Multi-Factor Authentication


If enabled, basic authentication Enterprise users may also be authenticated with Multi-Factor Authentication (MFA) via an authentication app (such as the Microsoft Authenticator App) that generates time-based one-time passcodes (TOTP). Individual users can add MFA in the User Profile Editor, or an organization can require MFA for all users by setting options in the ST_CONFIG table (see below). When MFA is enabled and set up by scanning the QR code from the MFA dialog on the Enterprise Login Screen, the TOTP secret is saved to the user's record in the ST_USER table.

 

Note: If MFA is enabled, MFA will be required for basic user authentication with Enterprise sites, Collect Mobile, Professional, SPM, and EnviroInsite.

 

If a user can no longer generate the passcode after MFA is enabled (e.g., loses access to the device or app), an Enterprise administrator can disable or reset MFA for that user with the MFA buttons in the User Profile Editor without needing a passcode.

 

 

Login Using MFA

 

Users enter their Username (or email address) and Password in the Enterprise Login Screen and click the Sign In button. After the username and password credentials have been verified, the MFA dialog window will open and users will need to enter the one-time 6-digit passcode from their MFA app.

 

[Image: ENT_MFA-Login]

 

If the TOTP-MFA passcode is entered incorrectly, an error message is displayed and the wrong passcode is cleared from the MFA dialog window; the user must enter the passcode again. Once the TOTP-MFA passcode has been verified, the user is logged into the Enterprise site.

 

If MFA is enabled/required but not yet set up by the user, the MFA dialog window will include a QR code (and the associated character string). The user must scan the QR code with their MFA app (or enter the character string associated with the QR code into the TOTP_SECRET field of the user's ST_USER record) and then enter the one-time 6-digit passcode from their authentication app. Once the TOTP-MFA passcode has been verified, the user is logged into the Enterprise site.

 

[Image: ENT_MFA-Initial-Login-QR]
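The following is an added example, not EQuIS Enterprise code: it shows how the 6-digit passcode from an authenticator app is generated (RFC 6238 TOTP: HMAC-SHA1, 30-second step) and how a server should verify a submitted passcode, including tolerance for clock drift and a guard against re-use of a passcode that was already accepted. It assumes the character string shown beside the QR code (the value kept in TOTP_SECRET) is the base32-encoded secret used by the otpauth standard; the secret and expected codes in the test are the RFC 6238 reference vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Defaults used by common authenticator apps (RFC 6238): HMAC-SHA1, 30 s step, 6 digits.
STEP_SECONDS = 30
DIGITS = 6

# Constructed for the test: RFC 6238 reference secret "12345678901234567890", base32-encoded.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Decode the base32 string shown beside the QR code (assumed format). Spaces and
    missing '=' padding, as displayed by some apps, are tolerated."""
    cleaned = secret_b32.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8), casefold=True)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at_time: int) -> str:
    """The passcode an authenticator app shows at Unix time `at_time`."""
    return hotp(decode_secret(secret_b32), at_time // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str, at_time: Optional[int] = None,
                window: int = 1, last_used_step: Optional[int] = None) -> Optional[int]:
    """Server-side check. Returns the matching time step (to be persisted with the user
    record as `last_used_step` so the same code is not accepted twice), or None.
    Accepts `window` steps either side of now for clock drift; compares in constant time."""
    if len(submitted) != DIGITS or not (submitted.isascii() and submitted.isdigit()):
        return None
    secret = decode_secret(secret_b32)
    step_now = (int(time.time()) if at_time is None else at_time) // STEP_SECONDS
    for step in range(step_now - window, step_now + window + 1):
        if last_used_step is not None and step <= last_used_step:
            continue  # replay of an already-consumed step
        if hmac.compare_digest(hotp(secret, step), submitted):
            return step
    return None
```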

 

 

Configuration for MFA

 

If an organization wants all basic authentication users to also use MFA, add the following entry to the ST_CONFIG table. This enforces MFA for the entire organization and requires every user to set up MFA.

 

CONFIG_SECTION   CONFIG_KEY   OBJECT_TYPE   OBJECT_VALUE   STRING_VALUE
Authentication   Basic        MFA           TOTP           enforce

 

When the ST_CONFIG setting is added/changed, the Enterprise site needs to be restarted for the changes to take effect.