Changes

'''Multi-Factor Authentication(MFA)''' is a method of authentication in which a user is granted access to your SmartSimple Cloud system only after successfully presenting two or more pieces of evidence to an authentication mechanism.

The security impact of '''Multi-Factor Authentication (MFA)''' is MFA is that while a user may might lose an access card their authentication device or get tricked into sharing a password, the odds of both happening to a single user are dramatically reduced. Using MFA therefore enhances an organization's ability to ensure that no one is using illegitimate means security by requiring users to gain accessidentify themselves with more than their login credentials. 

SmartSimple Cloud supports two different approaches to '''Multi-Factor Authentication'''ways of implementing MFA:

* '''Time-based One-Time Password (TOTP) ''' via via an authenticator app., which is more secure and suitable for users with increased access such as global administrators or internal staff* '''Single Use Verification Code '''sent via email or SMS, which is better suited for external users or users who login infrequently

'''Note:: No additional configuration steps required ''' MFA and password reset emails are sent from non-production environments as of the March 2023 upgrade. If you wish to add role restrictions for this type of access to your backup environment, the setting is located at '''Menu''' icon > '''Global Settings''' > '''Security '''tab > '''System Feature Permissions''' > '''Feature''' tab > '''Restrict Login to Backup Environment to these Roles'''. When testing MFAand password reset emails on non-production environments, always use a test user and test email. =Configuration - Essentials=All settings related to multiTo toggle on multi-factor authentication are in a single locationauthentication, follow these steps:

:# Specify the roles that require authentication via TOTP and/or Verification Code. If the same role is added to both methods, only TOTP will be used.         '''<u>NOTE:</u>''' If you select the '''Everyone''' option, you do not need to update this setting when new roles are created.   [[File:Authentication Options.png|thumb|none|800px|Authentication options for time-based one-time passwords (TOTP) and verification codes via email or SMS]] ==Time-Based One-Time Password (TOTP) Implementation==A time-based one-time password can be generated using an authentication device (such as a mobile phone) in order to allow for an additional security step to authenticate logins. ===Setting up TOTP Multi-Factor Authentication for Specific Roles===:# In your SmartSimple instance (logged in as Global Admin), go to''' Menu Icon''' > '''Global Settings'''.<br /> [[File:GlobalSettings5.png|thumb|none|800px|The <strong>Global Settings</strong> link under the main menu]]:# Go to the Security tab > '''Password and Activation Policies > '''Under “Authentication Options”, toggle on '''Enable Multi-Factor Authentication (MFA)'''.:# In the setting '''Roles with Time-Based One-Time Password (TOTP),''' include the roles that you want to enable multi-factor authentication for.:# Toggle on '''Enable Trusted Device''' if you would like users to be able to bypass entering a code for a time period after the code has been successfully entered. If enabled, also enter the time period until the authentication bypass expires.:# Scroll to the bottom of the page and click '''Save'''.

        '''<u>NOTE===Logging in the First Time with TOTP===In order to use TOTP effectively, users must first download an authenticator application onto their mobile devices. Popular authentication apps include [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_CA&gl=US&pli=1 Google Authenticator], [https://www.microsoft.com/en-us/security/mobile-authenticator-app Microsoft Authenticator], or [https:</u>''' If new roles are added to /play.google.com/store/apps/details?id=com.twofasapp 2FAS].When logging into the systemfor the first time after TOTP has been activated on the user's role, the MFA configuration user must also be updated first follow these steps:

