=Overview=
When using '''Multi-Factor Authentication''', each new user can use the Google Authenticator app to obtain one-time passwords, which are calculated by time-based and/or event-based algorithms.
Most websites that a user can log into require a username and password, both "known" by the individual in order to log in. In short, this means that anyone who knows the correct username and password combination for a unique account can log into that account; thus, there is very little that can be done to verify that the individual logging in is actually the individual who owns the account.
The '''Multi-Factor Authentication''' function provides a second factor - this can be something that someone has (for example, an access card) or some unique property of that person (for example, a fingerprint, or a code sent to a personal mobile device).
The security impact of '''Multi-Factor Authentication''' is that while a user may lose an access card or get duped into sharing a password, the odds of both happening to a single user are dramatically reduced. Using '''Multi-Factor Authentication''' therefore enhances an organization's ability to ensure that no one is using illegitimate means to gain access.
'''Multi-Factor Authentication''' is a required component of maintaining [[SmartSimple]]'s SOC2 security status. SmartSimple supports two different '''Multi-Factor Authentication''' approaches:
* '''TOTP''' ([https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm Time-based One-Time Password]) - this technique uses an authentication app that is installed on a mobile phone
<pre>This article deals specifically with the TOTP protocol. To learn more about the RSA Disconnected Token protocol and its related costs, please contact your account manager. </pre>
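The following is an added example, not SmartSimple's code: it shows how an authenticator app and a server derive the same TOTP code from a shared secret (RFC 6238, built on the event-based HOTP of RFC 4226), and how a verifier can tolerate clock drift while rejecting a replayed code. The function names, the 6-digit/30-second/SHA-1 parameters, the one-step drift window and the space-stripping are assumptions; the secret is the published RFC test secret.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the RFC 4226/6238 test secret, base32-encoded the way
# an authenticator app receives it from a QR code.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32: str) -> bytes:
    """Decode the base32 shared secret (spaces and lower case tolerated)."""
    return base64.b32decode(b32.replace(" ", "").upper())


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(at // step), digits)


def verify(secret: bytes, submitted: str, at: float, step: int = 30,
           window: int = 1, last_counter: int = -1, digits: int = 6):
    """Return the matching time-step counter, or None if the code is rejected.

    Accepts codes from +/- `window` steps to absorb clock drift. Any counter
    at or below `last_counter` is refused, so a code cannot be used twice;
    the caller stores the returned counter after a successful login.
    """
    code = submitted.replace(" ", "")  # assumption: app shows "287 082"
    if len(code) != digits or not (code.isascii() and code.isdigit()):
        return None
    now = int(at // step)
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None
```
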
==Prerequisites==
In order to configure '''Multi-Factor Authentication''', you will need to have the following:
* [[Global User Administrator|System Administrator]] access - your [[User|user]] [[User Role|role]] in your [[SmartSimple]] [[instance]] must be '''System Administrator.'''
* Access to a mobile device with a two-factor authentication tool installed, such as Duo or Google Authenticator (available in Google Play and App Store). If you have not already downloaded an authentication app onto your mobile device, please do so prior to following the steps in the rest of the article.
==Configuring a Role to Use Multi-Factor Authentication==
'''Multi-Factor Authentication''' is configured by [[User Role]]. As a best practice, it is recommended to create '''Multi-Factor Authentication''' as a new, dedicated role and add it to the existing users. While '''Multi-Factor Authentication''' can be added to an existing role, it is not recommended because it will become more complex to manage. <br />For roles that have this feature enabled, the use of '''Multi-Factor Authentication''' becomes mandatory. This involves a drastic change in user experience, so SmartSimple recommends that this action be rolled out to users in small groups at the beginning of the process.
The first step of the implementation process is to create this role in your [[SmartSimple]] [[instance]].
Follow the steps below in order to configure a [[User Role|user role]] to use '''Multi-Factor Authentication''':
1. Click on the 9-square menu icon on the top right of your page.
:: [[File:2factor current users list.png|700px|border]]
==Activating Users with Multi-Factor Authentication==
After you have both added a '''2 Factor Authentication '''role and added '''Users '''into that role, the next step is to activate those users.
3. Click on the '''key icon '''next to '''Send Password '''to the selected users.
==Logging in with Multi-Factor Authentication==
Once a user has been re-activated in the system, they should receive an email with an activation link. These users were re-activated because they were added to the '''Two Factor Authentication''' role, which specifically impacts the login and activation process into your [[SmartSimple]] system.
Enter your code including spaces along with your password and click '''Submit.'''
Once a user has completed this last step of scanning the '''QR Code''' and entering the generated code for authentication, they have been activated successfully with '''Multi-Factor Authentication''' in your [[SmartSimple]] system.
==Tips==
* Best practice is to create a '''Multi-Factor Authentication''' role and add this role ''to'' existing users.
* Be aware that this authentication process is a complete change in user experience. We recommend testing in small batches, or on individual users, prior to applying this role to a large group of users.
* When beginning this process, add this role to individual users for testing.
* Ensure that the email templates '''do not '''contain a temporary password - this will interfere with the activation link functionality.
* Make sure to re-save '''Activation link life-span''' to '''24 hours''' during setup to give users a reasonable amount of time to log into the system.
* If both [[Single Sign-On]] and Multi-Factor Authentication are in use, there is a Single Sign-On setting option that will control whether or not Multi-Factor Authentication will be required when a user authenticates via SSO.
==See Also==