Administrator users can configure and control this feature both globally in their System Settings and per user role using the “Additional Security” field, according to their organisation’s policy. Current clients can opt out prior to Monday 03 July 2023 by switching off the “Additional Sign-in Security” field in their system settings.
MFA enforcement will also apply to aXcelerate’s mobile applications (e.g. the Learner, aXcelerate and Trainer Apps), depending on the role of the user who logs in.
Enforced MFA only applies to users who log in using their email address or mobile number. It does not apply to users who log in via single sign-on (SSO), e.g. Google, Facebook, Apple or a corporate Identity Provider (IDP), as any MFA requirements should be handled by the identity provider.
Another feature of the additional sign-in security is the ability for clients who use corporate IDPs like Azure Active Directory to specify that a user role must use the IDP to log in. This gives greater control and protection over access for specified user roles.
What is Multi-factor Authentication?
Multi-factor authentication (MFA) is a security process that requires users to provide multiple forms of identification in order to access a system or service. This involves using two or more authentication factors, which could include something the user knows (e.g. a password or PIN), something the user has (e.g. a security token or smart card), or something the user is (e.g. a fingerprint or other biometric identification).
MFA is becoming increasingly common in both consumer and enterprise applications, as it provides a stronger defence against unauthorised access and helps to protect sensitive data and systems from attack.
By requiring multiple factors of authentication, MFA provides an additional layer of security beyond traditional password-based authentication. Even if a user's password is compromised, an attacker would still need to provide additional authentication factors in order to gain access to the system or service.
How to set up Multi-factor Authentication?
We recommend downloading an authenticator app prior to beginning the set-up process.
The QR code should only be scanned using an authenticator app, not your device camera or inbuilt QR code reader.
The first time a user logs in, they will be prompted to set up an MFA device or be reminded to later. aXcelerate recommends that users set up an MFA device immediately. The user uses an app on their phone, such as the Google Authenticator App or an equivalent, to scan the QR code, revealing a 6-digit code that they then enter to set up the device.
The default reminder/grace period is 7 days which the administrator can configure to be from 0 to 14 days. After the period ends, the user will not be able to access the aXcelerate system until they set up their MFA device.
After setting up their MFA device for the first time, the user will need to obtain the 6-digit code from their Authentication App or their equivalent for all subsequent logins.
As a result of the enforcement of MFA, users who have MFA enabled will no longer be able to sign in with the one-time code option.
To set up MFA follow the steps listed below:
Before commencing, download an Authenticator App on your phone, tablet or browser. For example, Microsoft Authenticator, Google Authenticator and other options are available on the Apple App Store or Google Play Store.
- When prompted, select Authenticator in the Manage Account window
- Scan the QR Code with your selected Authenticator App and complete the linking process
- Enter the Verification Code displayed in your Authenticator App into the Authentication Code field
- Click Submit
What if a user loses their MFA device?
If a user loses their MFA device, their account can be recovered by another administrator. The administrator would need to independently verify the user’s identity to their own satisfaction and then edit their user profile within aXcelerate and remove their saved MFA device.
On removal, for auditing purposes, a system contact note will be added and the email address associated with the global account will be notified. Upon login, the user will then be prompted to register a new device for authentication.
Disabling Additional Sign-in Security
There are three ways to disable this feature.
- Disabled on a role-by-role basis, by setting Additional Security to None.
- Disabled on a System user level, by clicking on the Update (pencil) icon against the System User, and then clicking on the "Remove MFA" button
- Disabled at a system-level setting for the whole account. This system flag, called "Additional Sign-in Security", is located in the Additional Options tab in System Settings.
Should MFA be desired again in the future, these steps can be reverted at any time. Please note that for best practice security, we recommend not opting out.
To disable by Role:
- Head to Settings > System Settings > System Users > Manage User Roles
- Select the pencil Update icon next to the User Role that requires MFA disabled
- Set the Additional Security option to "None"
To disable by System User:
- Head to Settings > System Settings > System Users
- Select the pencil Update icon next to the System User that requires MFA disabled
- Click on the "Remove MFA" button
To disable at system level:
- Head to Settings > System Settings > Additional Options
- Scroll down and locate the "Additional Sign-in Security" setting
- Set it to No