Changes

Multi-Factor Authentication

1,711 bytes added, 15:00, 1 June 2023
=Overview=
'''Multi-Factor Authentication (MFA)''' is a method of authentication in which a user is granted access to your SmartSimple Cloud system only after successfully presenting two or more pieces of evidence to an authentication mechanism.
The security impact of MFA is that while a user might lose their authentication device or get tricked into sharing a password, the odds of both happening to a single user are dramatically reduced. Using MFA therefore enhances an organization's security by requiring users to identify themselves with more than their login credentials.
SmartSimple Cloud supports two ways of implementing MFA:
* '''Time-based One-Time Password (TOTP)''' via an authenticator app, which is more secure and suitable for users with increased access such as global administrators or internal staff
* '''Single Use Verification Code''' sent via email or SMS, which is better suited for external users or users who log in infrequently

'''Note:''' MFA and password reset emails are sent from non-production environments as of the March 2023 upgrade. If you wish to add role restrictions for access to your backup environment, the setting is located at '''Menu''' icon > '''Global Settings''' > '''Security''' tab > '''System Feature Permissions''' > '''Feature''' tab > '''Restrict Login to Backup Environment to these Roles'''. When testing MFA and password reset emails on non-production environments, always use a test user and test email.
=Configuration=
To toggle on multi-factor authentication, follow these steps:
:# Navigate to '''Global Settings''' > '''Security''' > '''Password and Activation Policies'''
:# Scroll to''' Authentication Options''' and toggle on '''Enable Multi-Factor Authentication'''
:# Specify the roles that require authentication via TOTP and/or Verification Code. If the same role is added to both methods, only TOTP will be used.
:#: '''<u>NOTE:</u>''' If you select the '''Everyone''' option, you do not need to update this setting when new roles are added to the system; otherwise the MFA configuration must also be updated when new roles are created.
:# Follow the instructions listed on the screen. Start by installing an authenticator app on your mobile device. 
:# On your mobile device, open the authenticator app and select the option to add a new device or scan a QR code. Each app will have different actions. <br /> [[File:ScanQR.jpg|thumb|none|800px| Interface for Google Authenticator]]
:# The app may prompt you for a QR code or a setup secret key. Back on your SmartSimple MFA setup page, click the button labeled '''Show TOTP Key and QR Code'''. This will reveal the QR and secret key used with an authentication app. <br /> [[File:QRandSecretCodeScreen.png|thumb|none|800px|<strong>TOTP QR Code</strong> and <strong>TOTP Secret Key</strong> revealed]]
:# Use the mobile app to scan the QR code or manually enter the secret key into the app. Once complete, a new device will be added to your list in the app. 
:# The mobile app will generate a time-based verification code. Enter this code into the field labelled '''Enter Verification Code''' on the setup page. 
===If the Mobile Device Associated with TOTP is Misplaced===
<pre>NOTE: If a mobile device associated with TOTP is misplaced, the TOTP must be reset by a Global Administrator or by a user in a role with the permission to reset the TOTP for other user roles.</pre>
In the case of a user's device being misplaced, the following steps will allow an internal user in the roles listed above to reset a user's TOTP:
===Setting up Verification Codes for Email===
<pre>Note: If you are using the SMTP Relay with an IP restriction for sending emails, ensure the IPs of your environments (backup, testing, production) are in your IP list. If you need help identifying the IPs of your environments or have questions, reach out to our support team.</pre>
The easiest way to set up MFA is through the email address that was used for user registration and login. Be sure to follow the instructions carefully to avoid accidentally locking yourself or others out of their accounts.
# Go to '''Menu Icon''' > '''Global Settings''' > '''Security''' tab > '''Password and Activation Policies''' and then scroll down to the section marked '''Authentication Options'''.
# Toggle on '''Enable Multi-Factor Authentication'''. You will see additional settings displayed for different authentication methods. 
# Under the '''Roles with Verification Code via SMS or Email''' setting, you will need to decide which roles need to be authenticated via a verification code sent through the email address used for login. Click the '''Save''' button at the bottom of the page to activate changes.<br /> [[File:2022-11-ticket-139210-3.png|thumb|none|800px| Adding a specific role for SMS or email verification]]
===Logging in with a Verification Code from Email===
When a user has been assigned a role that requires a verification code, they can login using the following steps:
# When the user logs in using their email and password, they will be taken to a page where they can click a button labelled '''Send Code by Email'''. <br /> [[File:2022-11-ticket-139210-4.png|thumb|none|800px| The multi-factor authentication page lets the user choose between receiving the verification code via email or SMS (if applicable)]]
# They will be prompted to enter a verification code that was sent to their email. <br /> [[File:2022-11-ticket-139210-4a.png|thumb|none|800px| The user will be prompted to enter a verification code sent to their email address]]
# The user must open their email to copy the verification code. <br /> [[File:2022-11-ticket-139210-5.png|thumb|none|800px| A sample email containing a verification code]]
# Enter the verification code into the field and then click '''Submit''' to finish authentication and log in to the system. <br /> [[File:2022-11-ticket-139210-9.png|thumb|none|800px| Entering the verification code into the verification field]]
===Setting up Verification Codes for SMS===
===Logging in with a Verification Code from SMS===
# When the user logs in, they will be presented with the option to receive a verification code via email or through SMS. The user can click '''Send Code by Text Message'''. <br /> [[File:2022-11-ticket-139210-6.png|thumb|none|800px| Users have the option of receiving the code via email or through SMS]]
# The user can check their mobile messages, enter the code into the field, and then click '''Submit''' to finish authentication and log in to the system. <br /> [[File:2022-11-ticket-139210-7.png|thumb|none|800px| Once the verification code has been sent, the user will be prompted to enter the code into the verification field]]
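The email and SMS login flows above both rely on the server issuing a code that is valid once, for a short time, and for a limited number of guesses. The following Python is an added example written for this page, not SmartSimple's code; the store, the 10-minute lifetime, the five-attempt cap, the pepper value and the class and method names are constructed assumptions. It shows the properties a single-use verification code needs so that a code read from a shared inbox or guessed by an attacker has as little value as possible.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 600   # assumed lifetime of a code (10 minutes)
MAX_ATTEMPTS = 5         # assumed cap on wrong guesses per issued code


@dataclass
class PendingCode:
    code_hash: bytes     # only an HMAC of the code is stored, never the code itself
    issued_at: float
    attempts: int = 0
    used: bool = False


class VerificationCodeStore:
    """Constructed model of a server-side single-use verification code store."""

    def __init__(self, pepper: bytes, clock=time.time):
        self._pepper = pepper      # server-side secret so a leaked table cannot be reversed
        self._clock = clock        # injectable for testing expiry
        self._pending = {}         # user_id -> PendingCode

    def _hash(self, user_id: str, code: str) -> bytes:
        return hmac.new(self._pepper, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh 6-digit code from a CSPRNG; issuing again replaces the old one."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user_id] = PendingCode(self._hash(user_id, code), self._clock())
        return code  # delivered out of band (email/SMS); not retained in clear text

    def verify(self, user_id: str, submitted: str) -> bool:
        """Accept a code at most once, only while unexpired and under the attempt cap."""
        entry = self._pending.get(user_id)
        if entry is None or entry.used:
            return False
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[user_id]          # expired: force a new code
            return False
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]          # too many guesses: force a new code
            return False
        entry.attempts += 1
        if hmac.compare_digest(self._hash(user_id, submitted.strip()), entry.code_hash):
            entry.used = True
            del self._pending[user_id]          # single use: consumed on success
            return True
        return False
```

Three details carry the security value: the code comes from `secrets` rather than a general-purpose random generator, the attempt cap keeps a six-digit space from being brute-forced during the lifetime, and successful verification deletes the entry so the same code cannot be submitted twice.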
==Bypassing Multi-Factor Authentication for Single Sign-On==
If multi-factor authentication has been enabled, it can be bypassed for users logging in via single sign-on (SSO). To bypass MFA, go to '''Global Settings''' > '''Integrations''' tab > '''Single Sign-On''' > Edit an SSO setting > Toggle on '''Bypass Multi-Factor Authentication (MFA) when logging in with Single Sign-On (SSO)'''.
[[File:SSO-Bypass-MFA.png|thumb|none|800px| Multi-factor authentication can be bypassed in the single sign-on settings]]
 
==Setting up a Default Email Address==
If you are using SMTP relay and/or have a dedicated instance (your own domain), make sure you have set up the default email address and that the default email address matches your domain. Otherwise your default email address should be set to '''donotreply@smartsimplemailer.com'''. Follow these steps to set up a default email address:
 
# Go to '''Menu''' icon > '''Global Settings''' > '''Communications''' tab
# Click '''Email Options and Security'''
# Toggle on '''Enable Default From Address'''
# Enter your desired '''From Address'''
# Click '''Save'''
 
 
[[File:default-email.png|thumb|none|800px|Set up a default email address to help ensure that verification emails do not get blocked by the SMTP relay]]
=Settings Explained=
This option is used to bypass MFA for specific roles on specific devices.
Smartstaff