Setting up multi-factor authentication (MFA)

Looking for help with this feature in Polaris PSA or Polaris PPM? Check out Setting up multi-factor authentication (MFA) in the Polaris help.

To heighten security for your Replicon accounts, you can set up multi-factor authentication (MFA) in your system. MFA adds extra layers of protection, beyond a password, in case passwords are in some way compromised.

Replicon supports time-based one-time password (TOTP) and email authentication methods of MFA.

Users can be allowed to set up methods themselves. Administrators can also set up email authentication on behalf of users.

Administrators can also:

  • On a per user basis, make using at least one MFA method mandatory
  • Choose to either require email authentication every time the user logs in, or to specify a re-verification frequency

MFA is device-specific, so users will need to verify each device they use with Replicon.

MFA only works with Replicon authentication, and doesn’t apply to single sign-on (SSO) users.

Setting the MFA frequency

To specify how often users need to use email authentication when they log in:

  1. Go to Administration > System and Security > Security Settings.
  2. From the Multi-Factor Authentication Timeout setting, choose one of the following:
      • After 30 days - you can update the number of days to your desired frequency. Users will need to use MFA when they log in if that number of days has passed since their last MFA authentication.
      • Always check - users will need to use MFA every time they log in

MFA frequency settings are device-specific. So, if users have to use MFA once a month, they need to use it on their next login after a month has passed on each device they use to access Replicon.

Making MFA mandatory

To improve the security of your system, you can require users to use an MFA method.

You can enable this functionality for one user at a time, or you can mass edit users to enable this option for many employees at once.

Users with this option enabled will not be able to access Replicon unless they have at least one MFA method enabled. If a user doesn't have at least one MFA method set up, they will be prompted to set one up the first time they log in after the mandatory MFA option is enabled for them. MFA cannot be set up using Replicon Mobile.

If you’re concerned about users losing access to their Replicon account, you might want to enable MFA on their behalf, or communicate the date when you’ll make this change to affected users in advance, to give them a chance to set up MFA before doing so becomes required.

To make MFA mandatory:

  1. Ensure you’ve either set up email authentication for each user, or you have given them permission to set up MFA.
  2. Go to Administration > Employees and Organization > Users.
  3. Select a single user name. Or, to select multiple users, check the boxes beside the users’ names and click Edit.
  4. In the Multi-Factor Authentication section of the user profile, enable the Require Multi-Factor Authentication to be enabled check box.

Now, when users without an MFA method log in to Replicon, they’ll be shown a page where they’ll be required to set up at least one MFA method before they can access the rest of Replicon.

You can set a default setting for this option that will be applied to any new users you add to Replicon on the Administration > Employees and Organization > User Settings page.
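
The re-verification frequency and the mandatory-MFA rules described above combine into one login decision per device. The following sketch is an added example that models those rules; it is not Replicon code. The names `User`, `login_decision`, `complete_mfa` and `ALWAYS_CHECK` are hypothetical, and treating "exactly N days elapsed" as expired is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict

ALWAYS_CHECK = 0  # hypothetical encoding of the "Always check" option


@dataclass
class User:
    sso: bool = False           # SSO users are outside Replicon MFA
    mfa_required: bool = False  # "Require Multi-Factor Authentication to be enabled"
    has_method: bool = False    # at least one enabled method (TOTP or email)
    # device id -> time of the last successful MFA on that device
    last_mfa: Dict[str, datetime] = field(default_factory=dict)


def login_decision(user: User, device_id: str, now: datetime,
                   timeout_days: int = 30) -> str:
    """Return 'not_applicable', 'setup_required', 'allow' or 'challenge'."""
    if user.sso:
        return "not_applicable"
    if not user.has_method:
        # Mandatory MFA forces enrolment before the rest of the app is reachable.
        return "setup_required" if user.mfa_required else "allow"
    last = user.last_mfa.get(device_id)
    if timeout_days == ALWAYS_CHECK or last is None:
        return "challenge"      # every login, or a device never verified
    if now - last >= timedelta(days=timeout_days):
        return "challenge"      # the timer runs separately for each device
    return "allow"


def complete_mfa(user: User, device_id: str, now: datetime) -> None:
    """Record a successful MFA; resets the timer for this device only."""
    user.last_mfa[device_id] = now


if __name__ == "__main__":
    now = datetime(2024, 3, 1)  # constructed sample data
    u = User(has_method=True, last_mfa={"laptop": datetime(2024, 2, 20),
                                        "phone": datetime(2024, 1, 15)})
    for dev in ("laptop", "phone", "tablet"):
        print(dev, login_decision(u, dev, now))
```

Running it shows the same user being let through on a recently verified device while being challenged on a stale or never-verified one.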

Allowing self-serve setup of MFA

To allow users to enable MFA for themselves:

  1. Go to Administration > Employees and Organization > Permission Sets.
  2. In permission sets based on the User type, enable the Edit Multi-Factor Authentication Methods permission.
  3. Assign this permission set to users.

Setting up email authentication

With email authentication, when a user attempts to log in, they’ll be emailed a code that they’ll need to enter into the login field before authentication will proceed.

For a single user

To set up email authentication for a single user:

  1. Go to Administration > Employees and Organization > Users.
  2. Select a user.
  3. On the User Profile tab, from the Multi-Factor Authentication section of the user profile, click Add Authentication Method.

A dialog with an Email Address field displays. This field will be populated with the user’s Replicon email by default.

  4. Update the user's email address, if necessary.
  5. Click Add Email Authentication.

A verification email will be sent to the user; they’ll have to click a button in that email to complete setup. You’ll know they’ve completed this step when the Waiting Verification status in their user profile changes to Enabled.

For multiple users

You can use the user mass edit feature to set up email authentication for multiple users at once, using the email address already entered in each user’s user profile.

To set up email authentication for multiple users:

  1. Go to Administration > Employees and Organization > Users.
  2. Select the check boxes beside the users’ names.
  3. Click Edit.
  4. Select this option located on the main user profile page: Enable email authentication using the User’s Email Address.
  5. Click Save.

Resending verification emails

If you’ve added email authentication for one or more users, but their user profile still says the account is awaiting verification, you can send the verification emails again.

To resend the email for one user, click the Resend Verification Email link on the main page of their user profile.

To resend emails to multiple users, you can use the mass edit users feature:

  1. Go to Administration > Employees and Organization > Users.
  2. Select the check boxes beside the users’ names.
  3. Click Edit.
  4. Select this option located on the main user profile page: Re-attempt any Authentication Methods Waiting Verification.
  5. Click Save.

Revoking an authentication method

If you want a user to stop using a particular authentication method, click the Revoke link located beside that method on the main page of their user profile.


Do CloudClock users need to use email verification when scanning in?

No, MFA only applies to administrators when provisioning CloudClock, not to CloudClock end users.
