Changes

Multi-Factor Authentication

880 bytes added, 15:00, 1 June 2023
=Overview=
'''Multi-Factor Authentication (MFA)''' is a method of authentication in which a user is granted access to your SmartSimple Cloud system only after successfully presenting two or more pieces of evidence to an authentication mechanism.

The security impact of MFA is that while a user might lose their authentication device or get tricked into sharing a username and password, the odds of both happening to a single user are dramatically reduced. Using MFA therefore enhances an organization's security by requiring users to identify themselves with more than their login credentials.
The '''Multi-Factor Authentication '''function provides a second factor - this can be something that someone has (for example, an access card) or some unique property of that person (for example, a fingerprint, or a code sent to a personal mobile device). 
SmartSimple Cloud supports two ways of implementing MFA:
* '''Time-based One-Time Password (TOTP)''' via an authenticator app, which is more secure and suitable for users with increased access such as global administrators or internal staff
* '''Single Use Verification Code''' sent via email or SMS, which is better suited for external users or users who log in infrequently

'''Note:''' MFA and password reset emails are sent from non-production environments as of the March 2023 upgrade. If you wish to add role restrictions for access to your backup environment, the setting is located at '''Menu''' icon > '''Global Settings''' > '''Security''' tab > '''System Feature Permissions''' > '''Feature''' tab > '''Restrict Login to Backup Environment to these Roles'''. When testing MFA and password reset emails on non-production environments, always use a test user and test email.

=Configuration=
To toggle on multi-factor authentication, follow these steps:
:# Navigate to '''Global Settings''' > '''Security''' > '''Password and Activation Policies'''
:# Scroll to '''Authentication Options''' and toggle on '''Enable Multi-Factor Authentication'''
:# Specify the roles that require authentication via TOTP and/or Verification Code. If the same role is added to both methods, only TOTP will be used.
'''<u>NOTE:</u>''' If you select the '''Everyone''' option, you do not need to update this setting when new roles are created.
[[File:Authentication Options.png|thumb|none|800px|Authentication options for time-based one-time passwords (TOTP) and verification codes via email or SMS]]
==Time-Based One-Time Password (TOTP) Implementation==
A time-based one-time password can be generated using an authentication device (such as a mobile phone) in order to allow for an additional security step to authenticate logins.

===Setting up TOTP Multi-Factor Authentication for Specific Roles===
:# In your SmartSimple instance (logged in as Global Admin), go to '''Menu Icon''' > '''Global Settings'''.<br /> [[File:GlobalSettings5.png|thumb|none|800px|The <strong>Global Settings</strong> link under the main menu]]
:# Go to the '''Security''' tab > '''Password and Activation Policies''' > under '''Authentication Options''', toggle on '''Enable Multi-Factor Authentication (MFA)'''.
:# In the setting '''Roles with Time-Based One-Time Password (TOTP)''', include the roles that you want to enable multi-factor authentication for.
:# Toggle on '''Enable Trusted Device''' if you would like users to be able to bypass entering a code for a time period after the code has been successfully entered. If enabled, also enter the time period until the authentication bypass expires.
:# Scroll to the bottom of the page and click '''Save'''.

===Logging in the First Time with TOTP===
In order to use TOTP effectively, users must first download an authenticator application onto their mobile devices. Popular authentication apps include [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_CA&gl=US&pli=1 Google Authenticator], [https://www.microsoft.com/en-us/security/mobile-authenticator-app Microsoft Authenticator], or [https://play.google.com/store/apps/details?id=com.twofasapp 2FAS]. When logging into the system for the first time after TOTP has been activated on the user's role, the user must first follow these steps:
:# If the user has TOTP enabled on their account, they will be presented with the following screen the next time they log in: <br /> [[File:MFASetupTOTP.png|thumb|none|800px|TOTP setup page with instructions]]
:# Follow the instructions listed on the screen. Start by installing an authenticator app on your mobile device.
:# On your mobile device, open the authenticator app and select the option to add a new device or scan a QR code. Each app will have different actions. <br /> [[File:ScanQR.jpg|thumb|none|800px|Interface for Google Authenticator]]
:# The app may prompt you for a QR code or a secret key. Back on your SmartSimple MFA setup page, click the button labeled '''Show TOTP Key and QR Code'''. This will reveal the QR code and secret key used with an authentication app. <br /> [[File:QRandSecretCodeScreen.png|thumb|none|800px|<strong>TOTP QR Code</strong> and <strong>TOTP Secret Key</strong> revealed]]
:# Use the mobile app to scan the QR code or manually enter the secret key into the app. Once complete, a new device will be added to your list in the app.
:# The mobile app will generate a time-based verification code. Enter this code into the field labelled '''Enter Verification Code''' on the setup page.
:# Click '''Submit'''.
===If the Mobile Device Associated with TOTP is Misplaced===
<pre>NOTE: If a mobile device associated with TOTP is misplaced, the TOTP must be reset by a Global Administrator or by a user in a role with the permission to reset the TOTP for other users.</pre>
In the case of a user's device being misplaced, the following steps will allow an internal user in the roles listed above to reset a user's TOTP:
:# Navigate to the profile of the user whose TOTP credentials are to be reset.
:# From the '''Actions''' dropdown, select '''Edit Roles and Access'''.
:# In the following modal window, select the button labeled '''Reset TOTP'''. <br /> [[File:ResetButton.png|thumb|none|800px]]
:# The user may now log in as normal, following the prompts on the subsequent TOTP screen.

===Determining Which Roles Can Reset TOTP===
:# In your SmartSimple instance (logged in as a '''Global Administrator'''), in the '''Main Menu''' select '''Global Settings'''.<br /> [[File:GlobalSettings5.png|thumb|none|800px|The <strong>Global Settings</strong> link under the main menu]]
:# Navigate to the '''Users''' tab and select '''Roles'''.
:# '''Edit''' the role that you would like to grant the ability to reset TOTP on behalf of other users. For security best practice, this role should be an internal role only.
:# Select the '''Permissions''' tab.
:# In the field '''Roles this role can reset TOTP for''', select the other roles that this role can reset TOTP on behalf of. <br /> [[File:RolesTOTPReset.png|thumb|none|800px]]
:# Click '''Save'''.
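The '''Enable Trusted Device''' and '''Trusted Device Expiry''' settings in the TOTP setup steps above let a device skip the code prompt for a set number of days. The following added example, which is not SmartSimple's implementation, shows one defensible way to build such a trust: an HMAC-signed token that binds the user, a random device id and an absolute expiry, so the client cannot stretch its own trust window and a token for one account cannot be replayed against another. The server key, the user ids and the 5-day expiry are assumed values.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

SERVER_KEY = secrets.token_bytes(32)   # constructed per-process key; a real server persists one secret
TRUSTED_DEVICE_EXPIRY_DAYS = 5         # assumed value for the "Trusted Device Expiry" setting
SIG_LEN = 32                           # HMAC-SHA256 output size


def issue_trusted_device_token(user_id: str, now: float,
                               expiry_days: int = TRUSTED_DEVICE_EXPIRY_DAYS,
                               key: bytes = SERVER_KEY) -> str:
    """Issued once the user has entered a valid MFA code on this device. The token binds the
    user, a random device id and an absolute expiry time and is HMAC-signed, so the browser
    cannot extend its own trust window."""
    device_id = secrets.token_hex(8)
    expires_at = int(now) + expiry_days * 86400
    payload = f"{user_id}|{device_id}|{expires_at}".encode("utf-8")
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + sig).decode("ascii")


def parse_trusted_device_token(token: str, key: bytes = SERVER_KEY):
    """Return (user_id, device_id, expires_at) for a correctly signed token, else None."""
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
        payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered
        user_id, device_id, expires_at = payload.decode("utf-8").split("|")
        return user_id, device_id, int(expires_at)
    except ValueError:  # bad base64, bad UTF-8, wrong field count, non-numeric expiry
        return None


def mfa_prompt_required(user_id: str, token: Optional[str], now: float,
                        key: bytes = SERVER_KEY) -> bool:
    """Decide at login whether the code prompt is shown; any doubt means prompting."""
    if not token:
        return True  # device never trusted, or cookie cleared
    parsed = parse_trusted_device_token(token, key)
    if parsed is None:
        return True
    token_user, _device_id, expires_at = parsed
    if token_user != user_id:
        return True  # token was issued for a different account
    if now >= expires_at:
        return True  # trust window elapsed: prompt again, as the Expiry setting intends
    return False


if __name__ == "__main__":
    import time
    t0 = time.time()
    token = issue_trusted_device_token("alice@example.org", t0)  # constructed user
    print("prompt tomorrow:", mfa_prompt_required("alice@example.org", token, t0 + 86400))
    print("prompt in 6 days:", mfa_prompt_required("alice@example.org", token, t0 + 6 * 86400))
```

Keeping the expiry inside the signed payload, rather than in a separate cookie attribute, is the point: a device that edits its own cookie lifetime still gets prompted once the signed timestamp passes.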
==Single-Use Verification Code Implementation==
A single-use verification code is a uniquely generated number that is sent to the user via an email or SMS text. Since verification codes typically expire within a few minutes, each time the user logs into the system they will be prompted for their single-use code.

===Setting up Verification Codes for Email===
<pre>Note: If you are using the SMTP Relay with an IP restriction for sending emails, ensure the IP of your environments (backup, testing, production) is in your IP list. If you need help with identifying the IPs of your environments or have questions, reach out to our support team.</pre>
The easiest way to set up MFA is through the email that was used for user registration and login.
# Go to '''Menu Icon''' > '''Global Settings''' > '''Security''' tab > '''Password and Activation Policies''' and then scroll down to the section marked '''Authentication Options'''.
# Toggle on '''Enable Multi-Factor Authentication'''. You will see additional settings displayed for different authentication methods.
# Under the '''Roles with Verification Code via SMS or Email''' setting, decide which roles need to be authenticated via a verification code sent through the email address used for login. Click the '''Save''' button at the bottom of the page to activate changes.<br /> [[File:2022-11-ticket-139210-3.png|thumb|none|800px|Adding a specific role for SMS or email verification]]
===Logging in with a Verification Code from Email===
When a user has been assigned a role that requires a verification code, they can log in using the following steps:
# When the user logs in using their email and password, they will be taken to a page where they can click a button labelled '''Send Code by Email'''. <br /> [[File:2022-11-ticket-139210-4.png|thumb|none|800px|The multi-factor authentication page lets the user choose between receiving the verification code via email or SMS (if applicable)]]
# They will be prompted to enter a verification code that was sent to their email. <br /> [[File:2022-11-ticket-139210-4a.png|thumb|none|800px|The user will be prompted to enter a verification code sent to their email address]]
# The user must open their email to copy the verification code. <br /> [[File:2022-11-ticket-139210-5.png|thumb|none|800px|A sample email containing a temporary verification code]]
# Enter the verification code into the field and then click '''Submit''' to finish authentication and log in to the system. <br /> [[File:2022-11-ticket-139210-9.png|thumb|none|800px|Entering the temporary verification code into the verification field]]

===Setting up Verification Codes for SMS===
SMS (text messaging) is a paid service that must be enabled for you by SmartSimple. Contact Support or your account representative for more details. SmartSimple will enable SMS services by going to '''Menu Icon''' > '''Global Settings''' > '''Communications''' tab > Toggle on '''Enable SMS Notification'''. Ensure that the target users have an active mobile number filled into this standard field. If the phone number field is empty, users will not be able to receive any SMS messages for login.
[[File:2022-11-ticket-139210-8.png|thumb|none|800px]]

===Logging in with a Verification Code for SMS===
# When the user logs in, they will be presented with the option to receive a verification code via email or through SMS. The user can click '''Send Code by Text Message'''. <br /> [[File:2022-11-ticket-139210-6.png|thumb|none|800px|Users have the option of receiving the code via email or through SMS]]
# The user can check their mobile messages, enter the code into the field, and then click '''Submit''' to finish authentication and log in to the system. <br /> [[File:2022-11-ticket-139210-7.png|thumb|none|800px|Once the verification code has been sent, the user will be prompted to enter the code into the verification field]]
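Both the email and SMS flows above rest on the same server-side behaviour: a code is issued, it is valid for a few minutes, it can be used exactly once, and guessing must be limited. The added Python example below is not SmartSimple's code; it shows that logic with a store that keeps only a salted hash of each code, so a copy of the store does not expose live codes. The five-minute lifetime, the five-attempt limit, the user ids and the manual clock are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 5 * 60   # assumed: "expire within a few minutes"
MAX_ATTEMPTS = 5                 # assumed: wrong guesses tolerated per issued code


class ManualClock:
    """Clock with a settable time, so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class VerificationCodeStore:
    """Issues single-use numeric codes and keeps only a salted hash of each."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._pending = {}  # user_id -> {salt, digest, expires_at, attempts}

    def issue(self, user_id: str) -> str:
        """Create a fresh code for the user; issuing again replaces any earlier code."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[user_id] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires_at": self.clock() + CODE_LIFETIME_SECONDS,
            "attempts": 0,
        }
        return code  # this plaintext goes into the email or SMS and nowhere else

    def verify(self, user_id: str, submitted: str) -> bool:
        """True once, for the correct code, inside its lifetime and attempt budget."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False  # nothing issued, or already consumed
        if self.clock() > entry["expires_at"]:
            del self._pending[user_id]  # expired: the user must request a new code
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]  # guess budget spent: force a new code
            return False
        ok = hmac.compare_digest(entry["digest"], self._digest(entry["salt"], submitted.strip()))
        if ok:
            del self._pending[user_id]  # single use: consumed on success
        return ok

    @staticmethod
    def _digest(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode("utf-8")).digest()


if __name__ == "__main__":
    clock = ManualClock()
    store = VerificationCodeStore(clock)
    code = store.issue("alice@example.org")  # constructed user id
    print("code sent to user:", code)
    print("first use accepted:", store.verify("alice@example.org", code))
    print("second use accepted:", store.verify("alice@example.org", code))
```

The attempt budget matters because a six-digit code has only a million values; without it, a few minutes of automated guessing against the verification field would be a realistic way past the second factor.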
==Bypassing Multi-Factor Authentication for Single Sign-On==
If multi-factor authentication has been enabled, it can be bypassed for users logging in via single sign-on (SSO). To bypass MFA, go to '''Global Settings''' > '''Integrations''' tab > '''Single Sign-On''' > Edit an SSO setting > Toggle on '''Bypass Multi-Factor Authentication (MFA) when logging in with Single Sign-On (SSO)'''.
[[File:SSO-Bypass-MFA.png|thumb|none|800px|Multi-factor authentication can be bypassed in the single sign-on settings]]

==Setting up a Default Email Address==
If you are using SMTP relay and/or have a dedicated instance (your own domain), make sure you have set up the default email address and that the default email address matches your domain. Otherwise your default email address should be set to '''donotreply@smartsimplemailer.com'''. Follow these steps to set up a default email address:
# Go to '''Menu''' icon > '''Global Settings''' > '''Communications''' tab
# Click '''Email Options and Security'''
# Toggle on '''Enable Default From Address'''
# Enter your desired '''From Address'''
# Click '''Save'''
[[File:default-email.png|thumb|none|800px|Set up a default email address to help ensure that verification emails do not get blocked by the SMTP relay]]
=Settings Explained=
{| class="wikitable"
|-
||'''Setting'''
||'''Description'''
|-
||'''Enable Multi-Factor Authentication'''
||Enables MFA for the entire instance but does not have any impact unless user roles are specified.
|-
||'''Roles with Time-based One-time Password (TOTP)'''
||Associates one or more roles with authentication proven through an authenticator app such as Google or Microsoft Authenticator.
|-
||'''Roles with Verification Code via SMS or Email'''
||Associates one or more roles with authentication proved through either email or an SMS message. The user can choose at the point of verification to receive an email containing the one-time code or an SMS message containing the one-time code. SMS must be enabled by SmartSimple and will incur an additional cost. Please speak to Support or your account manager for more information.
|-
||'''Enable Trusted Device'''
||This option is used to bypass MFA authentication for specific roles on specific devices. This would be in the use-case of a contact who is using a new mobile device.
|-
||'''Trusted Device Expiry'''
||Sets the frequency of the MFA prompt, based on the number of days specified. If the number is set to one, the user will be prompted every day for an MFA verification code. If it is set to five, then the user will be prompted every five days.
|}

==Activating Users with Multi-Factor Authentication==
After you have both added a '''2 Factor Authentication''' role and added '''Users''' into that role, the next step is to activate those users. First, update the '''Activation Email Template''' in your [[SmartSimple]] system.

1. Click on the 9-square menu icon on the top right of the page.

:: {{Icon-Menu}}

2. Under the heading '''Configuration''', select '''Global Settings'''.
:: [[File:Menu and global settings.png|500px|border]]
3. Click into the '''Security '''tab. 
 
4. Under the subheading '''Business Security Settings, '''select '''Password and Activation Policies.'''
 
:: [[File:Password and activation policies global settings.png|500px|border]]
5. Click into the second tab labelled '''Activation Email Templates. '''Ensure that the '''New User '''and '''Request Password '''templates contain an activation link (which should be denoted as https://@url@@activationlink@), and '''do not '''contain a temporary password, as in the example below: 
 
:: [[File:2factor email template.png|500px|border]]
6. Save the template and return to the '''General '''tab in '''Password and Activation Policies.'''
 
7. Scroll until you find the field for '''Password Activation Settings '''- set the '''Activation link life span '''to '''24 hours'''.
 
:: [[File:2factor activation link.png|250px|border]]
8. Click '''Save. '''
 
For the next series of steps, return to the '''2 Factor Authentication''' role page ('''Roles and Security''' > '''User Roles''').
 
1. Go into the '''Current Users '''tab from the left-hand side menu.
 
2. Select one or more users from the '''Current Users '''list by checking the box next to their name; the following buttons will appear: 
 
:: [[File:2factor buttons.png|200px|border]]
{| class="wikitable"
|-
||'''Add User(s)'''
'''+ icon'''
||As mentioned previously, clicking this button will allow you to select from the total list of users in your [[SmartSimple]] [[instance]] to add into this role.
|-
||'''Remove User(s)'''
'''- icon'''
||Clicking this button will allow you to remove the selected user(s) from this role.
|-
||'''Update Geocode'''
'''reload icon'''
||Clicking the '''Update Geocode''' button will allow you to update the geocode (provision of geographical coordinates tied to the user's inputted locations).
|-
||'''Send Password'''
'''key icon'''
||Clicking this button will allow you to send passwords to the selected user(s). This will trigger an activation email to the user, including their activation link for login.
|}
3. Click on the '''key icon '''next to '''Send Password '''to the selected users. 
 
==Logging in with Multi-Factor Authentication==
Once a user has been re-activated in the system, they should receive an email with an activation link. The reason that we have re-activated these users is because they were added to the '''Two Factor Authentication '''role that specifically impacts the login and activation process into your [[SmartSimple]] system. 
 
The activation link in their email will direct to a login screen that displays the account activation page. This screen includes fields to create and confirm a new password, CAPTCHA validation if required, and a '''QR code'''.
 
===Validating the QR Code===
If this is the first time the user has had a code generated then the screen should include a '''QR Code''' that can be scanned using Google Authenticator. The actual authentication code is also provided in case there are issues with the use of Google Authenticator.
 
[[Image:EnableTwoFactor 3.png|500px|border]]
 
* If the user has an existing QR code, the user can click a button to generate a new code and re-sync, or can proceed to the login page.
 
Users will then be prompted to enter the one-time code after entering their user name and password. <br />
[[Image:EnableTwoFactor3.png|500px|border]]
 
Enter your code including spaces along with your password and click '''Submit.'''
 
Once a user has undergone this last step of actually scanning the '''QR Code '''and inputting the generated code for authentication, they have been activated successfully with '''Multi-Factor Authentication '''into your [[SmartSimple]] system. 
 
 
 
==Tips==
* Best practice is to create a '''Multi-Factor Authentication '''role and add this role ''to ''existing users.
* Be aware that this authentication process is a complete change in user experience. We recommend testing in small batches, or on individual users, prior to applying this role to a large group of users.
* When beginning this process, add this role to individual users for testing.
* Codes must include spaces to correctly validate.
* Each code must be entered prior to expiry in the Authenticator app.
* In the interest of time, it is best to complete '''CAPTCHA validation''' prior to entering Authenticator code. 
* In the event of a user using a new device, the code can be re-generated and an activation email re-sent to the user.
* Ensure that the email templates '''do not '''contain a temporary password - this will interfere with the activation link functionality. 
* Make sure to re-save '''Activation link life-span''' to '''24 hours''' during setup to give users a reasonable amount of time to log into the system.
* If both [[Single Sign-On]] and Multi-Factor Authentication are in use, there is a Single Sign-On setting option that will control whether or not Multi-Factor Authentication will be required when a user authenticates via SSO.
 
=See Also=
* [[User Role]]s
[[Category:Security]]