=Overview=
When using '''Multi-Factor Authentication, '''each new is a method of authentication in which a user can use the Google Authenticator app is granted access to obtain one-time passwords which are calculated from time and/your SmartSimple Cloud system only after successfully presenting two or event-based algorithmsmore pieces of evidence to an authentication mechanism.
Most websites that a user can log into require a username and password, both "known" by the individual in order to log in. In short, this means that anyone who knows the correct username and password combination for a unique account can log into that account; thus, there is very little that can be done to identify that the individual logging is is actually the individual who owns the account.'''<strong> '''</strong>
The '''The security impact of Multi-Factor Authentication '''function provides a second factor - this can be something Authentication (MFA) is that someone has (for example, while a user may lose an access card) or some unique property of that person (for example, get duped into sharing a fingerprintpassword, or the odds of both happening to a code sent single user are dramatically reduced. Using MFA therefore enhances an organization's ability to ensure that no one is using illegitimate means to a personal mobile device)gain access.
The security impact of the '''Multi-Factor Authentication <strong> '''is that while a user may lose an access card or get duped into sharing a password, the odds of both happening to a single user are dramatically reduced. Using '''Multi-Factor Authentication '''therefore enhances an organization's ability to ensure that no one is using illegitimate means to gain access. </strong>
'''Multi-Factor Authentication '''is a required component of maintaining [[SmartSimple]]'s SOC2 security status. SmartSimple Cloud supports two different '''approaches to Multi-Factor Authentication '''approachesAuthentication:
* '''TOTP '''([https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm Time-based One-Time Password]Password (TOTP) - this technique uses an authentication app that is installed on a mobile phone * '''RSA Disconnected Token '''- this technique requires a physical phone or other personal device used to generate a one-time code .
<pre>This article deals specifically with the TOTP protocol. To learn more about the RSA Disconnected Token protocol and its related costs, please contact your account manager. </pre>==Prerequisites==In order Verification Code – a single use code sent by either Email or SMS to configure '''Multi-Factor Authentication, '''you will need to have the following: * [[Global User Administrator|System Administrator]] access - your [[User|a user]] [[User Role|role]] in your [[SmartSimple]] [[instance]] must be '''System Administrator.'''* Access to a mobile device with a two-factor authentication tool installed, such as Duo specified email address or Google Authenticator (available in Google Play and App Store). If you have not already downloaded an authentication app onto your mobile device, please do so prior to following the steps in the rest of the article.phone number
==Configuring a Role to Use Multi-Factor Authentication==
'''Multi-Factor Authentication '''is configured by [[User Role]]. For best practice, it is recommended to specifically create '''Multi-Factor Authentication '''as a new role and add it to the existing users. While '''Multi-Factor Authentication '''can be added to an existing role, it is not recommended because it will become more complex to manage. <br />For roles that have this feature enabled, the use of '''Multi-Factor Authentication '''becomes mandatory. This involves a drastic change in user experience, so SmartSimple recommends that this action be rolled out All settings related to users in small groups at the beginning of the process. The first step of the implementation process is to create this role in your [[SmartSimple]] [[instance]]. Follow the steps below in order to configure a [[User Role|user role]] to '''Multi-Factor Authentication: ''' 1. Click on the 9-square menu icon on the top right of your page. :: {{Icon-Menu}} 2. Under the heading '''Configuration, '''select '''Roles and Security.''' :: [[File:2factor roles.png|220px|border]]3. Click on the first hyperlink labelled '''User Roles.''' The list of available [[User Role|user roles]] in your system will be displayed. 