:# Navigate to the user's profile who wishes to have TOTP credentials reset.:# From the '''Actions''' dropdown, select '''Edit Roles and Access'''.:# In the following modal window, select the button labeled '''Reset TOTP'''. <br /> [[File:ResetButton.png|thumb|none|800px]]:# The user may now login as normal, following the prompts on the subsequent '''Set Up Multi-Factor Authentication Options''' screen. ===Determining Which Roles Can Reset TOTP===:# In your SmartSimple instance (logged in as a '''Global Administrator''') in the '''Main Menu''', select '''Global Settings'''.<br /> [[File:GlobalSettings5.png|thumb|none|800px|Authentication OptionsThe <strong>Global Settings</strong> link under the main menu]]:# Navigate to the '''Users''' tab and click '''Roles'''.:# '''Edit''' the role that you would like to grant the ability to reset TOTP on behalf of other users. For security best practice, this role should be an internal role only.:# Select the '''Permissions''' tab.:# In the field '''Roles this role can reset TOTP for''', select the other roles that this role can reset TOTP on behalf of. <br /> [[File:RolesTOTPReset.png|thumb|none|800px]]:# Click '''Save'''. ==Single-Use Verification Code Implementation==A single-use verification code is a uniquely generated number that is sent to the user via an email or SMS text. Since verification codes typically expire within a few minutes, each time the user logs into the system, they will be prompted for their single-use code.

<pre>Note: If you are using the SMTP Relay with an IP restriction for sending emails, ensure the IP of your environments (backup, testing, production) is in your IP list. If you need to help with identifying the IPs of your environments or have questions, reach out to our support team.</pre> The easiest way to set up MFA is through the email that was used for user registration and login. Be sure to follow the instructions carefully to avoid accidentally locking yourself or others out of their accounts.

# Under the '''Roles with Verification Code via SMS or Email''' setting, you will need to decide which roles need to be authenticated via a verification code sent through the email address used for login. Ensure that users assigned to this role have not opted out of receiving system emails. Click the '''Save''' button at the bottom of the page to activate changes.<br /> [[File:2022-11-ticket-139210-3.png|thumb|none|500px800px| Adding a specific role for SMS or email verification]] 

# When the user logs in using their email and password, they will be taken to a page where they can click a button labelled '''Send Code by Email.''' <br /> [[File:2022-11-ticket-139210-4.png|thumb|none|800px| The multi-factor authentication page lets the user choose between receiving the verification code via email or SMS (if applicable)]]# They will be prompted to enter a verification code that was sent to their email. <br /> [[File:2022-11-ticket-139210-44a.png|thumb|none|500px800px| The user will be prompted to enter a verifcation code sent to their email address]]# The user can check must open their email to copy the verification numbercode. <br /> [[File:2022-11-ticket-139210-5.png|thumb|none|500px800px| A sample email containing a temporary verification code]]# Enter the verification code into the field and then click '''Submit''' to finish authenticated loginauthentication and log in to the system. <br /> [[File:2022-11-ticket-139210-9.png|thumb|none|800px| Entering the temporary verification code into the verification field]]

In order SMS (text messaging) is paid service that must be enabled for users to receive SMS messages, a you by SmartSimple. Contact Support or your account representative for more details. SmartSimple administrator must first will enable SMS services by going to '''Menu Icon''' > '''Global Settings''' > '''Communications''' tab > Toggle on '''Enable SMS Notification'''. Ensure that the target users have an active mobile number filled into this standard field. If the phone number field is empty, users will not be able to receive any SMS messages for login and may be locked out of their accounts once activated. [[File:2022-11-ticket-139210-8.png|thumb|none|500px800px]]

