Multifactor Authentication

From Charitylog Manual

What is Multifactor Authentication (MFA)

Multifactor authentication (MFA) is a security process that requires users to provide two or more verification factors to gain access to a system.

Instead of just entering a password (single-factor authentication), MFA adds extra layers of security by requiring additional factors, which typically fall into three categories:

  • Something you know: This is usually a password or PIN.
  • Something you have: This could be a smartphone, security token, or smart card.
  • Something you are: This involves biometrics, such as a fingerprint, facial recognition, or voice recognition.

By combining multiple factors, MFA makes it much harder for unauthorised users to gain access, even if they have one of the factors, like your password.

Enabling Multifactor Authentication

There are two ways of using MFA in the system. These are:

  • SMS: Using SMS requires you to create an account with TextAnywhere and purchase credits. Once done, users will be requested to enter a PIN when logging in, which is sent to their mobile phone.
  • Email: Using Email requires you to set up your Email settings for sending emails. Once done, users will be requested to enter a PIN when logging in, which is sent to their email.

To enable MFA, go to Logging in / System access under the Admin Menu.

"A screenshot of the Logging in / System access button, highlighted in the admin menu."

Under the Security Rules section, you will find a field labelled "Require an additional PIN sent to the user to complete the login process". From this field you can select:

  • Yes, all users: This will require all users to enter a PIN when logging in.
  • Yes, selected groups only: This allows you to define which user groups are required to enter a PIN within Group Access Rights.

The field below requires you to input a method. This is where you choose to use Email or SMS.

"A screenshot of the security settings section, showing a field to record the method of MFA"

If you have chosen to only apply MFA to selected groups, you can record which groups are using it via the Group Access option in the Admin Menu.

"A screenshot of the group access button, highlighted in the admin menu"

Select the name of the User Group you wish to enable MFA for. On the Group Options section, set "Is group required to use 2 factor authentication?" to "Yes".

"A screenshot of the group access page, showing the group options section and the field to set that the group is required to use 2 factor authentication"

Using MFA when logging in

Once done, users will be requested to enter a PIN when logging in. That PIN will either be sent to their mobile device via SMS, or to their email. The user must have an email address and/or mobile number recorded in their user record for this to work.

Our roadmap for authentication

Expanding the MFA options

We are currently working on adding support for 2 new MFA methods:

  • MFA apps, such as Authy and Microsoft Authenticator. These use a common underlying technology, so any such app is likely to work. Just like the current email and SMS methods, you'll type in the number displayed on your phone each time you log in.
  • Hardware tokens, e.g. Yubikey. These are typically small devices which plug into a USB port. These negate the need to type the number in, so are a cost effective way to make logging in faster and more secure.

Single Sign-On

Our long term plan is to avoid the need for authentication methods in the system at all, by utilising Single Sign-On (SSO). Many users will be familiar with SSO from websites that offer an option to "Sign in with your Apple account" or "Sign in with your Facebook account". Initially this will use your Microsoft account; we may add other companies' SSO in later releases.