4. Click on the '''+ icon '''on the top left in order to '''Create a New Role. ''' :: [[File:2factor create new user role.png|500px|border]] 4. The '''New Role '''page will be displayed. :: [[File:2factor new role.png|500px|border]] Fill out the following details: * '''Name: '''2 Factor Authentication (for clarification of the role purpose) * '''Caption: '''2 Factor Authentication (as the caption is typically the same or similar to the '''Name''') * '''Description: '''TOTP (for clarification of the role purpose) 5. In the '''Two Factor Authentication '''field, click into it and select the option '''Time-based One-time Password (TOTP).''' * '''Note''': If you select the '''None '''option, this means that '''t'''here will be no two-factor authentication enabled for this user role. When someone with this user role tries to enter the system, they are able to successfully log in by inputting just their correct username and password combo. 6. Click the '''Save '''button at the bottom of the page. The page will refresh with the role saved into the system. To check that your role has been successfully added: 1. Click the '''list icon '''in the top left row of buttons on the '''2 Factor Authentication '''Role page. :: [[File:Return to user roles.png|90px|border]]2. This will bring you to the [[List View Overview|list]] of all user roles in the system once more. You should now see the '''2 Factor Authentication '''role listed. :: [[File:2factor role.png|600px|border]]Once you see your newly created role among the list of user roles, then the role has been successfully added and is saved into the system. ==Adding Users to New Role==Once you have added the '''2 Factor Authentication '''role (and configured '''TOTP '''in the role details), then the next step is to add existing [[SmartSimple]] [[User|users]] into that role. For this process, you should remain on the '''2 Factor Authentication '''Role page. To do so, click the '''pencil icon '''next to the role name on the list of user roles. 1. On the left-hand side will be a menu: click into the tab titled '''Current Users. ''' :: [[File:2factor current users.png|500px|border]]2. The list of current users associated with this role will be displayed. If you have just created this role, there will be no users listed. Click the '''+ icon '''on the top left above the list in order to '''Add a User '''to the role. :: [[File:2factor add user.png|70px|border]]3. A list of all available [[User|users]] in your system will be displayed in a modal window. :: [[File:2factor add user to rolel.png|750px|border]] Select which users you would like to add to the role by checking the box next to their name in the list. 4. Click '''Add '''at the bottom of the page. 5. Any selected users will now be displayed in the list of '''Current Users '''for the '''2 Factor Authentication '''role. single location
:: [[File:2factor current users list# Navigate to Global Settings > Security > Password and Activation Policies.png|700px|border]]==Activating Users with # Scroll to Authentication Options and toggle on Enable Multi-Factor Authentication==After you have both added a '''2 Factor Authentication '''role and added '''Users '''into # Specify the roles that role, the next step is to activate those users. require authentication via TOTP and/or Verification Code
First NOTE: If new roles are added to the system, update the '''Activation Email Template '''in your [[SmartSimple]] system. the MFA configuration must also be updated
1. Click on the 9-square menu icon on the top right of the page. <br /><br />
:: {{Icon-Menu}}
2. Under the heading '''Configuration, '''select '''Global Settings. '''
:: [[File:Menu and global settings.png|500px|border]]3. Click into the '''Security Settings Explained'''tab.
4. Under the subheading '''Business Security Settings, '''select '''Password and Activation Policies.''' :: [[File:Password and activation policies global settings.png|500px|border]]5. Click into the second tab labelled '''Activation Email Templates. '''Ensure that the '''New User '''and '''Request Password '''templates contain an activation link (which should be denoted as https://@url@@activationlink@), and '''do not '''contain a temporary password, as in the example below: :: [[File:2factor email template.png|500px|border]]6. Save the template and return to the '''General '''tab in '''Password and Activation Policies.''' 7. Scroll until you find the field for '''Password Activation Settings '''- set the '''Activation link life span '''to '''24 hours'''. :: [[File:2factor activation link.png|250px|border]]8. Click '''Save. ''' For the next series of steps, return to the '''2 Factor Authentication''' role page ('''Roles and Security''' > '''User Roles'''). 1. Go into the '''Current Users '''tab from the left-hand side menu. 2. Select one or more users from the '''Current Users '''list by checking the box next to their name; the following buttons will appear: :: [[File:2factor buttons.png|200px|border]]{| class="wikitable"
|-
||
'''Add User(s) Setting'''
||'''+ iconDescription'''
||As mentioned previously, clicking this button will allow you to select from the total list of users in your [[SmartSimple]] [[instance]] to add into this role.