# When the user logs in, they will be presented with the option to receive a verification code via email (if available) or through SMS. The user can click '''Send Code by Text Message'''. <br /> [[File:2022-11-ticket-139210-6.png|thumb|none|500px800px| Users have the option of receiving the code via email or through SMS]]# The user can check their mobile messages, enter the code into the field, and then click '''Submit''' to finish authenticated loginauthentication and log in to the system. <br /> [[File:2022-11-ticket-139210-7.png|thumb|none|500px]] =Configuration - Advanced====Setting up a Time-Based One-Time Password (TOTP) For Existing Users=== <strong>NOTE:</strong> Before enabling MFA for use with TOTP, all existing users with roles intended for TOTP must first scan their <strong>TOTP Secret Key</strong> or <strong>TOTP QR Code</strong> into an authenticator app.In order to use TOTP effectively, users must first download an authenticator application onto their mobile devices. Popular authentication apps include [https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2&hl=en_CA&gl=US&pli=1 Google Authenticator], [https://www.microsoft.com/en-us/security/mobile-authenticator-app Microsoft Authenticator], or [https://play.google.com/store/apps/details?id=com.twofasapp 2FAS]. 800px| Once downloaded, the following steps will allow the user to sync their SmartSimple account with their mobile authentication application: :# Go to '''User Menu''' > '''Personal Settings''' <br /> [[Image:PersonalSettingsUserMenu.png|200px]]:# Select the '''Security''' tab in the following modal window. <br /> [[Image:MFAQR.png|500px]]:# On your mobile device, open the authenticator app and select “Add new device” or similar. Then select “Scan QR Code” or similar. <br /> [[Image:ScanQR.jpg|500px]]:# Using the scanner within the mobile app, scan the '''TOTP QR Code''' found under your '''Personal Settings'''.:# A new device should be added to your list. Alternatively, you could also use the '''TOTP Secret Key''' as opposed to the '''TOTP QR Code'''.:# In your SmartSimple instance, in the '''Configuration Menu''' (9-Square Grid Icon), select '''Global Settings'''.<br /> [[Image:GlobalSettings5.png|250px]]:# Select the '''Security''' Tab from the Global Settings.:# Click '''Password and Activation Policies'''.:# Under “Authentication Options”, toggle on '''Enable Multi-Factor Authentication (MFA)'''.:# In the setting '''Roles with Time-Based One-Time Password (TOTP)''' include the roles that you will be adding 2-Factor Authentication for. Note that the existing users in these roles must first scan the QR Code on their mobile device before this setting should be toggled on.:# Toggle on '''Enable Trusted Device''' if you would like users to be able to bypass entering a code for a time period after the verification code has been successfully entered. If enabledsent, also enter the time period that the 2-Factor Authentication user will be bypassed for trusted users.:# Scroll prompted to enter the bottom of the page and click '''Save'''.:# To test your MFA, log out of your account, and then log back in. You should now see a page following login called “Multi-Factor Authentication.” Enter the password in the Authenticator app here, and access will be granted code into the system. <br /> [[Image:MFAScreen.png|500pxverification field]]

===Logging in the First Time with TOTP Bypassing Multi-Factor Authentication for Existing Users=Single Sign-On==:# From the login screen select the "Forgot Password" link and enter the email used If multi-factor authentication has been enabled, it can be bypassed for users logging in via single sign-on (SSO). To bypass MFA, go to login to your system'''Global Settings''' > '''Integrations''' tab > '''Single Sign-On''' > Edit an SSO setting > Toggle on '''Bypass Multi-Factor Authentication (MFA) when logging in with Single Sign-On (SSO)'''.[[File:# In the email received select the activation link:# You will SSO-Bypass-MFA.png|thumb|none|800px| Multi-factor authentication can be taken to bypassed in the following screen:single sign-on settings]]

[[Image==Setting up a Default Email Address==If you are using SMTP relay and/or have a dedicated instance (your own domain), make sure you have set up the default email address and that the default email address matches your domain. Otherwise your default email address should be set to '''donotreply@smartsimplemailer.com'''. Follow these steps to set up a default email address:AccountActivationTOTP.png|500px]]

[[File:* Enter in your new password and use the steps in the previous section above default-email.png|thumb|none|800px|Set up a default email address to link to your authenticator app using help ensure that verification emails do not get blocked by the QR code at this time before submitting.SMTP relay]]

Associates one or more roles with authentication proved through either email or an SMS message. The user can choose at the point of verification to receive an email containing the one-time-code or an SMS message containing the one-time code. SMS must be enabled by SmartSimple and will incur an additional cost. Please speak to Support or your account manager for more information.

This option is used to enable the trusted device feature. If this option is selected then every user (via their role) associated with bypass MFA will not be prompted every time they attempt to log into the systemauthentication for specific roles on specific devices. 

Sets the frequency of the MFA prompt, based on the number of days specified. If the number is set to one, the user will be prompted every day for an MFA verification code, if . If its set to five , then the user will be prompted every five days.