Smartstaff
2,091
edits
Changes
m
<strongpre>NOTE:</strong> If a mobile device associated with TOTP is misplaced, the TOTP must be reset by a Global Administrator or by a user in a role with the permission to reset the TOTP for other user roles.</pre>
→Overview
=Overview=
'''Multi-Factor Authentication(MFA)''' is a method of authentication in which a user is granted access to your SmartSimple Cloud system only after successfully presenting two or more pieces of evidence to an authentication mechanism.
The security impact of '''Multi-Factor Authentication (MFA)''' is MFA is that while a user might lose their authentication device or get tricked into sharing a password, the odds of both happening to a single user are dramatically reduced. Using MFA therefore enhances an organization's security by requiring users to identify themselves with more than their login credentials.
SmartSimple Cloud supports two ways of implementing '''Multi-Factor Authentication'''implementing MFA:
* '''Time-based One-Time Password (TOTP) '''via an authenticator app, which is more secure and suitable for users with increased access such as global administrators or internal staff
* '''Single Use Verification Code '''sent via email or SMS, which is better suited for external users or users who login infrequently infrequently '''Note:''' MFA and password reset emails are sent from non-production environments as of the March 2023 upgrade. If you wish to add role restrictions for access to your backup environment, the setting is located at '''Menu''' icon > '''Global Settings''' > '''Security '''tab > '''System Feature Permissions''' > '''Feature''' tab > '''Restrict Login to Backup Environment to these Roles'''. When testing MFA and password reset emails on non-production environments, always use a test user and test email.
=Configuration=
:# Specify the roles that require authentication via TOTP and/or Verification Code. If the same role is added to both methods, only TOTP will be used.
'''<u>NOTE:</u>''' If you select the '''Everyone''' option , you do not need to update this setting when new roles are added created.
===If the Mobile Device Associated with TOTP is Misplaced===
In the case of a user's device being misplaced, the following steps will allow an internal user in the roles listed above to reset a user's TOTP:
===Setting up Verification Codes for Email===
<pre>Note: If you are using the SMTP Relay with an IP restriction for sending emails, ensure the IP of your environments (backup, testing, production) is in your IP list. If you need to help with identifying the IPs of your environments or have questions, reach out to our support team.</pre>
The easiest way to set up MFA is through the email that was used for user registration and login.
When a user has been assigned a role that requires a verification code, they can login using the following steps:
# When the user logs in using their email and password, they will be taken to a page where they can click a button labelled '''Send Code by Email.'''# They will be prompted to enter a verification code that was sent to their email.<br /> [[File:2022-11-ticket-139210-4.png|thumb|none|800px| The multi-factor authentication page lets the user choose between receiving the verification code via email or SMS (if applicable)]]# They will be prompted to enter a verification code that was sent to their email. <br /> [[File:2022-11-ticket-139210-4a.png|thumb|none|800px| The user will be prompted to enter a verifcation code sent to their email address]]
# The user must open their email to copy the verification code. <br /> [[File:2022-11-ticket-139210-5.png|thumb|none|800px| A sample email containing a temporary verification code]]
# Enter the verification code into the field and then click '''Submit''' to finish authentication and log in to the system. <br /> [[File:2022-11-ticket-139210-9.png|thumb|none|800px| Entering the temporary verification code into the verification field]]
If multi-factor authentication has been enabled, it can be bypassed for users logging in via single sign-on (SSO). To bypass MFA, go to '''Global Settings''' > '''Integrations''' tab > '''Single Sign-On''' > Edit an SSO setting > Toggle on '''Bypass Multi-Factor Authentication (MFA) when logging in with Single Sign-On (SSO)'''.
[[File:SSO-Bypass-MFA.png|thumb|none|800px| Multi-factor authentication can be bypassed in the single sign-on settings]]
==Setting up a Default Email Address==
If you are using SMTP relay and/or have a dedicated instance (your own domain), make sure you have set up the default email address and that the default email address matches your domain. Otherwise your default email address should be set to '''donotreply@smartsimplemailer.com'''. Follow these steps to set up a default email address:
# Go to '''Menu''' icon > '''Global Settings''' > '''Communications''' tab
# Click '''Email Options and Security'''
# Toggle on '''Enable Default From Address'''
# Enter your desired '''From Address'''
# Click '''Save'''
[[File:default-email.png|thumb|none|800px|Set up a default email address to help ensure that verification emails do not get blocked by the SMTP relay]]
=Settings Explained=