|-
||
'''Remove User(s)'''Enable Multi-Factor Authentication
'''- icon'''||Enables MFA for the entire instance but does not have any impact unless user roles are specified.
||Clicking this button will allow you to remove the selected user(s) from this role.
|-
||
'''Update Geocode'''Roles with Time-based One-time Password (TOTP)
'''reload icon'''||Associates one or more roles with authentication proven through an authenticator App such as Google or Microsoft Authenticator.
||Clicking the''' Update Geocode '''button will allow you to update the geocode (provision of geographical coordinates tied to user's inputted locations). This would be in the use-case of a contact who is using a new mobile device.
|-
||
'''Send Password'''Roles with Verification Code via SMS or Email
'''key icon'''||Associates one or more roles with authentication proved through either Email or an SMS message.
||Clicking this button will allow you to send passwords The user can choose at the point of verification to the selected user(s). This will trigger receive an activation email to containing the user, including their activation link for login. |}3. Click on the '''key icon '''next to '''Send Password '''to one-time-code or an SMS message containing the selected usersone-time code.
==Logging in with Multi-Factor Authentication==<br />Once a user has been re-activated in the system, they should receive SMS must be enabled by SmartSimple and will incur an email with an activation linkadditional cost. The reason that we have re-activated these users is because they were added Please speak to the '''Two Factor Authentication '''role that specifically impacts the login and activation process into your [[SmartSimple]] systemaccount manager for more information.
The activation link their email will direct to a login screen that will display the account activation page. This screen includes fields to create and confirm a new password, CAPTCHA validation if required, and a '''QR code. '''|-||Enable Trusted Device
===Validating the QR Code===||If this is the first time the user has had a code generated then the screen should include a '''QR Code''' that can be scanned using Google Authenticator. The actual authentication code This option is also provided in case there are issues with used to enable the use of Google Authenticatortrusted device feature.
[[Image:EnableTwoFactor 3If this option is selected then every user (via their role) associated with MFA will not be prompted every time they attempt to log into the system.png|500px|border]]
* If the user has an existing QA Code then the user can click a button to generate a new code and re|-sync or can proceed to the login page.||Trusted Device Expiry
Users will then be prompted to enter the one-time code after entering their user name and password. <br />[[Image:EnableTwoFactor3.png|500px|border]] Enter your code including spaces along with your password and click '''Submit.''' Once a user has undergone this last step Sets the frequency of actually scanning the '''QR Code '''and inputting the generated code for authenticationMFA prompt, they have been activated successfully with '''Multi-Factor Authentication '''into your [[SmartSimple]] systembased on the number of days specified.
If the number is set to one, the user will be prompted every day for an MFA verification code, if set to five then the user will be prompted every five days.
|}
==Tips==
* Best practice is to create a '''Multi-Factor Authentication '''role and add this role ''to ''existing users.
* Be aware that this authentication process is a complete change in user experience. We recommend testing in small batches, or on individual users, prior to applying this role to a large group of users.
* When beginning this process, add this role to individual users for testing.
* Codes must include spaces to correctly validate
* Each code must be entered prior to expiry in the Authenticator app.
* In the interest of time, it is best to complete '''CAPTCHA validation''' prior to entering Authenticator code.
* In the event of a user using a new device, the code can be re-generated and an activation email re-sent to the user.
* Ensure that the email templates '''do not '''contain a temporary password - this will interfere with the activation link functionality.
* Make sure to re-save '''Activation link life-span '''to '''24 hours '''during setup to give users a reasonable amount of time to log into the system,
* If both [[Single Sign-On]] and Multi-Factor Authentication are in use, there is a Single Sign-On setting option that will control whether or not Multi-Factor Authentication will be required when a user authenticates via SSO.
==See Also==