2022-11-ticket-139210-8.png

Bring Your Own SMS Provider License

Clients have the option to set up their own Vonage account to send SMS messages from their system. For more information, visit the Vonage website to read about their SMS API. Once your account is set up, navigate to Global Settings > Integrations tab > Integration Key Management > Create an integration key with the Type set to "Vonage." You'll need to enter your Vonage API Key, API Secret, and a North American or International virtual number.

Note: SmartSimple representatives will still need to enable the SMS feature in your system.

Logging in with a Verification Codes for SMS

  1. When the user logs in, they will be presented with the option to receive a verification code via email or through SMS. The user can click Send Code by Text Message.
    Users have the option of receiving the code via email or through SMS
  2. The user can check their mobile messages, enter the code into the field, and then click Submit to finish authentication and log in to the system.
    Once the verification code has been sent, the user will be prompted to enter the code into the verification field

Bypassing Multi-Factor Authentication for Single Sign-On

If multi-factor authentication has been enabled, it can be bypassed for users logging in via single sign-on (SSO). To bypass MFA, go to Global Settings > Integrations tab > Single Sign-On > Edit an SSO setting > Toggle on Bypass Multi-Factor Authentication (MFA) when logging in with Single Sign-On (SSO).

Multi-factor authentication can be bypassed in the single sign-on settings

Setting up a Default Email Address

If you are using SMTP relay and/or have a dedicated instance (your own domain), make sure you have set up the default email address and that the default email address matches your domain. Otherwise your default email address should be set to donotreply@smartsimplemailer.com (US) or donotreply@smartsimplemailer.eu (Europe) or donotreply@smartsimplemailer.ca (Canada). Follow these steps to set up a default email address:

  1. Go to Menu icon > Global Settings > Communications tab
  2. Click Email Options and Security
  3. Toggle on Enable Default From Address
  4. Enter your desired From Address
  5. Click Save


Set up a default email address to help ensure that verification emails do not get blocked by the SMTP relay

Settings Explained

Setting

Description

Enable Multi-Factor Authentication

Enables MFA for the entire instance but does not have any impact unless user roles are specified.

Roles with Time-based One-time Password (TOTP)

Associates one or more roles with authentication proven through an authenticator app such as Google or Microsoft Authenticator.  

Roles with Verification Code via SMS or Email

Associates one or more roles with authentication proved through either email or an SMS message. The user can choose at the point of verification to receive an email containing the one-time code or an SMS message containing the one-time code. SMS must be enabled by SmartSimple and will incur an additional cost. Please speak to Support or your account manager for more information.

Enable Trusted Device

This option is used to bypass MFA authentication for specific roles on specific devices. 

Trusted Device Expiry

Sets the frequency of the MFA prompt, based on the number of days specified. If the number is set to one, the user will be prompted every day for an MFA verification code. If its set to five, then the user will be prompted every five days.

See Also