Setting up multi-factor authentication (MFA) for your employees
Looking for help with this feature in Polaris PSA or Polaris PPM? Check out Setting up multi-factor authentication (MFA) for your employees in the Polaris help.
To heighten security for your Replicon accounts, you can set up multi-factor authentication (MFA) in your system. MFA adds extra layers of protection, beyond a password, in case passwords are in some way compromised.
Replicon supports temporary one-time password (TOTP) and email authentication methods of MFA.
Users can be allowed to set up methods themselves. Administrators can also set up email authentication on behalf of users.
Administrators can also:
- On a per user basis, make using at least one MFA method mandatory
- Choose to either require email authentication every time the user logs in, or to specify a re-verification frequency
MFA authentication is device-specific, so users will need to verify each device they use with Replicon.
MFA only works with Replicon authentication, and doesn’t apply to single-sign on (SSO) users.
About the available MFA methods
There are two methods of MFA available in Replicon:
- Temporary one-time password (TOTP)
With this method, you’ll need to install a third-party authentication app on your cell phone or other device, and will then enter a code generated by this app when you log in. This is generally considered to be more secure than email authentication. - Email authentication
With this method, when you try to log in, you will be emailed a code that you’ll need to enter into the login field before you can finish logging in.
Setting the MFA frequency
To specify how often users need to use email authentication when they log in:
- Go to Administration > System and Security > Security Settings.
- From the Multi-Factor Authentication Timeout setting, choose one of the following:
-
- After 30 days - you can update the number of days to your desired frequency. Users will need to use MFA when they log in if that number of days have passed since their last MFA authentication.
- Always check - users will need to use MFA authentication every time they log in
Making MFA mandatory
To improve the security of your system, you can require users to use an MFA method.
You can enable this functionality for one user at a time, or you can mass edit users to enable this option for many employees at once.
Users with this option enabled will not be able to access Replicon unless they have at least one MFA method enabled. If a user doesn't have at least one MFA method set up, they will be prompted to set one up the first time they log in after the mandatory MFA option is enabled for them. MFA cannot be set up using Replicon Mobile.
If you’re concerned about users losing access to their Replicon account, you might want to enable MFA on their behalf, or communicate the date when you’ll make this change to affected users in advance, to give them a chance to set up MFA before doing so becomes required.
To make MFA mandatory:
- Ensure you’ve either set up email authentication for each user, or you have given them permission to set up MFA.
- Go to Administration> Employees and Organization > Users.
- Select a single user name. Or, to select multiple users, check the boxes beside the users’ names and click Edit.
- In the Multi-Factor Authentication section of the user profile, enable the Require Multi-Factor Authentication to be enabled check box.
Now, when users without an MFA method log in to Replicon, they’ll be shown a page where they’ll be required to set up at least one MFA method before they can access the rest of Replicon.
You can set a default setting for this option that will be applied to any new users you add to Replicon on the Administration > Employees and Organization > User Settings page.
As of October 2022, MFA is mandatory for all Replicon administrators, by default, even if they don't have the Require Multi-Factor Authentication to be enabled permission assigned.
Allowing self-serve setup of MFA
To allow users to enable MFA for themselves:
- Go to Administration > Employees and Organization > Permission Sets.
- In permission sets based on the User type, enable the Edit Multi-Factor Authentication Methods.
- Assign a User permission set to users.
Once a user has this permission enabled, they can set up MFA for their account via their Settings > Security page.
Setting up email authentication
With email authentication, when a user attempts to log in, they’ll be emailed a code that they’ll need to enter into the login field before authentication will proceed.
For a single user
To set up email authentication for a single user:
- Go to Administration > Employees and Organization > Users.
- Select a user.
- On the User Profile tab, from the Multi-Factor Authentication section of the user profile, click Add Authentication Method.
A dialog with an Email Address field displays. This field will be populated with the user’s Replicon email by default.
- Update the user's email address, if necessary.
- Click Add Email Authentication.
A verification email will be sent to the user; they’ll have to click a button in that email to complete setup. You’ll know they’ve completed this step when the Waiting Verification status in their user profile changes to Enabled.
You can also check who's enabled by viewing the Multi-Factor Authentication field on the Users list page or in reports.
For multiple users
You can use the user mass edit feature to set up email authentication for multiple users at once, using the email address already entered in each user’s user profile.
To set up email authentication for multiple users:
- Go to Administration> Employees and Organization > Users.
- Select the check boxes beside the users’ names.
- Click Edit.
- Select this option located on the main user profile page: Enable email authentication using the User’s Email Address.
- Click Save.
A verification email will be sent to each user; they’ll have to click a button in that email to complete setup. You’ll know they’ve completed this step when the Waiting Verification status in their user profile changes to Enabled.
You can also check who's enabled by viewing the Multi-Factor Authentication field on the Users list page or in reports.
Resending verification emails
If you’ve added email authentication for one or more users, but their user profile still says the account is awaiting verification, you can send the verification emails again.
To resend the email for one user, click the Resend Verification Email link on the main page of their user profile.
To resend emails to multiple users, you can use the mass edit users feature:
- Go to Administration > Employees and Organization > Users.
- Select the check boxes beside the users’ names.
- Click Edit.
- Select this option located on the main user profile page: Re-attempt any Authentication Methods Waiting Verification.
- Click Save.
Revoking an authentication method
If you want a user to stop using a particular authentication method, click the Revoke link located beside that method on the main page of their user profile.
FAQs
MFA is mandatory for administrators. How can I check who is an administrator?
The Permission Name field in the User Details default report (or any report based on the User template) shows which permissions are assigned to each user. You can filter this report to show only users assigned Administrator permission sets. Be sure to check for all Administrator-type permissions, since there can be multiple admin profiles.
How can I tell which users are set up with MFA?
You can check users' MFA enablement statuses by viewing the Multi-Factor Authentication field, either:
- On the Administration > Employees and Organization > Users page (click the icon above the table to enable the field)
- In the User Details default report (or any report based on the User template)
Do CloudClock users need to use email verification when scanning in?
No, MFA only applies to administrators when provisioning CloudClock, not to CloudClock end users.
Can we associate more than one MFA email address with a single account?
Yes, you can associate as many email addresses or authenticators as you like with each account, simply select the desired method multiple times to create multiple associations. You'll be able to complete verification with any one of the enabled methods. Just be sure to revoke methods belonging to individuals who shouldn't have access.
Related links
Setting up your multi-factor (2-step) authentication method
Setting up single sign-on
Setting password complexity and expiry rules
Setting up account lockout
Setting user sessions to automatically time out